Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 21:16
Behavioral task: behavioral1
- Sample: 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe
- Resource: win7-20240708-en
General
- Target: 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe
- Size: 5.2MB
- MD5: 97462f5569857562779fc32f03db63b5
- SHA1: c4b8261397967debed679492f0f20e4884e084f5
- SHA256: 07255353ae5e995a465f5685e5de3b2691fd0ec17e4b35615bd81556253d596f
- SHA512: e5696c1d681b0d26eb25ae4605fcf8d524ab12081b1e391211daf8a41d651435c439fdc8b37e705ac7b557ca6ff0fd4889891d2bfcaaa224ca69c0c27e2d895e
- SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibj56utgpPFotBER/mQ32lU/
Malware Config
Extracted
cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
- Cobalt Strike reflective loader (21 IoCs)
  Detects the reflective loader used by Cobalt Strike.
  resource | yara_rule
  behavioral2/files/0x0008000000023567-4.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002356c-9.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002356b-12.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002356d-22.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002356e-31.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023571-42.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023570-47.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023575-69.dat | cobalt_reflective_dll
  behavioral2/files/0x0008000000023568-76.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023574-86.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002357c-121.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002357d-126.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002357b-117.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002357a-114.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023579-112.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023577-108.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023578-105.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023576-80.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023573-59.dat | cobalt_reflective_dll
  behavioral2/files/0x0007000000023572-58.dat | cobalt_reflective_dll
  behavioral2/files/0x000700000002356f-56.dat | cobalt_reflective_dll
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- XMRig Miner payload (49 IoCs)
  resource | yara_rule
  behavioral2/memory/1092-124-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp | xmrig
  behavioral2/memory/4928-123-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp | xmrig
  behavioral2/memory/2484-120-0x00007FF71FF00000-0x00007FF720251000-memory.dmp | xmrig
  behavioral2/memory/1008-84-0x00007FF7A6970000-0x00007FF7A6CC1000-memory.dmp | xmrig
  behavioral2/memory/1964-83-0x00007FF617D40000-0x00007FF618091000-memory.dmp | xmrig
  behavioral2/memory/4644-38-0x00007FF7A6E00000-0x00007FF7A7151000-memory.dmp | xmrig
  behavioral2/memory/1936-26-0x00007FF755D00000-0x00007FF756051000-memory.dmp | xmrig
  behavioral2/memory/1704-16-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp | xmrig
  behavioral2/memory/2888-142-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp | xmrig
  behavioral2/memory/3036-137-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp | xmrig
  behavioral2/memory/2916-130-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp | xmrig
  behavioral2/memory/1232-144-0x00007FF7953D0000-0x00007FF795721000-memory.dmp | xmrig
  behavioral2/memory/2864-150-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp | xmrig
  behavioral2/memory/1492-147-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp | xmrig
  behavioral2/memory/420-146-0x00007FF625460000-0x00007FF6257B1000-memory.dmp | xmrig
  behavioral2/memory/1812-145-0x00007FF747280000-0x00007FF7475D1000-memory.dmp | xmrig
  behavioral2/memory/4928-149-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp | xmrig
  behavioral2/memory/1964-143-0x00007FF617D40000-0x00007FF618091000-memory.dmp | xmrig
  behavioral2/memory/3644-140-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp | xmrig
  behavioral2/memory/2500-139-0x00007FF642380000-0x00007FF6426D1000-memory.dmp | xmrig
  behavioral2/memory/1300-138-0x00007FF624200000-0x00007FF624551000-memory.dmp | xmrig
  behavioral2/memory/4640-136-0x00007FF622990000-0x00007FF622CE1000-memory.dmp | xmrig
  behavioral2/memory/4844-135-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp | xmrig
  behavioral2/memory/2280-134-0x00007FF658620000-0x00007FF658971000-memory.dmp | xmrig
  behavioral2/memory/1936-132-0x00007FF755D00000-0x00007FF756051000-memory.dmp | xmrig
  behavioral2/memory/1704-131-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp | xmrig
  behavioral2/memory/1092-129-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp | xmrig
  behavioral2/memory/1092-151-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp | xmrig
  behavioral2/memory/2916-198-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp | xmrig
  behavioral2/memory/1704-200-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp | xmrig
  behavioral2/memory/1936-202-0x00007FF755D00000-0x00007FF756051000-memory.dmp | xmrig
  behavioral2/memory/4644-204-0x00007FF7A6E00000-0x00007FF7A7151000-memory.dmp | xmrig
  behavioral2/memory/2280-206-0x00007FF658620000-0x00007FF658971000-memory.dmp | xmrig
  behavioral2/memory/4844-208-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp | xmrig
  behavioral2/memory/2500-211-0x00007FF642380000-0x00007FF6426D1000-memory.dmp | xmrig
  behavioral2/memory/1300-212-0x00007FF624200000-0x00007FF624551000-memory.dmp | xmrig
  behavioral2/memory/1964-220-0x00007FF617D40000-0x00007FF618091000-memory.dmp | xmrig
  behavioral2/memory/2888-222-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp | xmrig
  behavioral2/memory/3036-218-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp | xmrig
  behavioral2/memory/4640-217-0x00007FF622990000-0x00007FF622CE1000-memory.dmp | xmrig
  behavioral2/memory/1008-215-0x00007FF7A6970000-0x00007FF7A6CC1000-memory.dmp | xmrig
  behavioral2/memory/420-231-0x00007FF625460000-0x00007FF6257B1000-memory.dmp | xmrig
  behavioral2/memory/3644-236-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp | xmrig
  behavioral2/memory/1812-235-0x00007FF747280000-0x00007FF7475D1000-memory.dmp | xmrig
  behavioral2/memory/1232-233-0x00007FF7953D0000-0x00007FF795721000-memory.dmp | xmrig
  behavioral2/memory/1492-229-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp | xmrig
  behavioral2/memory/2484-227-0x00007FF71FF00000-0x00007FF720251000-memory.dmp | xmrig
  behavioral2/memory/2864-225-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp | xmrig
  behavioral2/memory/4928-241-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp | xmrig
- Executes dropped EXE (21 IoCs)
  pid | Process
  2916 | LpDkCQl.exe
  1704 | ubvJuWJ.exe
  1936 | WvAcTLN.exe
  4644 | KpfEotI.exe
  2280 | LkNCNUo.exe
  4844 | LxvXOHC.exe
  3036 | kGGTJzF.exe
  1300 | PGPVQqr.exe
  4640 | smqsRFf.exe
  2500 | GTPxnyy.exe
  3644 | ONDjsEn.exe
  1008 | sEBarEe.exe
  2888 | lINfzuD.exe
  1964 | OcDTPER.exe
  1232 | cetTRSd.exe
  1812 | gNolyja.exe
  420 | iuJgiHQ.exe
  1492 | GlAXLPo.exe
  2484 | ThfPmFt.exe
  4928 | rPSLNGk.exe
  2864 | VhOOMTW.exe
- YARA rule upx (signature name not present on the page)
  resource | yara_rule
  behavioral2/memory/1092-0-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp | upx
  behavioral2/files/0x0008000000023567-4.dat | upx
  behavioral2/files/0x000700000002356c-9.dat | upx
  behavioral2/files/0x000700000002356b-12.dat | upx
  behavioral2/files/0x000700000002356d-22.dat | upx
  behavioral2/files/0x000700000002356e-31.dat | upx
  behavioral2/files/0x0007000000023571-42.dat | upx
  behavioral2/files/0x0007000000023570-47.dat | upx
  behavioral2/memory/2500-50-0x00007FF642380000-0x00007FF6426D1000-memory.dmp | upx
  behavioral2/files/0x0007000000023575-69.dat | upx
  behavioral2/files/0x0008000000023568-76.dat | upx
  behavioral2/files/0x0007000000023574-86.dat | upx
  behavioral2/memory/420-111-0x00007FF625460000-0x00007FF6257B1000-memory.dmp | upx
  behavioral2/files/0x000700000002357c-121.dat | upx
  behavioral2/files/0x000700000002357d-126.dat | upx
  behavioral2/memory/2864-125-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp | upx
  behavioral2/memory/1092-124-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp | upx
  behavioral2/memory/4928-123-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp | upx
  behavioral2/memory/2484-120-0x00007FF71FF00000-0x00007FF720251000-memory.dmp | upx
  behavioral2/memory/1492-119-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp | upx
  behavioral2/files/0x000700000002357b-117.dat | upx
  behavioral2/files/0x000700000002357a-114.dat | upx
  behavioral2/files/0x0007000000023579-112.dat | upx
  behavioral2/memory/1812-110-0x00007FF747280000-0x00007FF7475D1000-memory.dmp | upx
  behavioral2/files/0x0007000000023577-108.dat | upx
  behavioral2/files/0x0007000000023578-105.dat | upx
  behavioral2/memory/1232-104-0x00007FF7953D0000-0x00007FF795721000-memory.dmp | upx
  behavioral2/memory/1008-84-0x00007FF7A6970000-0x00007FF7A6CC1000-memory.dmp | upx
  behavioral2/memory/1964-83-0x00007FF617D40000-0x00007FF618091000-memory.dmp | upx
  behavioral2/files/0x0007000000023576-80.dat | upx
  behavioral2/memory/2888-73-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp | upx
  behavioral2/memory/4640-67-0x00007FF622990000-0x00007FF622CE1000-memory.dmp | upx
  behavioral2/memory/3036-66-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp | upx
  behavioral2/memory/3644-72-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp | upx
  behavioral2/files/0x0007000000023573-59.dat | upx
  behavioral2/files/0x0007000000023572-58.dat | upx
  behavioral2/files/0x000700000002356f-56.dat | upx
  behavioral2/memory/4844-46-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp | upx
  behavioral2/memory/1300-49-0x00007FF624200000-0x00007FF624551000-memory.dmp | upx
  behavioral2/memory/4644-38-0x00007FF7A6E00000-0x00007FF7A7151000-memory.dmp | upx
  behavioral2/memory/2280-37-0x00007FF658620000-0x00007FF658971000-memory.dmp | upx
  behavioral2/memory/1936-26-0x00007FF755D00000-0x00007FF756051000-memory.dmp | upx
  behavioral2/memory/1704-16-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp | upx
  behavioral2/memory/2916-7-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp | upx
  behavioral2/memory/2888-142-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp | upx
  behavioral2/memory/3036-137-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp | upx
  behavioral2/memory/2916-130-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp | upx
  behavioral2/memory/1232-144-0x00007FF7953D0000-0x00007FF795721000-memory.dmp | upx
  behavioral2/memory/2864-150-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp | upx
  behavioral2/memory/1492-147-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp | upx
  behavioral2/memory/420-146-0x00007FF625460000-0x00007FF6257B1000-memory.dmp | upx
  behavioral2/memory/1812-145-0x00007FF747280000-0x00007FF7475D1000-memory.dmp | upx
  behavioral2/memory/4928-149-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp | upx
  behavioral2/memory/1964-143-0x00007FF617D40000-0x00007FF618091000-memory.dmp | upx
  behavioral2/memory/3644-140-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp | upx
  behavioral2/memory/2500-139-0x00007FF642380000-0x00007FF6426D1000-memory.dmp | upx
  behavioral2/memory/1300-138-0x00007FF624200000-0x00007FF624551000-memory.dmp | upx
  behavioral2/memory/4640-136-0x00007FF622990000-0x00007FF622CE1000-memory.dmp | upx
  behavioral2/memory/4844-135-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp | upx
  behavioral2/memory/2280-134-0x00007FF658620000-0x00007FF658971000-memory.dmp | upx
  behavioral2/memory/1936-132-0x00007FF755D00000-0x00007FF756051000-memory.dmp | upx
  behavioral2/memory/1704-131-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp | upx
  behavioral2/memory/1092-129-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp | upx
  behavioral2/memory/1092-151-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp | upx
- Drops file in Windows directory (21 IoCs)
  description | ioc | Process
  Process for every row: 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe
  File created | C:\Windows\System\lINfzuD.exe
  File created | C:\Windows\System\rPSLNGk.exe
  File created | C:\Windows\System\KpfEotI.exe
  File created | C:\Windows\System\LkNCNUo.exe
  File created | C:\Windows\System\kGGTJzF.exe
  File created | C:\Windows\System\ThfPmFt.exe
  File created | C:\Windows\System\LxvXOHC.exe
  File created | C:\Windows\System\GTPxnyy.exe
  File created | C:\Windows\System\OcDTPER.exe
  File created | C:\Windows\System\ONDjsEn.exe
  File created | C:\Windows\System\cetTRSd.exe
  File created | C:\Windows\System\iuJgiHQ.exe
  File created | C:\Windows\System\GlAXLPo.exe
  File created | C:\Windows\System\ubvJuWJ.exe
  File created | C:\Windows\System\smqsRFf.exe
  File created | C:\Windows\System\PGPVQqr.exe
  File created | C:\Windows\System\gNolyja.exe
  File created | C:\Windows\System\VhOOMTW.exe
  File created | C:\Windows\System\LpDkCQl.exe
  File created | C:\Windows\System\WvAcTLN.exe
  File created | C:\Windows\System\sEBarEe.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeLockMemoryPrivilege | 1092 | 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe
  Token: SeLockMemoryPrivilege | 1092 | 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  description | pid | Process | procid_target
  Process for every row: 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe; each row below appears twice in the report.
  PID 1092 wrote to memory of 2916 | 1092 | 92
  PID 1092 wrote to memory of 1704 | 1092 | 93
  PID 1092 wrote to memory of 1936 | 1092 | 94
  PID 1092 wrote to memory of 4644 | 1092 | 95
  PID 1092 wrote to memory of 2280 | 1092 | 96
  PID 1092 wrote to memory of 4844 | 1092 | 97
  PID 1092 wrote to memory of 4640 | 1092 | 98
  PID 1092 wrote to memory of 3036 | 1092 | 99
  PID 1092 wrote to memory of 1300 | 1092 | 100
  PID 1092 wrote to memory of 2500 | 1092 | 101
  PID 1092 wrote to memory of 3644 | 1092 | 102
  PID 1092 wrote to memory of 1008 | 1092 | 103
  PID 1092 wrote to memory of 2888 | 1092 | 104
  PID 1092 wrote to memory of 1964 | 1092 | 105
  PID 1092 wrote to memory of 1232 | 1092 | 106
  PID 1092 wrote to memory of 1812 | 1092 | 107
  PID 1092 wrote to memory of 420 | 1092 | 108
  PID 1092 wrote to memory of 1492 | 1092 | 109
  PID 1092 wrote to memory of 2484 | 1092 | 110
  PID 1092 wrote to memory of 4928 | 1092 | 111
  PID 1092 wrote to memory of 2864 | 1092 | 112
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe"
  PID: 1092
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System\LpDkCQl.exe (command line: C:\Windows\System\LpDkCQl.exe), PID: 2916
    - Executes dropped EXE
  - C:\Windows\System\ubvJuWJ.exe (command line: C:\Windows\System\ubvJuWJ.exe), PID: 1704
    - Executes dropped EXE
  - C:\Windows\System\WvAcTLN.exe (command line: C:\Windows\System\WvAcTLN.exe), PID: 1936
    - Executes dropped EXE
  - C:\Windows\System\KpfEotI.exe (command line: C:\Windows\System\KpfEotI.exe), PID: 4644
    - Executes dropped EXE
  - C:\Windows\System\LkNCNUo.exe (command line: C:\Windows\System\LkNCNUo.exe), PID: 2280
    - Executes dropped EXE
  - C:\Windows\System\LxvXOHC.exe (command line: C:\Windows\System\LxvXOHC.exe), PID: 4844
    - Executes dropped EXE
  - C:\Windows\System\smqsRFf.exe (command line: C:\Windows\System\smqsRFf.exe), PID: 4640
    - Executes dropped EXE
  - C:\Windows\System\kGGTJzF.exe (command line: C:\Windows\System\kGGTJzF.exe), PID: 3036
    - Executes dropped EXE
  - C:\Windows\System\PGPVQqr.exe (command line: C:\Windows\System\PGPVQqr.exe), PID: 1300
    - Executes dropped EXE
  - C:\Windows\System\GTPxnyy.exe (command line: C:\Windows\System\GTPxnyy.exe), PID: 2500
    - Executes dropped EXE
  - C:\Windows\System\ONDjsEn.exe (command line: C:\Windows\System\ONDjsEn.exe), PID: 3644
    - Executes dropped EXE
  - C:\Windows\System\sEBarEe.exe (command line: C:\Windows\System\sEBarEe.exe), PID: 1008
    - Executes dropped EXE
  - C:\Windows\System\lINfzuD.exe (command line: C:\Windows\System\lINfzuD.exe), PID: 2888
    - Executes dropped EXE
  - C:\Windows\System\OcDTPER.exe (command line: C:\Windows\System\OcDTPER.exe), PID: 1964
    - Executes dropped EXE
  - C:\Windows\System\cetTRSd.exe (command line: C:\Windows\System\cetTRSd.exe), PID: 1232
    - Executes dropped EXE
  - C:\Windows\System\gNolyja.exe (command line: C:\Windows\System\gNolyja.exe), PID: 1812
    - Executes dropped EXE
  - C:\Windows\System\iuJgiHQ.exe (command line: C:\Windows\System\iuJgiHQ.exe), PID: 420
    - Executes dropped EXE
  - C:\Windows\System\GlAXLPo.exe (command line: C:\Windows\System\GlAXLPo.exe), PID: 1492
    - Executes dropped EXE
  - C:\Windows\System\ThfPmFt.exe (command line: C:\Windows\System\ThfPmFt.exe), PID: 2484
    - Executes dropped EXE
  - C:\Windows\System\rPSLNGk.exe (command line: C:\Windows\System\rPSLNGk.exe), PID: 4928
    - Executes dropped EXE
  - C:\Windows\System\VhOOMTW.exe (command line: C:\Windows\System\VhOOMTW.exe), PID: 2864
    - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
  PID: 4656
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 5.2MB
  MD5: 47ed5564d5ba1a849fb961c3efd39c46
  SHA1: 503562288cb337a6b7324d9461c5bd04899a1926
  SHA256: 5088658cbde73f25ed99c5b89f1a4fd64974250e70728f629218ca57abb04e75
  SHA512: b43548e12c138cde947e6e382011be311ab75b683b3758edf03d97d43bc11b60bcd585a0fb1128ab480b74807c10cab0bad849ce2727ad94adff81e129e55be1
- Filesize: 5.2MB
  MD5: 0087fba98e74a8bcb2b7b2c3c13d2ae0
  SHA1: 445a3504b557d082be5a8b368650372c0c218720
  SHA256: ed5a014408214eb754908ec154b53b40d5994487ec45ce9d692a27ce4d6b4395
  SHA512: 9dc69140106e9bdf01a02e45966dc8e9d8dd85585a1b6b4e1e94d8b15a9b4d36ca6f8eececf344dd056b48ff2a4d9e32452b9cbb064509fc8c16b3cab663401d
- Filesize: 5.2MB
  MD5: eb7352b190adb3d10d94d6ddb92abd7d
  SHA1: d5096aa58a230969845b9e2cf8c2f8984858afc2
  SHA256: 33b3cca43504e4689d105350bc78c53a15c326dc794030037ffedf74976dcf59
  SHA512: 8cede28b377e383ee10edf92948482394faccded4f167972e30b7cd2b3386047b9749c7dde5b190b3f5b7c50112c214be43a77e03d21273954c167f95bb1ba63
- Filesize: 5.2MB
  MD5: 1c1979c9878466284dd340b000f431bf
  SHA1: a0f91cf7606e2f4460519772d1eecc91f00ebee8
  SHA256: ddaea488538436dfe056f4cdaa648d93a804f41498b1e329a4d4e3be35e482b2
  SHA512: 53a4b19e75d6c70bee9a7561f3daef65b2f717eb3eb34abb7fa880d9a6e2f8953c600c36f13b525da0251157eaf1646f3b9a925016e945468caf9b9cae2bccd8
- Filesize: 5.2MB
  MD5: b3abca92f6ade5fff7d04ab521e24dc4
  SHA1: 3980b66c9924dacf644faea856004ac015cc7f9b
  SHA256: 07f4d3c06fd42e874ab361f8b65420793dedd1303f006d32e6a737861311a223
  SHA512: fa2cc35588271450f9b01cc96d47a71b24b058adb4c4e93e23dce5c7262cc925a2a0cba67dee2387a62e4dd2c0f5ba6a9b2812ec41b07b8b5afa87b769dc310b
- Filesize: 5.2MB
  MD5: a73af8a7a1c43cda50cea112d4747f06
  SHA1: 8e3abe68e5f8b75978f533b3637f82c4217ae913
  SHA256: 8bf6a3a98d29ca3f9696cf792c2fd1662a4f5ef9706e3456499764f97a7f7445
  SHA512: 3fc799b59ff42ac0e5ad58155193d8238e42729215923e56d48193cdcb86bc357f6cbb41e52aea9897afbf6265895719efedb511475cd6ffffec60cfdd994fdb
- Filesize: 5.2MB
  MD5: a7ab74dd4a7e0411d1da9d95e4c0ec53
  SHA1: 15cd127f1eb74bccbcf0a2602d0cb1eddba1f9ea
  SHA256: 8a340ee4bc7345c9c83d433be37564d14aff0ef9e79596d3a8349920b1ff3374
  SHA512: 7c0a5e750e443b925878d5b1a1c4e4446bab3bf78b7c3d9708a8910a9fa4a4f731980239e2c8927a71502f493894eef3af8ad8cde2678a71732c02b2ba9bf8f8
- Filesize: 5.2MB
  MD5: f37fe66f10be0d1814032c7d0f78d20e
  SHA1: 7a086bb3df223fa03018d9c9e9a0d7dde9b8007b
  SHA256: 160c6e3f200e81ef3c1ae7c1be6ddb0c3a91a0a700ecf45f015704947c05250a
  SHA512: a8e0cf41e49a496a7738c45c1deb62c4391f97405236e6f20d7c9cc843625a84f078f0cbd8ac6bf9446eac7ae7f3e0652e9d968573faea73562df0e69c20d8b2
- Filesize: 5.2MB
  MD5: b3b77e6e07a06dccdff8cd61098b032a
  SHA1: bac0130906ccb4f906114987610d3cf1e316db2e
  SHA256: 1d125ab8e108c58540e609e0906db4bf2ae64e73294024baf47be23ce558254e
  SHA512: 4fc20c5e9ea451f665fa6e53e9ec5a6855591a41f95d42cc10af8eac415194aae75603b55448c3fe50bd5f66b2b827a75967f82c559ed82b566802418670a558
- Filesize: 5.2MB
  MD5: 40315de74818e984696fcc8db9fd799d
  SHA1: 5631724e7c1b14cf1c5fef44395ebc699f2d865a
  SHA256: a7579b12893fe469a66e76c4928b8510cce94eb7e21535e8ddbfe18d65d549ec
  SHA512: a8ac3ed1f1f5986bec8bf262a81154a9078391ddde1d418d13299b4376a6bc677222c543ca0a66bc4aef5fd5035f412856bd1cb788998163eff007b3394114f4
- Filesize: 5.2MB
  MD5: 5805c7d562a7a40f32ffb74221910389
  SHA1: 37589801fc35756b883d9847a3122de63f9dccf0
  SHA256: f4aa5394f6cf14011a4fa1f20ae41db719eaa73429a801a0e238f10241c955cc
  SHA512: 26894bccdd2e298b8d557b0c9d8d12cc29d18981843710939946665a0e9a9068daf5aaf8cb8b0fcce079bc8fd58d340789cb9e448ce3ab00dce8bdc8efca9a7d
- Filesize: 5.2MB
  MD5: 406c5090804ef3d0607ff101d6facf93
  SHA1: cd92686a4f30fe7f983814ecce00f6c716392179
  SHA256: 7ee5dd2ae9d1f1a58c0da0763ee7f135e390324d77a5ea5563324b63f5521a4b
  SHA512: 9f39be358baa532ca9a6e2244c6aa6b6d6ac577b647a666640a4ae8493a832a94fb563ea43f93abc1d5aa42f9397043da31bf038866b40bbf5feb0d42c8109a5
- Filesize: 5.2MB
  MD5: 51fbdf8eec6a5d69ed680a98a58ed4ed
  SHA1: 449f5aaac2a53ead782e59e62357b230644051f8
  SHA256: 850e06b05700d7e6625aef491c875e26af5f69b3ed52f1953f6b699d53ec3596
  SHA512: bb8d5c53ae51777a656a4230816c77173d65bb417d31b68002a48c600a4dbdcc08c4478d63d1547a30ae00dcb5f52c02192324b9d970b4de51ced0ab90ccbb23
- Filesize: 5.2MB
  MD5: 51cb96e445ea803e0963a214459bbf40
  SHA1: e8c776e5692abaabaa3b66781cc1f320d6906932
  SHA256: 9029c6ec17cba27f8bcb30a40b538c98fbc505827689af7c3357f6603d962725
  SHA512: 1637fb2ab513766174d9ef7618f1470e87271c559fd291fff0e7ce53c1ff74064f448b554f62a74e679ffe8719dcf78ca40f2eaa31ba08f4ad1b6146277b4a47
- Filesize: 5.2MB
  MD5: b0cdd08fe6150a850d11077c11529e00
  SHA1: 681134996046bd4a4f5786da020feb7ae1f29bf5
  SHA256: 7b918ca2fe3f73741a81d905e7f8cb9f6aee0b2d75420de8a0de6be10554814c
  SHA512: 5f9f18fa75f3f34a3c1d3a2a1d5832471b75c8d263978b7d7f963ea8e492377a03239e713ea5ea2e1cdcadaf02c7ba36814fc9554ad22c37f4efc37fd900b7b2
- Filesize: 5.2MB
  MD5: cffebf543abcdf0c8c47b46a153b46be
  SHA1: 91f77710fa40fb09b66e243a00b41ad68d601647
  SHA256: 92395b9fd6ac20328bedfdd7d2c83ec4593ca2cd7202785d475e1df63961a0d8
  SHA512: c93f5f5856b8be9c8321a5b32db05be8a70e110e3bf6d64a0a9a0e0ca09b5eb3fa8284e8c47c1bcb90d8539e45c8608fad9be3af391948834c068fba17738c86
- Filesize: 5.2MB
  MD5: 458b3b394417da20bb79ae6ebb93af0f
  SHA1: cf66d24ef222e2e108c44adda23c8e9e7e993b88
  SHA256: 65c2c727d65232c45b2c2931d8a71f956dfd5574802d6b943e128c53a79ef0d2
  SHA512: 05302c3b6cab94ae64ef8af7d1a1f273d35e91b528e00109ef2733869a16d32b79c977b18a784f2353789497f87019fb404d8a4cd50099d74806bf8ddee8da62
- Filesize: 5.2MB
  MD5: 8841c4a151f5d5ce6a775cafbb592aab
  SHA1: bf5a8c16dee9fdd5e67dc412996d9fb7958363e2
  SHA256: 68261b3c152a09f6cd63db8013139ee9e71ba60aa885477b935bc1809d80b0fd
  SHA512: 49876743a608b02d33694160580957cab2a8ba3f35d92b1a4e57aa6f172a23b8e8adf2630a5d4f8ee894dfe367ec218570254987eb7e53cecb6fd5685c096c1e
- Filesize: 5.2MB
  MD5: a04aee1be211c56b91b0c71267bc525a
  SHA1: 1e31b7b07197fa6edc398029479978235da41089
  SHA256: 98ad0408cf1730f67c38f86d4639f818f8f2d09416c10f57145486f01def5f53
  SHA512: daf4c1c6794a24314cb63baab9c3f45bafb3f208d66df804b10736d90eb21c6ae1889d5aebb76c8d07322f4ab3cbdc6ae0add714cf22a8c9106fad70953ac84d
- Filesize: 5.2MB
  MD5: a5ec12a330e0a9d24cc8e85f63875a48
  SHA1: b18a8b9443c182c07107a419a1542dfd5af7469b
  SHA256: 2a995049bfe5d971b6fcf24dd4e81cf1c75441851f5f348f6497ac12e33a1709
  SHA512: ddd8c9c98128d1f4dcb49b29c8f0fd8cbf5582cffe34cdbe386d4f88097cec1ee9850675421abe37df1dddd14f92feed76530f590a36ebca789c61d05b530926
- Filesize: 5.2MB
  MD5: 76864bdd5586675dbae022da540d1ecf
  SHA1: 1eaab402a602e157d0cfc756a37e363f16cc045f
  SHA256: 130dcae26ca4a378e00780a00dc7bcef984d52ddabf65937aff0a391e51eaf55
  SHA512: 693cc751759ac241e24a80c8248d0a944c96fb598c8e3637f4a754fef340e5f133b62fadc285af6b0789ea99af5cc82f91171043e2a3ad66aeebb6c079d0c779