Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 21:10
Behavioral task: behavioral1
Sample: 2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240729-en
General
Target: 2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: 855a935a36c711934493ce4dcc4f4fb1
SHA1: bfac817b70a51b2a55671109c2708496928ba836
SHA256: 64ee0b608fe5812fc7aa29fa780e9c02cf96c6ea729664449c51cad8ec4507ec
SHA512: 4c078eae8fd2a53fb0fced5eb128d04b03db2c1c4b48b26ceae53a960473feb183240cc055eea1bbe978378fee0399d88071d15e9144930b72376588c1e02f5d
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibj56utgpPFotBER/mQ32lUW
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host:
  ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
  ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
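Editor's note on the config above (added here; the code is not tria.ge's extractor and not the sample's own code). The http_header1 and http_header2 values are Cobalt Strike's serialized malleable C2 transform blocks: a run of big-endian uint32 opcodes, with string arguments stored as a uint32 length followed by the bytes, terminated by opcode 0. Decoded, they are the http-get and http-post client blocks of the public amazon.profile from the Malleable-C2-Profiles collection, which is also where the amazon-style URIs and the Trident user agent come from: the GET sends Accept and Host headers and carries the beacon metadata base64-encoded inside a Cookie of the form skin=noskin;session-token=<data>csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996; the POST puts the session id in the sn query parameter and the base64-encoded output in the body. The real destinations are the three softline.top names in the host field, so on the wire the Host header (www.amazon.com) does not match the server being contacted. pipe_name (\\%s\pipe\msagent_%x) and the rundll32 sc_process paths are Cobalt Strike's stock defaults and do not identify this operator. The value labelled state_machine is a DER-encoded RSA public key (a SubjectPublicKeyInfo; the MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ prefix is the giveaway); a live beacon encrypts its metadata with it before the transforms run, which the example below skips by pushing placeholder bytes through the steps. The opcode table is the one used by public beacon-config parsers; anything not exercised by this profile raises instead of guessing.

```python
import base64
import struct

# http_header1 / http_header2 copied verbatim from the extracted config above.
HTTP_HEADER1 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA=="
GET_URI = "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"
POST_URI = "/N4215/adj/amzn.us.sr.aps"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Serialized transform language: big-endian uint32 opcode, string arguments as
# uint32 length + bytes, opcode 0 ends the block.
OPCODES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
           6: "header", 7: "build", 8: "netbios", 9: "_parameter", 10: "_header",
           11: "netbiosu", 12: "uri_append", 13: "base64url", 14: "strrep",
           15: "mask", 16: "hostheader"}
ONE_STRING = {1, 2, 5, 6, 9, 10, 16}      # opcodes followed by one string argument


def decode_transform(blob_b64):
    """Parse one transform blob into a list of (step, argument) tuples."""
    data, pos, steps = base64.b64decode(blob_b64), 0, []

    def u32():
        nonlocal pos
        pos += 4
        return struct.unpack_from(">I", data, pos - 4)[0]

    def string():
        nonlocal pos
        n = u32()
        pos += n
        return data[pos - n:pos].decode("latin-1")

    while pos + 4 <= len(data):
        op = u32()
        if op == 0:
            break
        if op not in OPCODES:
            raise ValueError("unknown transform opcode %d at offset %d" % (op, pos - 4))
        if op in ONE_STRING:
            steps.append((OPCODES[op], string()))
        elif op == 7:                          # build N: which input gets transformed
            steps.append((OPCODES[op], u32()))
        elif op == 14:                         # strrep "old" "new"
            steps.append((OPCODES[op], (string(), string())))
        else:
            steps.append((OPCODES[op], None))
    return steps


def build_request(method, uri, steps, inputs, user_agent=None):
    """Render the request a beacon with these steps emits.

    inputs maps build slot -> raw bytes (GET: 0 = metadata; POST: 0 = id, 1 = output).
    A real beacon RSA-encrypts the metadata before this point; placeholders are fine here.
    """
    headers, params, body, buf = {}, [], b"", None
    for name, arg in steps:
        if name == "_header":                  # constant header, e.g. "Host: www.amazon.com"
            k, _, v = arg.partition(": ")
            headers[k] = v
        elif name == "_parameter":             # constant query parameter, already "k=v"
            params.append(arg)
        elif name == "build":
            buf = inputs[arg]
        elif name == "base64":
            buf = base64.b64encode(buf)
        elif name == "prepend":
            buf = arg.encode("latin-1") + buf
        elif name == "append":
            buf += arg.encode("latin-1")
        elif name == "header":                 # terminators: where the transformed data lands
            headers[arg] = buf.decode("latin-1")
        elif name == "parameter":
            params.append(arg + "=" + buf.decode("latin-1"))
        elif name == "uri_append":
            uri += buf.decode("latin-1")
        elif name == "print":
            body = buf
        else:                                  # netbios/base64url/strrep/mask: unused by this profile
            raise NotImplementedError("transform step %r not handled" % name)
    if user_agent:
        headers["User-Agent"] = user_agent
    if params:
        uri += "?" + "&".join(params)
    return {"method": method, "uri": uri, "headers": headers, "body": body}


if __name__ == "__main__":
    for method, blob in (("GET", HTTP_HEADER1), ("POST", HTTP_HEADER2)):
        print(method, decode_transform(blob))
    req = build_request("GET", GET_URI, decode_transform(HTTP_HEADER1),
                        {0: b"\x00\x01\x02\x03"}, USER_AGENT)       # placeholder metadata
    print(req["method"], req["uri"], "HTTP/1.1")
    print("\n".join("%s: %s" % kv for kv in req["headers"].items()))
```

Running it prints the decoded step lists and a GET whose Cookie is skin=noskin;session-token=AAECAw==csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996. For hunting in proxy logs, that cookie shape together with Host: www.amazon.com on a connection to a softline.top address on port 443 is the combination to search for; the constant csm-hit value and the X-Requested-With: XMLHttpRequest header on POSTs to /N4215/adj/amzn.us.sr.aps are profile constants and therefore stable across beacons built from this profile.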
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource  yara_rule
behavioral2/files/0x00080000000234cc-4.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-9.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-10.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-19.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-24.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-26.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-38.dat  cobalt_reflective_dll
behavioral2/files/0x00080000000234cd-71.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234da-69.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234db-75.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-89.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-66.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-65.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-64.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-53.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-95.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-108.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-125.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-121.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234df-109.dat  cobalt_reflective_dll
behavioral2/files/0x00070000000234de-115.dat  cobalt_reflective_dll
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
XMRig Miner payload 45 IoCs
resource  yara_rule
behavioral2/memory/1956-46-0x00007FF73DBD0000-0x00007FF73DF21000-memory.dmp  xmrig
behavioral2/memory/3696-57-0x00007FF6FE2B0000-0x00007FF6FE601000-memory.dmp  xmrig
behavioral2/memory/2968-81-0x00007FF737340000-0x00007FF737691000-memory.dmp  xmrig
behavioral2/memory/1936-92-0x00007FF7A02E0000-0x00007FF7A0631000-memory.dmp  xmrig
behavioral2/memory/3308-91-0x00007FF6FF690000-0x00007FF6FF9E1000-memory.dmp  xmrig
behavioral2/memory/1752-88-0x00007FF68D3F0000-0x00007FF68D741000-memory.dmp  xmrig
behavioral2/memory/5008-86-0x00007FF696F60000-0x00007FF6972B1000-memory.dmp  xmrig
behavioral2/memory/1524-78-0x00007FF6EFBA0000-0x00007FF6EFEF1000-memory.dmp  xmrig
behavioral2/memory/4816-77-0x00007FF77DDF0000-0x00007FF77E141000-memory.dmp  xmrig
behavioral2/memory/2960-73-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp  xmrig
behavioral2/memory/3512-16-0x00007FF681720000-0x00007FF681A71000-memory.dmp  xmrig
behavioral2/memory/2744-134-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp  xmrig
behavioral2/memory/2244-133-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp  xmrig
behavioral2/memory/2280-131-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp  xmrig
behavioral2/memory/2904-136-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp  xmrig
behavioral2/memory/3000-145-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp  xmrig
behavioral2/memory/3132-144-0x00007FF79F990000-0x00007FF79FCE1000-memory.dmp  xmrig
behavioral2/memory/3000-128-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp  xmrig
behavioral2/memory/1160-146-0x00007FF644730000-0x00007FF644A81000-memory.dmp  xmrig
behavioral2/memory/1716-149-0x00007FF6D1630000-0x00007FF6D1981000-memory.dmp  xmrig
behavioral2/memory/908-148-0x00007FF7A30B0000-0x00007FF7A3401000-memory.dmp  xmrig
behavioral2/memory/4392-147-0x00007FF744CB0000-0x00007FF745001000-memory.dmp  xmrig
behavioral2/memory/4008-150-0x00007FF78FC70000-0x00007FF78FFC1000-memory.dmp  xmrig
behavioral2/memory/3000-151-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp  xmrig
behavioral2/memory/3512-207-0x00007FF681720000-0x00007FF681A71000-memory.dmp  xmrig
behavioral2/memory/1956-209-0x00007FF73DBD0000-0x00007FF73DF21000-memory.dmp  xmrig
behavioral2/memory/2280-211-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp  xmrig
behavioral2/memory/3696-213-0x00007FF6FE2B0000-0x00007FF6FE601000-memory.dmp  xmrig
behavioral2/memory/2744-215-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp  xmrig
behavioral2/memory/2244-217-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp  xmrig
behavioral2/memory/2904-220-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp  xmrig
behavioral2/memory/2960-221-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp  xmrig
behavioral2/memory/2968-224-0x00007FF737340000-0x00007FF737691000-memory.dmp  xmrig
behavioral2/memory/4816-229-0x00007FF77DDF0000-0x00007FF77E141000-memory.dmp  xmrig
behavioral2/memory/5008-228-0x00007FF696F60000-0x00007FF6972B1000-memory.dmp  xmrig
behavioral2/memory/1524-226-0x00007FF6EFBA0000-0x00007FF6EFEF1000-memory.dmp  xmrig
behavioral2/memory/3308-231-0x00007FF6FF690000-0x00007FF6FF9E1000-memory.dmp  xmrig
behavioral2/memory/1752-233-0x00007FF68D3F0000-0x00007FF68D741000-memory.dmp  xmrig
behavioral2/memory/1936-235-0x00007FF7A02E0000-0x00007FF7A0631000-memory.dmp  xmrig
behavioral2/memory/3132-238-0x00007FF79F990000-0x00007FF79FCE1000-memory.dmp  xmrig
behavioral2/memory/4392-240-0x00007FF744CB0000-0x00007FF745001000-memory.dmp  xmrig
behavioral2/memory/1160-242-0x00007FF644730000-0x00007FF644A81000-memory.dmp  xmrig
behavioral2/memory/1716-244-0x00007FF6D1630000-0x00007FF6D1981000-memory.dmp  xmrig
behavioral2/memory/4008-246-0x00007FF78FC70000-0x00007FF78FFC1000-memory.dmp  xmrig
behavioral2/memory/908-248-0x00007FF7A30B0000-0x00007FF7A3401000-memory.dmp  xmrig
Executes dropped EXE 21 IoCs
pid  Process
3512  AikdlhE.exe
1956  DlhrASY.exe
2280  ZxJLmWR.exe
3696  zxShMCC.exe
2244  gqVaDnH.exe
2744  HIMjgsB.exe
2960  nbxrFiB.exe
2904  TlfnAYe.exe
5008  rWRXKaS.exe
4816  KctMqqC.exe
1524  INCOoCF.exe
2968  kugoGIG.exe
1752  YAeXbJT.exe
3308  iBSrVcy.exe
1936  QeAIVrD.exe
3132  otejBUs.exe
1160  ABagijM.exe
4392  FjSwNNg.exe
908  VSKvxoF.exe
1716  oypJoDb.exe
4008  Itbmddo.exe
resource  yara_rule
behavioral2/memory/3000-0-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp  upx
behavioral2/files/0x00080000000234cc-4.dat  upx
behavioral2/files/0x00070000000234d1-9.dat  upx
behavioral2/files/0x00070000000234d0-10.dat  upx
behavioral2/files/0x00070000000234d2-19.dat  upx
behavioral2/files/0x00070000000234d3-24.dat  upx
behavioral2/files/0x00070000000234d4-26.dat  upx
behavioral2/files/0x00070000000234d5-38.dat  upx
behavioral2/memory/2744-37-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp  upx
behavioral2/memory/1956-46-0x00007FF73DBD0000-0x00007FF73DF21000-memory.dmp  upx
behavioral2/memory/3696-57-0x00007FF6FE2B0000-0x00007FF6FE601000-memory.dmp  upx
behavioral2/files/0x00080000000234cd-71.dat  upx
behavioral2/files/0x00070000000234da-69.dat  upx
behavioral2/files/0x00070000000234db-75.dat  upx
behavioral2/memory/2968-81-0x00007FF737340000-0x00007FF737691000-memory.dmp  upx
behavioral2/files/0x00070000000234dc-89.dat  upx
behavioral2/memory/1936-92-0x00007FF7A02E0000-0x00007FF7A0631000-memory.dmp  upx
behavioral2/memory/3308-91-0x00007FF6FF690000-0x00007FF6FF9E1000-memory.dmp  upx
behavioral2/memory/1752-88-0x00007FF68D3F0000-0x00007FF68D741000-memory.dmp  upx
behavioral2/memory/5008-86-0x00007FF696F60000-0x00007FF6972B1000-memory.dmp  upx
behavioral2/memory/1524-78-0x00007FF6EFBA0000-0x00007FF6EFEF1000-memory.dmp  upx
behavioral2/memory/4816-77-0x00007FF77DDF0000-0x00007FF77E141000-memory.dmp  upx
behavioral2/memory/2960-73-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp  upx
behavioral2/files/0x00070000000234d9-66.dat  upx
behavioral2/files/0x00070000000234d8-65.dat  upx
behavioral2/files/0x00070000000234d7-64.dat  upx
behavioral2/files/0x00070000000234d6-53.dat  upx
behavioral2/memory/2904-43-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp  upx
behavioral2/memory/2244-28-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp  upx
behavioral2/memory/2280-23-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp  upx
behavioral2/memory/3512-16-0x00007FF681720000-0x00007FF681A71000-memory.dmp  upx
behavioral2/files/0x00070000000234dd-95.dat  upx
behavioral2/memory/3132-103-0x00007FF79F990000-0x00007FF79FCE1000-memory.dmp  upx
behavioral2/files/0x00070000000234e0-108.dat  upx
behavioral2/memory/4392-113-0x00007FF744CB0000-0x00007FF745001000-memory.dmp  upx
behavioral2/memory/4008-119-0x00007FF78FC70000-0x00007FF78FFC1000-memory.dmp  upx
behavioral2/files/0x00070000000234e2-125.dat  upx
behavioral2/memory/1716-122-0x00007FF6D1630000-0x00007FF6D1981000-memory.dmp  upx
behavioral2/files/0x00070000000234e1-121.dat  upx
behavioral2/memory/908-118-0x00007FF7A30B0000-0x00007FF7A3401000-memory.dmp  upx
behavioral2/files/0x00070000000234df-109.dat  upx
behavioral2/files/0x00070000000234de-115.dat  upx
behavioral2/memory/1160-104-0x00007FF644730000-0x00007FF644A81000-memory.dmp  upx
behavioral2/memory/2744-134-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp  upx
behavioral2/memory/2244-133-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp  upx
behavioral2/memory/2280-131-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp  upx
behavioral2/memory/2904-136-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp  upx
behavioral2/memory/3000-145-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp  upx
behavioral2/memory/3132-144-0x00007FF79F990000-0x00007FF79FCE1000-memory.dmp  upx
behavioral2/memory/3000-128-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp  upx
behavioral2/memory/1160-146-0x00007FF644730000-0x00007FF644A81000-memory.dmp  upx
behavioral2/memory/1716-149-0x00007FF6D1630000-0x00007FF6D1981000-memory.dmp  upx
behavioral2/memory/908-148-0x00007FF7A30B0000-0x00007FF7A3401000-memory.dmp  upx
behavioral2/memory/4392-147-0x00007FF744CB0000-0x00007FF745001000-memory.dmp  upx
behavioral2/memory/4008-150-0x00007FF78FC70000-0x00007FF78FFC1000-memory.dmp  upx
behavioral2/memory/3000-151-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp  upx
behavioral2/memory/3512-207-0x00007FF681720000-0x00007FF681A71000-memory.dmp  upx
behavioral2/memory/1956-209-0x00007FF73DBD0000-0x00007FF73DF21000-memory.dmp  upx
behavioral2/memory/2280-211-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp  upx
behavioral2/memory/3696-213-0x00007FF6FE2B0000-0x00007FF6FE601000-memory.dmp  upx
behavioral2/memory/2744-215-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp  upx
behavioral2/memory/2244-217-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp  upx
behavioral2/memory/2904-220-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp  upx
behavioral2/memory/2960-221-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp  upx
Drops file in Windows directory 21 IoCs
description  ioc  Process
File created  C:\Windows\System\INCOoCF.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\YAeXbJT.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\QeAIVrD.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\otejBUs.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ABagijM.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\AikdlhE.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\gqVaDnH.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\KctMqqC.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\FjSwNNg.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\VSKvxoF.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\oypJoDb.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\ZxJLmWR.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\HIMjgsB.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\iBSrVcy.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\TlfnAYe.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\rWRXKaS.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\kugoGIG.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\Itbmddo.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\DlhrASY.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\zxShMCC.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
File created  C:\Windows\System\nbxrFiB.exe  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeLockMemoryPrivilege  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory 42 IoCs
description  pid  Process  procid_target
PID 3000 wrote to memory of 3512  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3000 wrote to memory of 3512  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  85
PID 3000 wrote to memory of 1956  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3000 wrote to memory of 1956  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  86
PID 3000 wrote to memory of 2280  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3000 wrote to memory of 2280  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  87
PID 3000 wrote to memory of 3696  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3000 wrote to memory of 3696  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  88
PID 3000 wrote to memory of 2244  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3000 wrote to memory of 2244  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  89
PID 3000 wrote to memory of 2744  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3000 wrote to memory of 2744  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  90
PID 3000 wrote to memory of 2960  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3000 wrote to memory of 2960  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  91
PID 3000 wrote to memory of 2904  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 3000 wrote to memory of 2904  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  92
PID 3000 wrote to memory of 5008  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 3000 wrote to memory of 5008  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  93
PID 3000 wrote to memory of 4816  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3000 wrote to memory of 4816  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  94
PID 3000 wrote to memory of 1524  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3000 wrote to memory of 1524  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  95
PID 3000 wrote to memory of 2968  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3000 wrote to memory of 2968  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  96
PID 3000 wrote to memory of 1752  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3000 wrote to memory of 1752  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  97
PID 3000 wrote to memory of 3308  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3000 wrote to memory of 3308  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  98
PID 3000 wrote to memory of 1936  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3000 wrote to memory of 1936  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  99
PID 3000 wrote to memory of 3132  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3000 wrote to memory of 3132  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  100
PID 3000 wrote to memory of 1160  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3000 wrote to memory of 1160  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  101
PID 3000 wrote to memory of 4392  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3000 wrote to memory of 4392  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  102
PID 3000 wrote to memory of 908  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 3000 wrote to memory of 908  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  103
PID 3000 wrote to memory of 1716  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 3000 wrote to memory of 1716  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  104
PID 3000 wrote to memory of 4008  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  105
PID 3000 wrote to memory of 4008  3000  2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe  105
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe"
    PID: 3000
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System\AikdlhE.exe (command line: C:\Windows\System\AikdlhE.exe, PID: 3512)
        - Executes dropped EXE
    [2] C:\Windows\System\DlhrASY.exe (command line: C:\Windows\System\DlhrASY.exe, PID: 1956)
        - Executes dropped EXE
    [2] C:\Windows\System\ZxJLmWR.exe (command line: C:\Windows\System\ZxJLmWR.exe, PID: 2280)
        - Executes dropped EXE
    [2] C:\Windows\System\zxShMCC.exe (command line: C:\Windows\System\zxShMCC.exe, PID: 3696)
        - Executes dropped EXE
    [2] C:\Windows\System\gqVaDnH.exe (command line: C:\Windows\System\gqVaDnH.exe, PID: 2244)
        - Executes dropped EXE
    [2] C:\Windows\System\HIMjgsB.exe (command line: C:\Windows\System\HIMjgsB.exe, PID: 2744)
        - Executes dropped EXE
    [2] C:\Windows\System\nbxrFiB.exe (command line: C:\Windows\System\nbxrFiB.exe, PID: 2960)
        - Executes dropped EXE
    [2] C:\Windows\System\TlfnAYe.exe (command line: C:\Windows\System\TlfnAYe.exe, PID: 2904)
        - Executes dropped EXE
    [2] C:\Windows\System\rWRXKaS.exe (command line: C:\Windows\System\rWRXKaS.exe, PID: 5008)
        - Executes dropped EXE
    [2] C:\Windows\System\KctMqqC.exe (command line: C:\Windows\System\KctMqqC.exe, PID: 4816)
        - Executes dropped EXE
    [2] C:\Windows\System\INCOoCF.exe (command line: C:\Windows\System\INCOoCF.exe, PID: 1524)
        - Executes dropped EXE
    [2] C:\Windows\System\kugoGIG.exe (command line: C:\Windows\System\kugoGIG.exe, PID: 2968)
        - Executes dropped EXE
    [2] C:\Windows\System\YAeXbJT.exe (command line: C:\Windows\System\YAeXbJT.exe, PID: 1752)
        - Executes dropped EXE
    [2] C:\Windows\System\iBSrVcy.exe (command line: C:\Windows\System\iBSrVcy.exe, PID: 3308)
        - Executes dropped EXE
    [2] C:\Windows\System\QeAIVrD.exe (command line: C:\Windows\System\QeAIVrD.exe, PID: 1936)
        - Executes dropped EXE
    [2] C:\Windows\System\otejBUs.exe (command line: C:\Windows\System\otejBUs.exe, PID: 3132)
        - Executes dropped EXE
    [2] C:\Windows\System\ABagijM.exe (command line: C:\Windows\System\ABagijM.exe, PID: 1160)
        - Executes dropped EXE
    [2] C:\Windows\System\FjSwNNg.exe (command line: C:\Windows\System\FjSwNNg.exe, PID: 4392)
        - Executes dropped EXE
    [2] C:\Windows\System\VSKvxoF.exe (command line: C:\Windows\System\VSKvxoF.exe, PID: 908)
        - Executes dropped EXE
    [2] C:\Windows\System\oypJoDb.exe (command line: C:\Windows\System\oypJoDb.exe, PID: 1716)
        - Executes dropped EXE
    [2] C:\Windows\System\Itbmddo.exe (command line: C:\Windows\System\Itbmddo.exe, PID: 4008)
        - Executes dropped EXE
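Editor's note on the behaviour recorded above (added here; the code is not one of tria.ge's signatures). The signatures and the process tree describe one pattern that is worth a host-side detection on its own: PID 3000 creates 21 randomly named executables directly in C:\Windows\System (the legacy 16-bit directory, not System32, which on a current Windows install is nearly empty and is not where installers put binaries), starts every one of them itself, and each child's memory then matches the xmrig rule. The only privilege the parent enables is SeLockMemoryPrivilege, which is what XMRig requests to back its scratchpad with large pages, so the miner verdict and the token change agree with each other. The correlation below joins Sysmon FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records and flags a parent that writes several executables into a watched directory and launches them shortly afterwards. The page carries no raw event log, so the events are constructed: PIDs, images and dropped names are taken from the process tree above, the timestamps are invented, and the updater at the end is a benign decoy that writes and runs a single helper elsewhere.

```python
from collections import defaultdict
from datetime import datetime

PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe"

# Constructed Sysmon-style events (EventID 11 = FileCreate, 1 = ProcessCreate). The page
# carries no raw event log: PIDs, images and dropped names come from the process tree
# above, timestamps are invented, and the updater at the end is a benign decoy.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-08-14 21:11:02.100", "ProcessId": 3000, "Image": PARENT,
     "TargetFilename": r"C:\Windows\System\AikdlhE.exe"},
    {"EventID": 1, "UtcTime": "2024-08-14 21:11:02.350", "ProcessId": 3512,
     "Image": r"C:\Windows\System\AikdlhE.exe", "ParentProcessId": 3000, "ParentImage": PARENT},
    {"EventID": 11, "UtcTime": "2024-08-14 21:11:02.400", "ProcessId": 3000, "Image": PARENT,
     "TargetFilename": r"C:\Windows\System\DlhrASY.exe"},
    {"EventID": 1, "UtcTime": "2024-08-14 21:11:02.650", "ProcessId": 1956,
     "Image": r"C:\Windows\System\DlhrASY.exe", "ParentProcessId": 3000, "ParentImage": PARENT},
    {"EventID": 11, "UtcTime": "2024-08-14 21:11:02.700", "ProcessId": 3000, "Image": PARENT,
     "TargetFilename": r"C:\Windows\System\ZxJLmWR.exe"},
    {"EventID": 1, "UtcTime": "2024-08-14 21:11:02.950", "ProcessId": 2280,
     "Image": r"C:\Windows\System\ZxJLmWR.exe", "ParentProcessId": 3000, "ParentImage": PARENT},
    {"EventID": 11, "UtcTime": "2024-08-14 21:11:03.000", "ProcessId": 3000, "Image": PARENT,
     "TargetFilename": r"C:\Windows\System\zxShMCC.exe"},
    {"EventID": 1, "UtcTime": "2024-08-14 21:11:03.250", "ProcessId": 3696,
     "Image": r"C:\Windows\System\zxShMCC.exe", "ParentProcessId": 3000, "ParentImage": PARENT},
    {"EventID": 11, "UtcTime": "2024-08-14 21:11:10.000", "ProcessId": 4100,
     "Image": r"C:\Program Files\Updater\update.exe", "TargetFilename": r"C:\Program Files\Updater\helper.exe"},
    {"EventID": 1, "UtcTime": "2024-08-14 21:11:11.000", "ProcessId": 4101,
     "Image": r"C:\Program Files\Updater\helper.exe", "ParentProcessId": 4100,
     "ParentImage": r"C:\Program Files\Updater\update.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def drop_and_execute_alerts(events, watched_dir=r"C:\Windows\System", min_count=3, window_seconds=300):
    """Flag a parent that writes min_count or more .exe files directly into watched_dir
    and launches each one within window_seconds of writing it.

    Returns [{"parent_pid", "parent_image", "children": [(image, pid, seconds_after_write)]}].
    """
    prefix = watched_dir.lower().rstrip("\\") + "\\"   # the trailing separator keeps System32 out
    written = {}                                        # (writer pid, lowercase path) -> write time
    for ev in events:
        if ev["EventID"] == 11:
            path = ev["TargetFilename"].lower()
            if path.startswith(prefix) and "\\" not in path[len(prefix):] and path.endswith(".exe"):
                written[(ev["ProcessId"], path)] = _ts(ev["UtcTime"])
    launched, parent_image = defaultdict(list), {}
    for ev in events:
        if ev["EventID"] != 1:
            continue
        key = (ev["ParentProcessId"], ev["Image"].lower())
        if key not in written:
            continue                                    # started something it did not write
        delay = (_ts(ev["UtcTime"]) - written[key]).total_seconds()
        if 0 <= delay <= window_seconds:
            launched[key[0]].append((ev["Image"], ev["ProcessId"], delay))
            parent_image[key[0]] = ev["ParentImage"]
    return [{"parent_pid": pid, "parent_image": parent_image[pid], "children": kids}
            for pid, kids in sorted(launched.items()) if len(kids) >= min_count]


if __name__ == "__main__":
    for alert in drop_and_execute_alerts(SAMPLE_EVENTS):
        print("parent %d %s" % (alert["parent_pid"], alert["parent_image"]))
        for image, pid, delay in alert["children"]:
            print("    wrote and started %s (pid %d) after %.2fs" % (image, pid, delay))
```

The join is on (writer PID, path) rather than on the path alone so that a process launching a file some other process wrote does not count, and the directory match requires the file to sit directly in the watched directory, which is why C:\Windows\System32 is not swept up. On real telemetry the same logic applies to any directory that should be static; the threshold and window are the knobs to tune against the environment's installers.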
Downloads
Filesize: 5.2MB
MD5: d61b8b06ce4d5d3de29771efd1083371
SHA1: 44cb202031ee3a58f1364d061ac3769bb5c63629
SHA256: e9f60ac597f7575a56f0be6f201e288b9cf7833e8843fcbfb393842112f32091
SHA512: c0b5621d58b643714e5b573965644a593a453f175e16fc6a8edc5491e187553b1c83181967bd041332a5f8c09a30836a0396e4d63df3f2cb2432cb32a9251a2b

Filesize: 5.2MB
MD5: 92d8543a2a161f9e64a530651574e360
SHA1: 6af2aa86d9a030124e80de1cbbe81407f5db3959
SHA256: 2b267b8d5a5e3ccf57e95df0fd2276574f382d6211dfdd0a24d8279d9ba6df03
SHA512: 836f699ed640acc3f023005edd4b151a412bb1c56014a56a784967e3830448f6681fc184fbb01e50fd5badbe8df2ba953c27fa2ea75a7881e6e7c58642f8f093

Filesize: 5.2MB
MD5: 1e46b7893d7e63a240d1955692e77521
SHA1: 66216a0b8d3e4458fb4e8f3b255c2b7e1d49f625
SHA256: 56b60e36b161c704b29a4a07d1d526f4ba8b475b1d3c9ac78a738fd34cb8dc1e
SHA512: 58832daa934f560b6e765a648ce5832b0671f3e35eba3949c0b43c0d464d2d6343a090a253ae4e9271cb5cc2814631d8f14e7c345bd5f46d6195a7eef228e8d1

Filesize: 5.2MB
MD5: 97b89f99656db47133feb93f9beb70e2
SHA1: a84ce949c0eae235d1fed788ed52dff689cb352c
SHA256: 84f6561416a87cb6976e2143cfec6ac7d074fc66d24f13f46ceac504d4450738
SHA512: 8d0310a7a6cffc9d3c182941509463b6bdec2796e9de3ef362dd1be4aff227a6f03b43ec6436f94901dbc2f27fbd9e7784375a77a4925c703ad0cfc09625a3c6

Filesize: 5.2MB
MD5: 8ec6b0c211b677d586d29563490f0ef0
SHA1: f0f6c17bfc06bcba65031088106589ec938c30c3
SHA256: eb3114953f1861051143ad9409e6297d7d9ab83da8af56f5d3463195d8eb7e51
SHA512: 2b656fb76a0e9ca1f44d3e26dbbd34294f9d288c26e81ef556447cdc2ff0258b762e4de4195996af40726c886013d3b2a8c1819567755723f6cfb7b34c540099

Filesize: 5.2MB
MD5: e182c5e45f3defd6c1914438a06e7189
SHA1: fcc293ecf8ac2b03ca8c38af43dd940ee665081d
SHA256: 320e566b189cec7d9e6c4c838d0ce25b0866964af0656c1b61b2d598497dc92c
SHA512: 46da11dd74ec021c9feb8c06e130f594c8ee51d4b916d5425ad5db2de5ec7caf2581eb5e76992f85863cb53cfe4aa594dd3e77cbab3854275bd5bfb1d0d3e8fa

Filesize: 5.2MB
MD5: 05616a33de4c71390530b44e2f29d753
SHA1: 73cabd04176ce645d521e494f07c03d0323ba99d
SHA256: fa26a6c3b3bccfa553ad2b3b2d57c321d3f0823051cbdce9c9dd84a9ce52b015
SHA512: dc765361b8a6f6139115205097cebd135d98c02a2c7a7ff855f4bf19d691c279fc17ee1079e2678dfeb63ee7922c0c5b048ecd51f4e4cddd5be1c0abf49946ca

Filesize: 5.2MB
MD5: eb8a4e4c6ca9d5906dbdad69ff8cad67
SHA1: 2fc9e05e690576d4d6f5f32ad491735ade1989cb
SHA256: 35564b54ac7eb97db007ac8d8a0da050def5f8280e00a5c8b4c15dbf48e5f635
SHA512: b5418bc1d285b0651a45d3c4865bb214f5b170a780c87fb16f8322b971ae9cd1f95d0edf3658895313b97a2527e89720b002a00a45cb69fe57990aa7aee4e7a3

Filesize: 5.2MB
MD5: c33c607750787c54e0e99ba17a45623c
SHA1: c24b360a1ff3f4bcfb28d73394e30474946af0b8
SHA256: 88de352b2fa97a6ed24eafb767344c9252940a792ce373fb1c7365820c998002
SHA512: a824295dfe2ec643ca2bf5255552bd216f2ced91904ceb55d205e88ad9a0fe441ff5a5d5da9329c1830aee0a5eedc40e3ea569116bceb50400cf7407c2630212

Filesize: 5.2MB
MD5: 6d66314c645d9320648db4fcb16092e3
SHA1: f4b7684299b4806510d5da41cf15668ebde74e35
SHA256: 16e01ef7c298acb34dcbdcdaf61ee4550c5f17ffc03452c01b6dc55c557e7f41
SHA512: 183184e54b1a0b95614b87c8940ac0062701335465287ad2b368f5faed5d4c1fb4a64d9426e082b7b622d581bdcb6825ea83fd68fd376ad1cd2a23850f6640e7

Filesize: 5.2MB
MD5: 5665e3568ffaccc41e7469c7efaf855e
SHA1: 519b0663911829594b7333864e07c370a786513b
SHA256: 44a83b08ae3e51a6c3408cf30200cb1b4f1f5cbcfadc399b80cc2403085dc819
SHA512: 0b57ba3cea3f87b8f5053fe620a9d837f7e88577fd63e96426e9bbbe57fbeecf8925656ee22b9beca71f0be75d29234858313521f7dcffcaf7fea561779092cc

Filesize: 5.2MB
MD5: eb683221617c26036d25f9144b256fbb
SHA1: 6dcca45dc52e1098f1c923ebaea8e9f45d62894d
SHA256: f9295cd783dcc7c39d2bbdf8ab1170808ea3a61dc28a8b98d12554dada564b16
SHA512: 7cecc81de3ef035c9c623e2d6c5f1ada631ce3f73164b6f596be6c446f57238fb41c5c82bef8a1fb3a8537757d90dc698a760d7dcdef0fd0b3ca4409c3f47244

Filesize: 5.2MB
MD5: f4f7779e228832904bd42253e320b6f6
SHA1: a99c76f75a2ba3cfd6c9b78800de5e4c34758174
SHA256: b04cd53afdf3c95b92f64c90f9ccd660e090bf1ca72abb38e2be2e68055f2a6d
SHA512: ba50d255677a937a848ccc2e75a019e6562631b94666ed99b2773de624f9085aa8ba3d1bf73792c3dd8ac229ac1574160482d2286a4149b881c12343c9832b2e

Filesize: 5.2MB
MD5: dff11f2bba55c33b4e2a3fdf841934f8
SHA1: 773586fb08623d1d027eff68323778d224c09b82
SHA256: e6b7101367be295e63903d74ba712e5709c6c72b25ed0c0729d304e22662f25d
SHA512: bae9ae5cba1f3a1372a2a5544115d0e458e209cafdf5b53dc5f567ed113179db972bda9e737e5f11f95bf4cc176c0c5aa13a012c239766d461f47bea92fe29f4

Filesize: 5.2MB
MD5: c11444a303917648c5c85b802e87e861
SHA1: 14aac14177a68296c9c39da64c356cfc966fa3de
SHA256: 5cc32e82ef5848d157a7457b68fc76b4583c879b57f8d321a85334f5beb6f6bc
SHA512: 4b2ffdbb445edd824656bd07cd3558bba1203c805a649d77ce6901dbd1935ebd5b9f0dcda10b5bd6192f1578e871d569c859d9d2db192d137c1377304509644e

Filesize: 5.2MB
MD5: 5944afcb16ba0be5201e786c3300396a
SHA1: b66170853733acc3c5278b4f8d1acc1d88a4f50b
SHA256: aacf581533ee45bd5ca9fa732b92c8d9159164e5d9ff6f5d9e56781972a80025
SHA512: 5f2ecbe25b8bea4571b4b249f48387d247a2ca07bc05b9ccaf5e98cab61aee9c5505daf07529dcc28ecde105112fe41e4d8a069f8acba20e2ea1b307b93f385c

Filesize: 5.2MB
MD5: 099864b6b059cf72c4b36446b2534b0b
SHA1: 750d08310a6dcb0c82765c6323e4de08354c876d
SHA256: 621de712af8259b3f83910467c8ba17ca1effbe43f632c153bfc018946896d59
SHA512: 8bf5693a172c327b83b6a0eeafe9357aa2ec5d4efe4e8473b9657c97fdcc19c1691e18c980e682fbfb03cf5e4ea26680411b17a2c44ba5946d604302c45bb628

Filesize: 5.2MB
MD5: 7c92dcb030a350e085513ec8ec2c6555
SHA1: fa28b2f0c70fbeb482bac2fcc4c51d311cef8b43
SHA256: 6eff39ed2d388e49d47e800dddda5c6331da0e8b9cca6566a1408537d7e2a937
SHA512: 7affad651532ba81d4fb384d014df304156796d313cfbb4d873fe8c820a0ae3b8e3b405be3c7268dc30114c9fba6127004ea421d9d591222b18e326e707006f1

Filesize: 5.2MB
MD5: b74e9479479167ca3b5116d692741dfe
SHA1: efde9e1e6db4d8017236ff1dab0437766300b3a7
SHA256: 12aa025bc907484e501256f61d22c74ef140c6cb24a46b40b53912e0d9b1d132
SHA512: 9602a78266bef37099ce404fabb21a64c7a99c2f88ce540f429b675af6019569ba66b7ade9e7021ebf8ad44ecd84748c22ef32792ee155e73ecd799e5dbbd71a

Filesize: 5.2MB
MD5: dcd486581d196cca59542ff9ad67cf80
SHA1: bb640ea3f9baabba0236dc0b45e09c0a4a3e0195
SHA256: f6a6d645278935cd71f788228dbad25e98d3e47d0496488b0a32f0fce91913ad
SHA512: 3df3be2b1aa6b3ab6adf7096e4f0483adb51dbb4765fd8692333bc63b2047b5489c9ca55eee575217344a8e0333e282364c3b4c86a5037443d19f327cb9b4ad1

Filesize: 5.2MB
MD5: 344a54fc841c5da26d0891e9c0319501
SHA1: 1fe1e7a14f71935a1a182201aa75c5a14eca7166
SHA256: cf6e569ca21ed84688fd7bf26a831b158a897143cbe0bf677021f23a7243bc41
SHA512: 0983f941f27703bcef4bf92df8eb3a030a2c3a0c4c59a232355ca5e73e255d15f1ef904412c6704e47336423fdab6a36230027dc86b38f2d467ad2aa7e320bef