Malware Analysis Report

2025-06-15 23:17

Sample ID: 241102-2mnf8axerf
Target: 2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig
SHA256: e384bc77d95c91a446821a738b61c7f2d2c6e9bee219e54acaa6b4121e40d2c0
Tags: miner blackmoon xmrig banker discovery evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file 2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

Detect Blackmoon payload

Xmrig family

Blackmoon family

UAC bypass

Blackmoon, KrBanker

xmrig

XMRig Miner payload

Event Triggered Execution: Image File Execution Options Injection

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 22:42

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 22:42

Reported

2024-11-02 22:45

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe"

Signatures

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MuiUnattend.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\openfiles.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\PkgMgr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\proquota.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\verifier.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\DevicePairingWizard.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\drvinst.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\LocationNotifications.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP10\IMJPDADM.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\mode.com C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\Mystify.scr C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\tcmsetup.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\timeout.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\TpmInit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\wevtutil.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\ftp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\label.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\RMActivate.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\isoburn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\notepad.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\powercfg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\SyncHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\cmstp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\dvdupgrd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\extrac32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\sxstrace.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\wermgr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\wextract.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\cscript.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\iscsicli.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\RMActivate_isv.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\dllhst3g.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\dpnsvr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\secinit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\sdbinst.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\wininit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\wusa.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\PING.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\reg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\WPDShextAutoplay.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\bootcfg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\convert.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\perfmon.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\TsWpfWrp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\dialer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\Magnify.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\eventvwr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\netiougc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\sbunattend.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesComputerName.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\AtBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\autochk.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\cipher.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\SystemPropertiesProtection.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\taskkill.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\Ribbons.scr C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\SetIEInstalledDate.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\winrs.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\view.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_4f466e7a0fbb1a04\systray.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\rwinsta.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_e1cb175aef3b13bb\UserAccountControlSettings.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-where_31bf3856ad364e35_6.1.7600.16385_none_b9c82ac6f7db99ae\where.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca\WinMgmt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_655452efe0fb810b\SvcIni.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7601.17514_none_4458ac8eafdacbdd\isoburn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\qappsrv.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_459ccaf008ff34f6\mtstocom.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.22091_none_d2b1c721321aadf8\conhost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\Backup\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7_ntkrnlpa.exe_165c312a C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-i..lified-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_808c0da292f3ca46\IMSCPROP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_6.1.7600.16385_none_3142c61b8ada510f\ReAgentc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-19.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgradeui_31bf3856ad364e35_6.1.7600.16385_none_4aadf3be188c056d\WindowsAnytimeUpgradeui.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16428_none_a56da9e617d4f97e\ieetwcollector.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_netfx-netfxsbs10_exe_31bf3856ad364e35_6.1.7601.17514_none_3d9659600c3683e3\NETFXSBS10.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\ehome\RegisterMCEApp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_8.0.7601.17514_none_055d8a4166e66f09\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iisreset.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_fed8c13f0d90a8cf_winmgmt.exe_8f8eb7b1 C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-robocopy_31bf3856ad364e35_6.1.7601.17514_none_c90e996c4aa655c4\Robocopy.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-11.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\CasPol.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_931b5f1fdcdd6496\wowreg32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_6.1.7601.17514_none_036ad230212a39ce_lsm.exe_ecbd567a C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\MigSetup.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-utilman_31bf3856ad364e35_6.1.7600.16385_none_028006129290e443\Utilman.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.comments C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\406.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-cttune_31bf3856ad364e35_6.1.7600.16385_none_0f797e18d8361ef2\cttune.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..xing-service-server_31bf3856ad364e35_6.1.7601.17514_none_0db5e5844ed6ffe9\CISVC.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_bbdd3aeb771e694e\runas.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-telnet-client_31bf3856ad364e35_6.1.7600.16385_none_1426830c3ebb712d\telnet.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-choice_31bf3856ad364e35_6.1.7600.16385_none_c33d412fed16819c\choice.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-logagent_31bf3856ad364e35_6.1.7601.17514_none_ed47f623204af12a\logagent.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9ea273bf74e2d7d\weather.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-wlan-extension_31bf3856ad364e35_6.1.7600.16385_none_f9b9855184ad1e6d\wlanext.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-12.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-13.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_a45d44bd1a0af822\wscript.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..ageengine-utilities_31bf3856ad364e35_6.1.7600.16385_none_3580dea4def227d4\esentutl.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_6.1.7601.17514_none_d71fb1d63f05ef22\WFS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\NETSTAT.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\wscript.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_2831d06e8295c671\upnpcont.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_403307e9ac829b13\CasPol.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-getmac_31bf3856ad364e35_6.1.7600.16385_none_0bd4ecde034ea7da\getmac.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhst3g.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-security-secedit_31bf3856ad364e35_6.1.7600.16385_none_aebd843e13122315\SecEdit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-irftp_31bf3856ad364e35_6.1.7600.16385_none_b2af329397f29f60\irftp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.5.7601.17514_none_af500e3c7fc49bc4\wuapp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_6.1.7600.16385_none_8fbb77bb3cd808d1\pcalua.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_6.1.7601.17514_none_726f4033dc35da15\cvtres.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-runlegacycplelevated_31bf3856ad364e35_6.1.7600.16385_none_10e2654156a06b06\RunLegacyCPLElevated.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_16699919077609d2\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd9932e5aaee1f78\flyout.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-16.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mine.ppxxmr.com udp

Files

memory/1568-0-0x0000000000400000-0x0000000000613000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

C:\Program Files\ReadBlock.exe

MD5 6559038909c0f37301ac77fee21f7b29
SHA1 c18ea0a9758937994900379f5f00f82b23626c9c
SHA256 35d89799cba675f750c56d27c76852ccf1dd09e85ef3eaa8745dfbca08be408b
SHA512 cf9b3eb3241ec2818ee243457137ca35a8269e6ebc18d632da35340d7f2f72abd556f9c46561a94783f52715db56aea59b2cb969866aee3c5e97bf35748f4e9b

memory/1608-342-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-365-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-366-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-387-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-388-0x0000000000400000-0x00000000004DA000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

MD5 cdea5d1cccee27144519c75bcf3015bd
SHA1 c36862abb1ada006b3dd4c28adc8b393a92fd325
SHA256 1184f2316c36648a2d457b602c713d5d5eb980e86e5e8ed388e94a47f8573dbd
SHA512 5d0ea1cef2af7111098c19578c42bfdfd7bb00ec3259fe026df6dd867a24f9a94f3299b035235e3cb87b1c9010f0d1be434a08318dae0412e03ecfdb439edfe9

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

MD5 bc3e199345ad8ba54e2fe4acad95433d
SHA1 c93cb69c27e1c03069de3c952534a52f391e3fb9
SHA256 462c197c83ee3d677b07fe000b2c4e64ac4be4ceaaea80c1c77a5e67d832edd8
SHA512 c1941c9106ff0d665dfee1888afcdc3c54e4db8fdb11e3313cd92a147a1084264dba8f1f9cbac5216d3c5ce1f97ff7f8d7d7493826ec3538d5db57a933fe32e4

memory/1608-497-0x0000000000400000-0x00000000004DA000-memory.dmp

C:\vcredist2010_x86.log.html

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

MD5 ed1191da9c4f74a60d695a25686f374e
SHA1 3a427657c16a716be332587425101653c25221d0
SHA256 ab8cafd1958c27d70adc747259495e35592f8a06ae00969964f5f34f72896f3f
SHA512 68098c1342f87939b3f57cd3e3a799ff316d2f1eb5c52f8d9c0c9e7c214281bff68a1260a91527b7175ad031798f42125cf9ee2e0d49772eb03b5836b67d9fbf

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

MD5 657eb3527d651515f97b960a67d19fda
SHA1 27404b587183bc2f3b3b6919fbb91892f505b60d
SHA256 f301745232a72d84f277980ad53b65d94b02479369e8b73fe0e6717adcf11a35
SHA512 1085550a8844de081a216bd864990e56fbe91498fb6186cce435173ab73e29932e7b8182078cd2876039addbdb7e3c9769d7d7923f7ed2a5422e6a2a36321b70

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html

MD5 26986f79440b7a706b65724e509f009f
SHA1 9d8ff0beef1c19fbecd28e3f632101acf3d02599
SHA256 e59b7fa34b947d5ada478ff17543204251955052fdace284e5a285bd2abec5d1
SHA512 2c240c4f7b8912bd5049bef22c2507c7c1af15432c860549d0f1ea35f03183270eb7315607fdf35be86703a61ec0ed7801e9e6ea627a026dbf93d98ff11d2ed6

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html

MD5 59e4add1732aef6b8e228ecfb880c299
SHA1 31a6380e878f89ec9d2c83716fe42faafdd828db
SHA256 089aaccbf4c17d2a0163f13820e926f8ce3122c9ed87e7e040a77439795b8fc4
SHA512 461240638f98f92a0df94a6a76470d7ed3a9bf45f845b545ff37355efd4fb3efdbe592e563b6624d2e42374a3bf7682a572c3bfd96c21be87fc96ec3b3bcfbaf

memory/1608-746-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-747-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-748-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-749-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-750-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-751-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-752-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1608-753-0x0000000000400000-0x00000000004DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 22:42

Reported

2024-11-02 22:44

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe"

Signatures

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\fsutil.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\instnm.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\net.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\rdrleakdiag.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\ReAgentc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\RMActivate.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\RpcPing.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\SettingSyncHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\UserAccountBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\xwizard.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\autochk.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\userinit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\cmdkey.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\dialer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\EhStorAuthn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\fontview.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\msfeedssync.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\SndVol.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\findstr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\help.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\SystemUWPLauncher.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\typeperf.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\DevicePairingWizard.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\net1.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\RMActivate_ssp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\secinit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\tcmsetup.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\TSTheme.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\dtdump.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\fltMC.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\ndadmin.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\PackagedCWALauncher.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\chkntfs.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\cmmon32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\find.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\raserver.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\replace.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\WPDShextAutoplay.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\ktmutil.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\mcbuilder.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\NETSTAT.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\rekeywiz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\runonce.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\schtasks.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\stordiag.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\taskkill.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\Taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\tracerpt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\ttdinject.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\cmstp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\eudcedit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\nslookup.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\odbcad32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\PATHPING.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\RdpSa.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\credwiz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SysWOW64\dvdplay.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\Windows NT\Accessories\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\WebviewOffline.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\index.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files (x86)\Windows Media Player\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_10.0.19041.1_none_e0dec3877978d84a\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-unp_31bf3856ad364e35_10.0.19041.264_none_8adc8bd8b75d383f\r\UNPUXHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334\r\XblGameSaveTask.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_2dfbb21bd5166adc\f\LaunchTM.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorunknownerror.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\memoryAnalyzer.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\pdferrorofflineaccessdenied.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.19041.746_none_0f44a2d7a5e3a37a\f\ChtIME.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\f\FileExplorer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..cymanagerbrokerhost_31bf3856ad364e35_10.0.19041.746_none_5cc81a54cf095c95\f\EASPolicyManagerBrokerHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mdmappinstaller_31bf3856ad364e35_10.0.19041.844_none_77a5d9aafae08e77\f\MDMAppInstaller.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\servbusy.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\DisableAboutFlag.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ces-backgroundagent_31bf3856ad364e35_10.0.19041.423_none_d8a242bf396f7d4d\r\SpaceAgent.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-4.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\defaultbrowser.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1202_none_3594628932065f23\r\wevtutil.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ddodiag_31bf3856ad364e35_10.0.19041.1_none_f69c49e870acf520\ddodiag.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-ie-iechooser_31bf3856ad364e35_11.0.19041.746_none_b60bd945ca2276e4\f\IEChooser.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\404-12.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devicepairingapp_31bf3856ad364e35_10.0.19041.1_none_258f6f31a16a0eac\DevicePairingWizard.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_10.0.19041.906_none_5f45625010b4cd19\InetMgr6.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_caspol_b03f5f7f11d50a3a_4.0.15805.0_none_f0aa60ae9c531752\CasPol.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-clip_31bf3856ad364e35_10.0.19041.1_none_682199f2efbfb806\clip.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.546_none_5163f0069562aff6\r\powershell.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoSecurityInclusive.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\unknownprotocol.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-6.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.19041.746_none_092d70d1898e5ff9\f\DismHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.19041.546_none_380485edeba9f4c4\f\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\needhvsi.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.0.19041.1_none_4e5e653d48e95632\wextract.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\main.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\f\printui.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.19041.844_none_7eaa07ee55c22dcc_winmgmt.exe_8f8eb7b1 C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeoemregistration-main.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\view\common-listview-template.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1_none_14f1e9e91239944a\MdmDiagnosticsTool.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_171488549e32a4d3\diskperf.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_ac2441dbb712f006\msra.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..tofservice-oposhost_31bf3856ad364e35_10.0.19041.1_none_3d1291badd9e7f22\OposHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-tieringengine_31bf3856ad364e35_10.0.19041.1_none_6568d39003c9a6d5\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\x86_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_10.0.19041.1_none_a6a8b89bc50eae31\cvtres.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeoutro-main.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\BlockSite.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\CapturePicker.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_10.0.19041.1_none_075470a68fcfb411\umount.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..-management-console_31bf3856ad364e35_10.0.19041.746_none_f7c1402f08d2457a\f\mmc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-b..onment-dvd-etfsboot_31bf3856ad364e35_10.0.19041.1_none_dc4e5ab15169832e\etfsboot.com C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\PhishSiteEdge.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\WpcBlockFrame.htm C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-s..chservice-component_31bf3856ad364e35_10.0.19041.1266_none_2262e67641106c48\SpeechRuntime.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.264_none_c765d8a6c76ec25f\r\DataExchangeHost.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-regsvr32_31bf3856ad364e35_10.0.19041.1_none_389cd5270341e0a8\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\r\mstsc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\wow64_regasm_b03f5f7f11d50a3a_4.0.15805.0_none_9be7d950c1f8addd\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_10.0.19041.1_none_ad39955b83a3f25f\SystemPropertiesAdvanced.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..appserver-licensing_31bf3856ad364e35_10.0.19041.746_none_84af66409a2cad45\tlsbln.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_10.0.19041.1_none_5efb81c4b092852b\cvtres.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_windows-application..egistrationverifier_31bf3856ad364e35_10.0.19041.1_none_3ce17495646dbeaa\AppHostRegistrationVerifier.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"
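The signature rows above are the raw sandbox record; the following script (an added example, not part of the sandbox report or of any tool it names) re-parses a subset of those rows, copied inline in the report's own flattened "Description Indicator Process Target" layout, and turns them into the four findings an analyst would call out: EnableLUA forced to 0 (UAC disabled), SeDebugPrivilege and SeLockMemoryPrivilege being enabled (XMRig requests the latter for large-page allocation), executables written under C:\Windows by a process running from %TEMP%, and svchost.exe executing from C:\Windows instead of System32. The directory lists, extension list, privilege list and process-name list are this example's assumptions, not facts the report states.

```python
"""Re-triage of the behavioral1 signature rows (added example, not report output).

Rules applied to the report's own rows:
  * Set value ...\Policies\System\EnableLUA = "0"    -> uac_disabled
  * Token: SeDebugPrivilege / SeLockMemoryPrivilege   -> suspicious_privilege
  * File created C:\Windows\...\*.exe by a %TEMP% exe  -> protected_dir_write
  * svchost.exe running outside System32/SysWOW64    -> masquerading_path
Lists below are this example's assumptions.
"""
import ntpath
import re
from collections import Counter, defaultdict

# Subset of the rows copied from the report; enough to exercise every rule.
EVENTS = r"""
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.19041.1_none_14f1e9e91239944a\MdmDiagnosticsTool.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\CapturePicker.exe C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeoemregistration-main.html C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-11-02_fb1e670df521315c4c7f6875a6bbedd0_cobalt-strike_icedid_xmrig.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\svchost.exe N/A
"""

FILE_CREATED = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
SET_VALUE = re.compile(r'^Set value \(\w+\) (?P<key>\S+) = "(?P<val>[^"]*)" (?P<proc>\S+) \S+$')
TOKEN = re.compile(r"^Token: (?P<priv>\S+) \S+ (?P<proc>\S+) \S+$")

# Example assumptions: what counts as protected, user-writable, executable, suspicious.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")
EXEC_EXT = {".exe", ".dll", ".com", ".sys", ".scr"}
SUSPICIOUS_PRIVS = {
    "SeDebugPrivilege": "open and write other processes' memory",
    "SeLockMemoryPrivilege": "lock pages in memory (XMRig needs it for large pages)",
}
SYSTEM_BINARY_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def triage(events):
    """Return a list of {rule, process, detail} findings for the given report rows."""
    findings, procs = [], set()
    privs, protected_writes = defaultdict(set), Counter()

    for line in events.strip().splitlines():
        if m := FILE_CREATED.match(line):
            procs.add(m["proc"])
            path, proc = m["path"].lower(), m["proc"].lower()
            if (path.startswith(PROTECTED_PREFIXES)
                    and ntpath.splitext(path)[1] in EXEC_EXT
                    and any(w in proc for w in USER_WRITABLE)):
                protected_writes[m["proc"]] += 1
        elif m := SET_VALUE.match(line):
            procs.add(m["proc"])
            if m["key"].lower().endswith(r"\policies\system\enablelua") and m["val"] == "0":
                findings.append(dict(rule="uac_disabled", process=m["proc"], detail=m["key"]))
        elif m := TOKEN.match(line):
            procs.add(m["proc"])
            privs[m["proc"]].add(m["priv"])

    for proc, n in protected_writes.items():
        findings.append(dict(rule="protected_dir_write", process=proc,
                             detail=f"{n} executable(s) created under a protected directory"))
    for proc, ps in privs.items():
        for p in sorted(ps & set(SUSPICIOUS_PRIVS)):
            findings.append(dict(rule="suspicious_privilege", process=proc,
                                 detail=f"{p}: {SUSPICIOUS_PRIVS[p]}"))
    for proc in sorted(procs):
        name, parent = ntpath.basename(proc).lower(), ntpath.dirname(proc).lower()
        if name in MASQUERADE_NAMES and parent not in SYSTEM_BINARY_DIRS:
            findings.append(dict(rule="masquerading_path", process=proc,
                                 detail=f"{name} running from {parent}"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:22} {f['process']}\n{'':22}   {f['detail']}")
```

The masquerading rule is the one that matters most for the rows above: the second process is C:\Windows\svchost.exe, not C:\Windows\System32\svchost.exe, and it is that dropped copy, not the real service host, which enables SeLockMemoryPrivilege. Only the process path distinguishes the two in an EDR query, so filter on the image path rather than on the image name.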

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
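The network table lists every query and flow as its own row. The script below (an added example, not part of the report) aggregates a subset of those rows, copied inline in the report's "Country Destination Domain Proto" layout, into the three buckets an analyst reads differently: forward lookups of one name repeated across a short detonation, reverse (PTR) lookups whose in-addr.arpa names carry the queried address in reversed octet order, and TCP flows to compare against what was resolved. REPEAT_THRESHOLD and NOISE_SUFFIXES are this example's assumptions.

```python
"""Aggregate the sandbox Network table (added example, not report output).

Buckets: repeated forward lookups, decoded PTR targets, TCP flows, and the
flagged names that never produced a TCP session.
"""
import re
from collections import Counter

# Subset of the report's rows (constructed input for this example).
NETWORK_ROWS = """
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 mine.ppxxmr.com udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")

# Names Windows resolves on its own in a clean sandbox; treated as noise (example assumption).
NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")
# Resolving one name this often in a single detonation is a retry loop, not caching (assumption).
REPEAT_THRESHOLD = 5


def ptr_to_ip(name):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209': PTR names list the octets reversed."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def summarize(rows, threshold=REPEAT_THRESHOLD):
    """Bucket report rows into forward-lookup counts, decoded PTR targets and TCP flows."""
    forward, tcp, ptr_ips = Counter(), Counter(), []
    for line in rows.strip().splitlines():
        m = ROW.match(line)
        if not m:
            continue  # malformed row: skip rather than guess
        domain = m["domain"]
        if m["proto"] == "udp" and m["port"] == "53":
            if domain.endswith(".in-addr.arpa"):
                ptr_ips.append(ptr_to_ip(domain))
            else:
                forward[domain] += 1
        elif m["proto"] == "tcp":
            tcp[(m["ip"], int(m["port"]), domain)] += 1
    flagged = sorted(d for d, n in forward.items()
                     if n >= threshold and not d.endswith(NOISE_SUFFIXES))
    # A flagged name with no TCP flow to any peer was resolved (or retried) but never connected.
    unconnected = [d for d in flagged if not any(dom == d for _, _, dom in tcp)]
    return {"forward": forward, "ptr_ips": ptr_ips, "tcp": tcp,
            "flagged": flagged, "unconnected": unconnected}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for name, n in s["forward"].most_common():
        print(f"{n:3} x {name}")
    print("PTR targets:", ", ".join(s["ptr_ips"]))
    print("TCP flows:", dict(s["tcp"]))
    print("flagged:", s["flagged"], "no session:", s["unconnected"])
```

Run over the full table above, the same logic counts 27 queries for mine.ppxxmr.com, 11 PTR lookups, and TCP flows only to 150.171.27.10:443 (tse1.mm.bing.net). The pool name therefore never produced a connection in this detonation, which is consistent with either the name not resolving or the sandbox not letting the stratum session out; in both cases the indicator to block is the DNS name. Decode the PTR targets and check them against the TCP table before treating any of them as attacker infrastructure, since none of them appears as a TCP peer here.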

Files

memory/2236-0-0x0000000000400000-0x0000000000613000-memory.dmp

C:\Windows\svchost.exe

MD5 4a87a4d6677558706db4afaeeeb58d20
SHA1 7738dc6a459f8415f0265d36c626b48202cd6764
SHA256 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512 bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

C:\Program Files\7-Zip\Uninstall.exe

MD5 0f7a8a6ef72805d2501eeb4eb543104f
SHA1 291ba17fa02a80a1300c6e983bf2e7d9d0bea62a
SHA256 67ff9144b28cf7ba1c18bc0e362ddbb5dab72fdb74874445be6f1001d1a46f60
SHA512 0d064bd1f09b80d515aee252d876970a7fd7c2cf8afd55b47a408bd4f7960e9cd9ab433bced33a13c60f53ad6de6419e3457bc9decdc026ec383de72930307d5

C:\Windows\config.json

MD5 88c5c5706d2e237422eda18490dc6a59
SHA1 bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA256 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512 a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

memory/1016-387-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-389-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-392-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-410-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-419-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-421-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-456-0x0000000000400000-0x00000000004DA000-memory.dmp

C:\vcredist2010_x86.log.html

MD5 fe34ca7c069698caddc76e95d7f3c2a5
SHA1 facfeb0b2fd090c323ab8ca5671eb0cddb8eaad9
SHA256 91a2f515ffb47ad040ae21c167d408b71f380835419edd9af496c2adc82f6486
SHA512 b1f3ae75915309537caa0c52fee3a459f0f9324e0d148fc745d6250fb54ef4d92d65bd61b5698648435c5e7c401adb64eb835cac3c1ad8e8b8fb1db276c6628a

memory/1016-528-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-529-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-530-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-531-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-532-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-533-0x0000000000400000-0x00000000004DA000-memory.dmp

memory/1016-534-0x0000000000400000-0x00000000004DA000-memory.dmp