Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 25/01/2025, 03:32
Behavioral task: behavioral1
Sample: 2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240903-en
General
Target: 2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.7MB
MD5: 35a575428e2b33bcb3bfb04e565ab220
SHA1: 88f437fb93ec31ed8b0c878bf9f06ba61a41fa16
SHA256: f1107562d8cf2ae8f14490b79b786c1a7a2379dea35ebd5024935d52f1bedd76
SHA512: 3cdf035683545b8b9951e8828915be423372538159621e84d7aa78984087991e35fc396b6fed764b70dcc8af1aead0773d526d40bd2a5540c3f6e1a3ce03e121
SSDEEP: 98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUs:j+R56utgpPF8u/7s
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
resource / yara_rule:
- behavioral2/files/0x0008000000023ca7-5.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cac-11.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cab-12.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cad-23.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023caf-39.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb3-59.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb5-71.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb4-68.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb2-55.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb0-49.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb1-45.dat cobalt_reflective_dll
- behavioral2/files/0x0008000000023ca8-30.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb6-77.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb8-90.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb7-87.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cb9-96.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cbb-108.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cbc-114.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cba-102.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cbd-118.dat cobalt_reflective_dll
- behavioral2/files/0x0007000000023cbf-123.dat cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Cobaltstrike family

Xmrig family

XMRig Miner payload (43 IoCs)
resource / yara_rule:
- behavioral2/memory/3356-0-0x00007FF7F42A0000-0x00007FF7F45ED000-memory.dmp xmrig
- behavioral2/files/0x0008000000023ca7-5.dat xmrig
- behavioral2/memory/4016-7-0x00007FF6FE740000-0x00007FF6FEA8D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cac-11.dat xmrig
- behavioral2/memory/5056-13-0x00007FF6377D0000-0x00007FF637B1D000-memory.dmp xmrig
- behavioral2/memory/860-18-0x00007FF6D6420000-0x00007FF6D676D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cab-12.dat xmrig
- behavioral2/files/0x0007000000023cad-23.dat xmrig
- behavioral2/memory/2552-25-0x00007FF7657C0000-0x00007FF765B0D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023caf-39.dat xmrig
- behavioral2/memory/2736-40-0x00007FF687480000-0x00007FF6877CD000-memory.dmp xmrig
- behavioral2/memory/3628-51-0x00007FF6484B0000-0x00007FF6487FD000-memory.dmp xmrig
- behavioral2/memory/5084-56-0x00007FF793D00000-0x00007FF79404D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cb3-59.dat xmrig
- behavioral2/memory/2716-69-0x00007FF79E2F0000-0x00007FF79E63D000-memory.dmp xmrig
- behavioral2/memory/4344-72-0x00007FF714140000-0x00007FF71448D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cb5-71.dat xmrig
- behavioral2/files/0x0007000000023cb4-68.dat xmrig
- behavioral2/memory/1816-65-0x00007FF623960000-0x00007FF623CAD000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cb2-55.dat xmrig
- behavioral2/files/0x0007000000023cb0-49.dat xmrig
- behavioral2/memory/2156-46-0x00007FF765250000-0x00007FF76559D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cb1-45.dat xmrig
- behavioral2/memory/4000-33-0x00007FF7D4580000-0x00007FF7D48CD000-memory.dmp xmrig
- behavioral2/files/0x0008000000023ca8-30.dat xmrig
- behavioral2/memory/1968-78-0x00007FF7AEBB0000-0x00007FF7AEEFD000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cb6-77.dat xmrig
- behavioral2/memory/3832-88-0x00007FF7B6C50000-0x00007FF7B6F9D000-memory.dmp xmrig
- behavioral2/memory/2160-91-0x00007FF712CB0000-0x00007FF712FFD000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cb8-90.dat xmrig
- behavioral2/files/0x0007000000023cb7-87.dat xmrig
- behavioral2/memory/5016-97-0x00007FF7CA9E0000-0x00007FF7CAD2D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cb9-96.dat xmrig
- behavioral2/memory/3112-103-0x00007FF7F42F0000-0x00007FF7F463D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cbb-108.dat xmrig
- behavioral2/memory/2068-115-0x00007FF7BBF70000-0x00007FF7BC2BD000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cbc-114.dat xmrig
- behavioral2/memory/3084-111-0x00007FF657370000-0x00007FF6576BD000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cba-102.dat xmrig
- behavioral2/files/0x0007000000023cbd-118.dat xmrig
- behavioral2/memory/2000-122-0x00007FF778B30000-0x00007FF778E7D000-memory.dmp xmrig
- behavioral2/files/0x0007000000023cbf-123.dat xmrig
- behavioral2/memory/3152-126-0x00007FF64E480000-0x00007FF64E7CD000-memory.dmp xmrig

Executes dropped EXE (21 IoCs)
pid / Process:
- 4016 AYYnurQ.exe
- 5056 OsJaUll.exe
- 860 pcpycGD.exe
- 2552 sQqbezs.exe
- 4000 AFhQKMn.exe
- 2736 znbEWEu.exe
- 3628 FdvGDdt.exe
- 2156 JTjNGio.exe
- 5084 noxPdNa.exe
- 1816 cvwZukZ.exe
- 2716 YiKSzxl.exe
- 4344 lgrPStc.exe
- 1968 MrrMYuU.exe
- 3832 wONTYCU.exe
- 2160 wmssOVf.exe
- 5016 JwqPxBB.exe
- 3112 DqniXEB.exe
- 3084 qeCZZEv.exe
- 2068 hLuRybE.exe
- 2000 nerglHS.exe
- 3152 bQnRYkp.exe

Drops file in Windows directory (21 IoCs)
description / ioc / Process (the Process column is 2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe in every row):
- File created C:\Windows\System\AFhQKMn.exe
- File created C:\Windows\System\FdvGDdt.exe
- File created C:\Windows\System\lgrPStc.exe
- File created C:\Windows\System\sQqbezs.exe
- File created C:\Windows\System\znbEWEu.exe
- File created C:\Windows\System\JTjNGio.exe
- File created C:\Windows\System\noxPdNa.exe
- File created C:\Windows\System\cvwZukZ.exe
- File created C:\Windows\System\wONTYCU.exe
- File created C:\Windows\System\DqniXEB.exe
- File created C:\Windows\System\qeCZZEv.exe
- File created C:\Windows\System\nerglHS.exe
- File created C:\Windows\System\YiKSzxl.exe
- File created C:\Windows\System\MrrMYuU.exe
- File created C:\Windows\System\JwqPxBB.exe
- File created C:\Windows\System\AYYnurQ.exe
- File created C:\Windows\System\OsJaUll.exe
- File created C:\Windows\System\pcpycGD.exe
- File created C:\Windows\System\wmssOVf.exe
- File created C:\Windows\System\hLuRybE.exe
- File created C:\Windows\System\bQnRYkp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeLockMemoryPrivilege 3356 2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe
- Token: SeLockMemoryPrivilege 3356 2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory (42 IoCs)
description / pid / Process / procid_target (each row is reported twice; pid 3356 is 2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe in every row):
- PID 3356 wrote to memory of 4016, procid_target 83
- PID 3356 wrote to memory of 5056, procid_target 84
- PID 3356 wrote to memory of 860, procid_target 85
- PID 3356 wrote to memory of 2552, procid_target 86
- PID 3356 wrote to memory of 4000, procid_target 87
- PID 3356 wrote to memory of 2736, procid_target 88
- PID 3356 wrote to memory of 3628, procid_target 89
- PID 3356 wrote to memory of 2156, procid_target 90
- PID 3356 wrote to memory of 5084, procid_target 91
- PID 3356 wrote to memory of 1816, procid_target 92
- PID 3356 wrote to memory of 2716, procid_target 93
- PID 3356 wrote to memory of 4344, procid_target 94
- PID 3356 wrote to memory of 1968, procid_target 95
- PID 3356 wrote to memory of 3832, procid_target 96
- PID 3356 wrote to memory of 2160, procid_target 97
- PID 3356 wrote to memory of 5016, procid_target 98
- PID 3356 wrote to memory of 3112, procid_target 99
- PID 3356 wrote to memory of 3084, procid_target 100
- PID 3356 wrote to memory of 2068, procid_target 101
- PID 3356 wrote to memory of 2000, procid_target 102
- PID 3356 wrote to memory of 3152, procid_target 103
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-25_35a575428e2b33bcb3bfb04e565ab220_cobalt-strike_cobaltstrike_poet-rat.exe"), PID 3356
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\AYYnurQ.exe (command line: C:\Windows\System\AYYnurQ.exe), PID 4016
    - Executes dropped EXE
  - C:\Windows\System\OsJaUll.exe (command line: C:\Windows\System\OsJaUll.exe), PID 5056
    - Executes dropped EXE
  - C:\Windows\System\pcpycGD.exe (command line: C:\Windows\System\pcpycGD.exe), PID 860
    - Executes dropped EXE
  - C:\Windows\System\sQqbezs.exe (command line: C:\Windows\System\sQqbezs.exe), PID 2552
    - Executes dropped EXE
  - C:\Windows\System\AFhQKMn.exe (command line: C:\Windows\System\AFhQKMn.exe), PID 4000
    - Executes dropped EXE
  - C:\Windows\System\znbEWEu.exe (command line: C:\Windows\System\znbEWEu.exe), PID 2736
    - Executes dropped EXE
  - C:\Windows\System\FdvGDdt.exe (command line: C:\Windows\System\FdvGDdt.exe), PID 3628
    - Executes dropped EXE
  - C:\Windows\System\JTjNGio.exe (command line: C:\Windows\System\JTjNGio.exe), PID 2156
    - Executes dropped EXE
  - C:\Windows\System\noxPdNa.exe (command line: C:\Windows\System\noxPdNa.exe), PID 5084
    - Executes dropped EXE
  - C:\Windows\System\cvwZukZ.exe (command line: C:\Windows\System\cvwZukZ.exe), PID 1816
    - Executes dropped EXE
  - C:\Windows\System\YiKSzxl.exe (command line: C:\Windows\System\YiKSzxl.exe), PID 2716
    - Executes dropped EXE
  - C:\Windows\System\lgrPStc.exe (command line: C:\Windows\System\lgrPStc.exe), PID 4344
    - Executes dropped EXE
  - C:\Windows\System\MrrMYuU.exe (command line: C:\Windows\System\MrrMYuU.exe), PID 1968
    - Executes dropped EXE
  - C:\Windows\System\wONTYCU.exe (command line: C:\Windows\System\wONTYCU.exe), PID 3832
    - Executes dropped EXE
  - C:\Windows\System\wmssOVf.exe (command line: C:\Windows\System\wmssOVf.exe), PID 2160
    - Executes dropped EXE
  - C:\Windows\System\JwqPxBB.exe (command line: C:\Windows\System\JwqPxBB.exe), PID 5016
    - Executes dropped EXE
  - C:\Windows\System\DqniXEB.exe (command line: C:\Windows\System\DqniXEB.exe), PID 3112
    - Executes dropped EXE
  - C:\Windows\System\qeCZZEv.exe (command line: C:\Windows\System\qeCZZEv.exe), PID 3084
    - Executes dropped EXE
  - C:\Windows\System\hLuRybE.exe (command line: C:\Windows\System\hLuRybE.exe), PID 2068
    - Executes dropped EXE
  - C:\Windows\System\nerglHS.exe (command line: C:\Windows\System\nerglHS.exe), PID 2000
    - Executes dropped EXE
  - C:\Windows\System\bQnRYkp.exe (command line: C:\Windows\System\bQnRYkp.exe), PID 3152
    - Executes dropped EXE
Downloads
- Filesize: 5.7MB
  MD5: e082e63cda1c7a49e41017c1255f9acc
  SHA1: 9fb44eec7cb06c1c2bce62a7f23b629dc62c35b5
  SHA256: 295c6b0e0d253552e7dc39de7b130784bea6b5df337f830df7871750180b7a5b
  SHA512: 592300c79d09bd6e79408f5e6791717da32ef8b0b5f23f085a8e4c76536a70b6aef1f41a72dfdcd9eb119ae9b7a1f64f92ae0010cc23e03784917f05c4397858
- Filesize: 5.7MB
  MD5: cb0945bed90e2067c5b7428c65ebc692
  SHA1: c45b98b7fcea913104832d1c9872e8822f48c388
  SHA256: 125e01973b714958860a624707deb94c0e114b2b9145e2cb270be60c0fc7493b
  SHA512: ff3705a1d7677c0901d8439363dca1fad4295ade34118665068977c803f83a33c54e4380a5a031a8592eaf6752da10c5138361e5998ee38e090492f4efc7c8e7
- Filesize: 5.7MB
  MD5: 1839444a6a1d1d4ca18d72b2b3d8fb6a
  SHA1: 1b52e40bd897a38e67443f539dd50a060ca56513
  SHA256: 568b3ea48823a5053dfe21e21139c5935b0e6ef1eb1c9da9c1e214997e4e789e
  SHA512: 8694c2909b45f8ce4a20909baddf967eee83f91541af864f4774c6aece521bf958b6e2c9dcb6b95542d5fbff982a415c4229ace4d695c54218b025066fb8ff0b
- Filesize: 5.7MB
  MD5: be2206bf0b743236dd61bd16b6cf72f8
  SHA1: 76ec6ec962101e62fe5cfd65bcfe7ed1cf8d0f14
  SHA256: 51ae88a753423ba0115ce0f0f841435a802671d8858ca354a4bd9695f2d37399
  SHA512: 58a66dac0c659ec5147a680d0fa78ff255861a8a16062360ed1e1b5f298415b88664ac08242c7b73929fb90888b015e5108b2b58d20fa0adc22ebe8c616c836f
- Filesize: 5.7MB
  MD5: e0fdb777a01e2c50c1778609df5fa864
  SHA1: 9946f592ada3169b497b0fb8d35ea9d696e13f16
  SHA256: 993113db212e1f985694d5a20ebbba617810b5e60c83f22032eb3e8a0f01ae83
  SHA512: 33869b993501f095a8a8a89dcd327fdb89635eb71e4dd7664d8960d787335eda5f214ca0e084939086a282c0e7a526edfc5a4cd5cbfe441260e65e9b521c7984
- Filesize: 5.7MB
  MD5: e2832d6748d18f912b215b6432e1b2cd
  SHA1: df114f83bb3823e03839060c183df6cff6c1dbc9
  SHA256: 58353d495a1ef457c0eea37e6d5897330b395fc240ddfeeb6d6cd5f2dab097eb
  SHA512: b8435acfdac2d4f70c7e96e5d457ab5ca5717488994486699b677617663fac3b66452a86cde57771d10b2ddfa7fca1bb2e54c63508445a0f06f835ceaf753878
- Filesize: 5.7MB
  MD5: 7d4627f9599d6f0d2c10aedee66a0c0d
  SHA1: ecb5546aa2e9bb7ff8963cdb74b6884ffba313f2
  SHA256: 8357beac0dd74053b26a424b945a1c2947e5ceb9354a03ec9de151ddf42a20b3
  SHA512: 98a8ad96da10d11277c20fcdedbfc5480ac314b57db225fbd40a4f14b217fceb67851879ca0c73d6a01c2e3b6980c8796f979341f6e333daccbb4602fc9992de
- Filesize: 5.7MB
  MD5: 3aeedebc98c4a034fb498c947ff0eb07
  SHA1: c9f3270b8c6a7b5dee90663242c940ceed54596c
  SHA256: acd86474db823b2c1e0253913cdab07214d83dd1101ea69dd5fd2d794da75930
  SHA512: 735144eed8fce845f004c2badb343690a8762c01855dc0f173dd82c17f6918b6313e1869d95a431c50bf9a2210cb45a14a63cb7ce1585ef84cdb04a6d2b27240
- Filesize: 5.7MB
  MD5: 20fd69d3bf6af94f0a1e3f9db6a930c2
  SHA1: eceec73db99f263f70a6f2e880768567bee284de
  SHA256: b30ca4d555a3359c4bc8cfacd48849588c1ecde32bbe158691d157f83633e171
  SHA512: 2fc0001e1a3d2eb83894e98f78d862c1239a00b68f25d5f9148117be39cc3888143f5569eab2aba22bf3ad8e7b4aeeac86e74da07fbcb2844e4dde834d83536a
- Filesize: 5.7MB
  MD5: 44c3e61740b7ad452363c2747c3a0462
  SHA1: fa8faf66673ae561022f161673781c39f4e4a502
  SHA256: 9e97d6d2c1c599b43de2f5afc1193ab68b74d5c5324b3e30e3513f43610f9c37
  SHA512: 73ad53d1f552d1abd5e9e8589b74bed76cb34f0233c463e700ba5e64b0f2761168aeb5670c8ad1566fcab2e967e51503cde1d21da1cb62066e0a18ab53346ec8
- Filesize: 5.7MB
  MD5: c8f8e7413fa4635ea7a0e6419d8c43fe
  SHA1: 40fad29bf9b54be8ca40f1109d383089bf5310c9
  SHA256: 8f4565afa284ebba35834ccf1321cad121693de54b2955e8e7e05cc3424112e7
  SHA512: f7cfdf34448ee9b951e49fcddb5136aad85d1b3f4899d1646c42da554731f9395615a299a531c239113496a1227e10fb16449f61d14126d271cbab7c7b17c657
- Filesize: 5.7MB
  MD5: 061fada4edac380c3edc70104d427577
  SHA1: ed3301b5dae9eadbe50055c9c6d5c5a9fcdcc5b1
  SHA256: 660b243a5e3dd7f671bdd8e469eb5b267ff5ed177b6a7ed75413f7c0e3b82df1
  SHA512: 616dbaee49a074d2a7179b4865e95a9e8d46dcec7d47b7223cccbf198270a8071b2ecdb081ba16569effbd8e52ac492f5415bd7cae80cbe05ad234400a6d4daa
- Filesize: 5.7MB
  MD5: 1c8613e671496845d0f0250f7dc198a1
  SHA1: 2d4ade02678265e18692ea2afdd7d3a3cd8b79a9
  SHA256: 385f60db026304ce59590f59ba187eeccc8be9a3934a60b715f9b1e11912f449
  SHA512: b7450955f27581317bfa03c01c586e65346823a95d2f3c18815f45f268b21dceada40ced049e6f437dfaf365bc0f795a090c263c5e51b0c3f1db20528641a1ec
- Filesize: 5.7MB
  MD5: 9e1b2df19bd6d8deb644e389a7766492
  SHA1: 16752086c477f519efa16da9f55ec5d2a86db697
  SHA256: 31c1408c3975e9e940efd75072e389fdecde402832b08ee36440924ac1793d56
  SHA512: 7b0cd3ad332b3e098c5150eb65d838918369ad7b92a9dbf8aa08cd57f9d1a46b01a4a5bf2938600897d11ab41ccff22ddf94661f62a5aa18d8437877edf44d3c
- Filesize: 5.7MB
  MD5: a526a62ac2956aa6b43b344ee85f51e1
  SHA1: 252f75b16815f54e3559c85343d796705c4e98ce
  SHA256: 0f172f0f39b971f9c3b2a7c1f9bfb3462f8b5c40554a16c5fae9fad8584b4709
  SHA512: bac15ec0faf731467d10f026ef461bbcdea4ff0fb57ae6230f8fcf5a75ef165e1c1a5a31261a9d64115f177e722b9deb94ff30a378882a244d9fdaedf5a02578
- Filesize: 5.7MB
  MD5: 8d5ff2a20569de960fcc937635c1732c
  SHA1: 92d83e741661cdd4166c21509d0ae3406835ea61
  SHA256: abd41be38fb692ef414f15bddef826743c2b546b4882f179c8e772aa1a90ac25
  SHA512: 7d68470537d6af1d36470754aab81af194d80281ec3bf44db7b4084877848b40018f9b62d973e3af061a0e9536d68cc08f66d385e195382f057a3ba7f28cf631
- Filesize: 5.7MB
  MD5: 7eb94311c46b95e92e7bf0a9af2ac349
  SHA1: a9ce0ae581d51a0190e29c4f1210f9215a9bc1c1
  SHA256: 4c40b23829a292a13c6c948711de907b59d1e6576c760db6b0d26f36cd159f11
  SHA512: 6c1155e4f6f1e24cede5d1124bf57d2087d8454cfdb9f7010023357c1d0115d5fa3808c13fe27de8a1aef2849f18b5bc55090364ab961d41ea5b3e0f1e12374f
- Filesize: 5.7MB
  MD5: 20e1b0479002b2aefe861d498a7f2d75
  SHA1: 6502ff99ac0493155141c895c357967e9b1acbdc
  SHA256: 86344083bfc7afa789e2433070b636f47899621ff77da1e855a5b6f87b2890e6
  SHA512: bc90c437324e440269b03f47e8490d41ee1ec334fb709a5fd1a7190bb102a101548fced7f77dc40084963446208331959abdd4529b2333cc20ab6a17e9a61723
- Filesize: 5.7MB
  MD5: 1d62f8052c828b8aa8c82bb38aa9604d
  SHA1: 84c0af7bc34fb1a31cee743d3242e822db769148
  SHA256: 01cf610186a9a67e31e808eab78b36ecdade0f58c96fe33376d2426e1b2f8c36
  SHA512: 8e21e58f9ad16c42478d400a2d3c0de7a89bccf3eada9f300fa8a2b9c184afd686786786c3c3d0d8c7b53d87a1b5458f500aa184f1843a05ef8a06f7c7005d22
- Filesize: 5.7MB
  MD5: 4e6d6c0ba4d3f58c0af8c1973f762dfd
  SHA1: fd2ef1c4433897f82d6d9eda57559042eb65e30d
  SHA256: 0e3847fff9d97afbc418f8696c0ff9887316f33fb2c90bb0c3963eec6281fb8c
  SHA512: 051ad599c3c2e8dfe49680eba5bdf194e9cdc5d650e5b99cd5bbec9e33f270461c9b6a5c1fd3b428a4051e089cac2d56cba6112403928044d0e12d1b3ede80be
- Filesize: 5.7MB
  MD5: bd9dc3ae0e73b246f73ce8e6370d94c7
  SHA1: 528cacff9e97345e09497b164266d3aadae76372
  SHA256: 0532a45b7c9a15abed365f8205ba25043f2fbb9562b7faddf4eb7399eb207aab
  SHA512: 5c1564cf4c3ea1f694dca1b20e54f94fb4053d25b4c26876be53f2f1f1e8d772ba21204d0cad8d7ea8b38943190f6c2d1283ab579d27375ed1fed885b64661b8