Malware Analysis Report

2024-09-11 03:27

Sample ID 240525-dxsxpacg51
Target 2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta
SHA256 861ec218c522da4af8ede69ccd8f31954bd37d0b2107f8768a1b72d6457f9771
Tags neshta gh0strat persistence rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10
SHA256 861ec218c522da4af8ede69ccd8f31954bd37d0b2107f8768a1b72d6457f9771

Threat Level: Known bad

The file 2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta was found to be: Known bad.

Malicious Activity Summary

neshta gh0strat persistence rat spyware stealer

Detect Neshta payload

Gh0strat

Neshta family

Neshta

Gh0st RAT payload

Sets DLL path for service in the registry

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-05-25 03:23

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-25 03:23
Reported 2024-05-25 03:26
Platform win7-20240215-en
Max time kernel 149s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Neshta

persistence spyware neshta

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259395202.bat" C:\Users\Admin\AppData\Local\Temp\look2.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\259395202.bat C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File created C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1956 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1956 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1956 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1628 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1628 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1628 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1628 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1628 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1628 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1628 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1628 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 2528 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Windows\system32\WerFault.exe
PID 2528 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Windows\system32\WerFault.exe
PID 2528 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Windows\system32\WerFault.exe
PID 2660 wrote to memory of 356 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2660 wrote to memory of 356 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2660 wrote to memory of 356 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2660 wrote to memory of 356 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe"

C:\Users\Admin\AppData\Local\Temp\look2.exe

C:\Users\Admin\AppData\Local\Temp\\look2.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2528 -s 96

C:\Windows\SysWOW64\svchcst.exe

C:\Windows\system32\svchcst.exe "c:\windows\system32\259395202.bat",MainThread

Network

Country Destination Domain Proto
US 8.8.8.8:53 kinh.xmcxmr.com udp

Files

\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

MD5 25331b8a4c64e7bce6fe63eeef2f9f24
SHA1 8af4d49674224934df94c101eb706e02c8bcd8c5
SHA256 e02db10472e7672f82eed2bc1c9e33ff0b422b3fe502f7096543553f59035882
SHA512 46b8ccc3935c46872ee862448d0b3b4511290724cbc9bfbf7959d17393cdd5f61bc5e9bf724ad320d9c8586d3521afba2f499441eeb66a60b83f0a360a5eefab

\Users\Admin\AppData\Local\Temp\look2.exe

MD5 2f3b6f16e33e28ad75f3fdaef2567807
SHA1 85e907340faf1edfc9210db85a04abd43d21b741
SHA256 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857
SHA512 db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

\Windows\SysWOW64\259395202.bat

MD5 c1eb26588523e42c666005dc7cebea53
SHA1 ff019d8680324733828b549e00d8d7255b493d07
SHA256 2e27c2fa08e00af3fd66189b765b38cb75774cb8c647cc19f7a1fde29c8063ba
SHA512 be27846c081f6a974e2354dc0fe103e669ce29ffd5ff169219343f033580bfbf82086b9b14080d0ce76b39ba93eb8321b70df894d2d09157150226535308becb

\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

MD5 d03630dc968aae232a10fc0507727977
SHA1 c1fb90cbcfc414d013e02aa49dc6654b6ff45d51
SHA256 c9b5ab87aa09c521ab00abe664291bb2e833f018f0c8f3c00b719e35f101f140
SHA512 f559405af54194bc925f49377ce29d602084d15cfe7234f3d62644eba8129ebca57718a96c0e4099de233a2f0252e89958ec109a740a4eba4af3675569d67e2a

memory/1628-30-0x0000000002960000-0x0000000002B69000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 34b496de3e42f44274e64328cd2bf91d
SHA1 62af4747fb62e4a0d26e0071ca4940a8e089a368
SHA256 c0b82f23137ef1cc172c6f20a159dd76b44a7f1183b89c33bf27ff0835737f0b
SHA512 5c57098a760e1ce3e932a95c3548c71886a94761999126e469f79f6fed9b51c20956526053e912d724ac1324645fea625d4886a3954830fd3f8550c25fbcad0f

memory/2528-44-0x000000013F3B0000-0x000000013F5B9000-memory.dmp

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

MD5 7e36ae4418e02e94495ab03be05e71e3
SHA1 833bd1e34ddf85486f0e6c1be377bb5ae71929c4
SHA256 6040a64e64a54562186ed5132b8669941adb97ee8cff483ea888790da6b4277e
SHA512 c92fcc286f707e7f6958d3c4a49cdd6bca80ce338c78dc2d429bcc413a22e9d0a23525e37e9a4bb2d637c4ef26d9fe5cf7b197e085d1f312367515b9ef069ec9

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Windows\SysWOW64\svchcst.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/1628-128-0x0000000002960000-0x0000000002B69000-memory.dmp

memory/1956-130-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2528-131-0x000000013F3B0000-0x000000013F5B9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-25 03:23
Reported 2024-05-25 03:26
Platform win10v2004-20240226-en
Max time kernel 155s
Max time network 161s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Neshta

persistence spyware neshta

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240652140.bat" C:\Users\Admin\AppData\Local\Temp\look2.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchcst.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\240652140.bat C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File created C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_click_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 648 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 648 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 648 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 2876 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 2876 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 2876 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 2876 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 2876 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe
PID 1724 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe C:\Windows\System32\RuntimeBroker.exe
PID 2140 wrote to memory of 3956 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2140 wrote to memory of 3956 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2140 wrote to memory of 3956 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe"

C:\Users\Admin\AppData\Local\Temp\look2.exe

C:\Users\Admin\AppData\Local\Temp\\look2.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

C:\Windows\SysWOW64\svchcst.exe

C:\Windows\system32\svchcst.exe "c:\windows\system32\240652140.bat",MainThread

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 morgellonsfocusonhealth.com udp
IT 185.196.9.203:443 morgellonsfocusonhealth.com tcp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 203.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.179.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
IT 185.196.9.203:443 morgellonsfocusonhealth.com tcp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
IT 185.196.9.203:443 morgellonsfocusonhealth.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

MD5 25331b8a4c64e7bce6fe63eeef2f9f24
SHA1 8af4d49674224934df94c101eb706e02c8bcd8c5
SHA256 e02db10472e7672f82eed2bc1c9e33ff0b422b3fe502f7096543553f59035882
SHA512 46b8ccc3935c46872ee862448d0b3b4511290724cbc9bfbf7959d17393cdd5f61bc5e9bf724ad320d9c8586d3521afba2f499441eeb66a60b83f0a360a5eefab

memory/648-8-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\look2.exe

MD5 2f3b6f16e33e28ad75f3fdaef2567807
SHA1 85e907340faf1edfc9210db85a04abd43d21b741
SHA256 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857
SHA512 db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

C:\Windows\SysWOW64\240652140.bat

MD5 7321138abfa97177b4d30b342e1e4ff4
SHA1 7248f5d36b5fe6761bb2fd85f175ad27010b24e6
SHA256 c9019b0f8f54ba6a0092aed44fd3e6c3f4af96f06b674bcec9d0894890704a85
SHA512 aa99ee126d91d55e5fc3595980bb27e23772be36190e27afaeef575b8b8bbce3e70c7b5db028296af1b24f683d08c63819825d0708715e18251359187bd2d990

C:\Users\Admin\AppData\Local\Temp\3582-490\HD_2024-05-25_03b1a6c3ca32de4fa42d45ae67ac976f_cobalt-strike_cobaltstrike_neshta.exe

MD5 d03630dc968aae232a10fc0507727977
SHA1 c1fb90cbcfc414d013e02aa49dc6654b6ff45d51
SHA256 c9b5ab87aa09c521ab00abe664291bb2e833f018f0c8f3c00b719e35f101f140
SHA512 f559405af54194bc925f49377ce29d602084d15cfe7234f3d62644eba8129ebca57718a96c0e4099de233a2f0252e89958ec109a740a4eba4af3675569d67e2a

memory/1724-32-0x00007FF669840000-0x00007FF669A49000-memory.dmp

memory/3944-44-0x000001BE740F0000-0x000001BE7413C000-memory.dmp

memory/1724-45-0x00007FF669840000-0x00007FF669A49000-memory.dmp

C:\Windows\SysWOW64\svchcst.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/648-50-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427