Craig Alda (craig.alda, DESKTOP-JH1UZAE$, HewlettP_1c:47:ae (00:08:02:1c:47:ae), Windows 10) was compromised by IcedID at 00:26 UTC on 13/11/2020 and then by Cobalt Strike at 09:39 UTC the same day. All times below are UTC.
00:26:49: first malicious GET request, 302 redirect to download 3.dll [IcedID]
00:28:05: first traffic to lezasopedrill.cyou at 143.110.191.95:433
00:29:14: last traffic to lezasopedrill.cyou at 143.110.191.95:433
00:30:03: first traffic to timerdisclaimer.tw at 198.211.99.24:433
00:32:12: first traffic to compactmuslimdeport.pw at 198.211.99.24:433 (same IP as timerdisclaimer.tw)
00:33:13: last traffic to timerdisclaimer.tw at 198.211.99.24:433
01:26:XX: syuHKYt/vFPKnDV/VSMecyU.dll last modified
01:28:XX: Users/craig.alda/AppData/Local/Temp/~2457218.tmp last modified
01:29:XX: Users/craig.alda/AppData/Local/Temp/~2559312.dll last modified
01:30:XX: Users/craig.alda/AppData/Roaming/Exijopac/uwsida3/baipuyac.png last modified
01:31:XX: Users/craig.alda/AppData/Roaming/craig.alda/Maaywuku2.dll last modified
01:32:XX: Users/craig.alda/AppData/Local/Temp/sqlite64.dll last modified
09:39:07: download winnit.exe [Cobalt Strike] from 185.141.24.71:80
09:40:12: first GET /update.rss to webintercom76delivery.net at 185.141.24.71:80 (77 total, last 09:49:01)
09:42:35: first POST /submit.php?id=123429382 to webintercom76delivery.net at 185.141.24.71:80 (14 total, last 09:49:01); /submit.php?id=<number> is the POST URI shape of Cobalt Strike's default HTTP profile
09:45:00: 192.168.200.8 begins ping sweeps of 10.0.0.0/24, 192.168.0.0/24 and 192.211.99.0/24
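Added example, not part of the original timeline: a small Python check that takes the hosts, IPs and Cobalt Strike POST URI shape listed above and runs them over proxy-log lines, and additionally flags any (source, host, URI) group that is polled at machine-regular intervals, which is how the 77 GETs to /update.rss in nine minutes would stand out even without a known indicator. The log line format, the sample lines (constructed, not captured traffic), the 5-request minimum and the 0.25 coefficient-of-variation threshold are assumptions of this example; only the indicators come from the timeline.

```python
"""Added example: scan proxy-log lines for the indicators in the timeline above.
Not the original analyst's code.  Hosts, IPs and the POST URI shape come from
the timeline; the log format, sample lines and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators taken from the timeline above.
IOC_HOSTS = {
    "lezasopedrill.cyou", "timerdisclaimer.tw", "compactmuslimdeport.pw",
    "webintercom76delivery.net",
}
IOC_IPS = {"143.110.191.95", "198.211.99.24", "185.141.24.71"}
# POST URI shape of Cobalt Strike's default HTTP profile, as seen at 09:42:35.
CS_POST_RE = re.compile(r"^/submit\.php\?id=\d+$")

# Assumed log format: "<date> <time> <src-ip> <METHOD> <host>:<port> <uri>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+):(?P<port>\d+) (?P<uri>\S+)$"
)

# Constructed sample log: a beacon polling every ~7 s with a little jitter,
# one POST in the default-profile shape, and irregular browsing for contrast.
SAMPLE_LOG = """\
2020-11-13 09:40:12 192.168.200.8 GET webintercom76delivery.net:80 /update.rss
2020-11-13 09:40:19 192.168.200.8 GET webintercom76delivery.net:80 /update.rss
2020-11-13 09:40:27 192.168.200.8 GET webintercom76delivery.net:80 /update.rss
2020-11-13 09:40:34 192.168.200.8 GET webintercom76delivery.net:80 /update.rss
2020-11-13 09:40:40 192.168.200.8 GET webintercom76delivery.net:80 /update.rss
2020-11-13 09:40:47 192.168.200.8 GET webintercom76delivery.net:80 /update.rss
2020-11-13 09:42:35 192.168.200.8 POST webintercom76delivery.net:80 /submit.php?id=123429382
2020-11-13 09:40:15 192.168.200.8 GET www.example.com:443 /
2020-11-13 09:41:02 192.168.200.8 GET www.example.com:443 /
2020-11-13 09:45:40 192.168.200.8 GET www.example.com:443 /
2020-11-13 09:47:10 192.168.200.8 GET www.example.com:443 /
2020-11-13 09:47:11 192.168.200.8 GET www.example.com:443 /
"""


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def ioc_hits(lines):
    """Lines whose destination is one of the listed hosts or IPs."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and (rec["host"] in IOC_HOSTS or rec["host"] in IOC_IPS):
            hits.append(line)
    return hits


def cs_post_hits(lines):
    """POSTs whose URI has the /submit.php?id=<digits> shape."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and CS_POST_RE.match(rec["uri"]):
            hits.append(line)
    return hits


def beacon_candidates(lines, min_requests=5, max_cv=0.25):
    """Flag (src, host, uri) groups polled at near-constant intervals.

    cv = stdev / mean of the gaps between consecutive requests; a low cv means
    machine-regular timing.  Beacons add jitter, so max_cv and min_requests
    are tunable assumptions, not Cobalt Strike constants.
    Returns {key: (request_count, mean_gap_seconds, cv)}.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            groups[(rec["src"], rec["host"], rec["uri"])].append(rec["ts"])
    flagged = {}
    for key, stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = (len(stamps), round(mean, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("IOC hits:", len(ioc_hits(lines)))
    print("CS-style POSTs:", cs_post_hits(lines))
    for key, (n, mean, cv) in beacon_candidates(lines).items():
        print(f"beacon-like: {key} n={n} mean_gap={mean}s cv={cv}")
```

On the sample above the indicator check returns the seven lines to webintercom76delivery.net, the POST check returns the single /submit.php?id= request, and the timing check flags only the /update.rss group (six requests, 7.0 s mean gap, cv about 0.09); the example.com group has five requests but irregular gaps and is not flagged. Against real data, feed it Zeek http.log or proxy export lines reshaped to the assumed format, and expect to raise max_cv for beacons configured with large jitter.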