rhadamanthys | d850df618ed03fd518cb4c52bb09657a2eda865702a0498b965b0279ea73b362

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BrowserUpdate.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/2340-363-0x00007FF76D630000-0x00007FF770EC8000-memory.dmp	xmrig
behavioral2/memory/1392-367-0x00007FF777C50000-0x00007FF77843F000-memory.dmp	xmrig
behavioral2/memory/3228-368-0x00007FF6021C0000-0x00007FF6029AF000-memory.dmp	xmrig
behavioral2/memory/1392-372-0x00007FF777C50000-0x00007FF77843F000-memory.dmp	xmrig
behavioral2/memory/3228-373-0x00007FF6021C0000-0x00007FF6029AF000-memory.dmp	xmrig
behavioral2/memory/1392-376-0x00007FF777C50000-0x00007FF77843F000-memory.dmp	xmrig
behavioral2/memory/3228-381-0x00007FF6021C0000-0x00007FF6029AF000-memory.dmp	xmrig
behavioral2/memory/1392-384-0x00007FF777C50000-0x00007FF77843F000-memory.dmp	xmrig
behavioral2/memory/3228-385-0x00007FF6021C0000-0x00007FF6029AF000-memory.dmp	xmrig

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	n~n8ze1l.exe
File created	C:\Windows\System32\drivers\etc\hosts	q937-vn8.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BrowserUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BrowserUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	Tu[6gheX9k.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	BrowserUpdate.exe

Executes dropped EXE 5 IoCs

pid	Process
3420	n~n8ze1l.exe
4192	Tu[6gheX9k.exe
3220	q937-vn8.exe
1968	BrowserUpdate.exe
2340	updater.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Wine	BrowserUpdate.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Tu[6gheX9k.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google LLC = "C:\\Program Files\\Google\\Chrome\\Application\\BrowserUpdate.exe -l james5453545@protonmail.com"	Tu[6gheX9k.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1968	BrowserUpdate.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe	Tu[6gheX9k.exe
File created	C:\Program Files\Google\Chrome\updater.exe	n~n8ze1l.exe
File created	C:\Program Files\Google\Chrome\updater.exe	q937-vn8.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4552	sc.exe
4180	sc.exe
4376	sc.exe
380	sc.exe
2704	sc.exe
3636	sc.exe
2704	sc.exe
3292	sc.exe
1440	sc.exe
4132	sc.exe
4660	sc.exe
1484	sc.exe
3636	sc.exe
4024	sc.exe
700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4308	file.exe
4308	file.exe
4308	file.exe
4308	file.exe
1572	certreq.exe
1572	certreq.exe
1572	certreq.exe
1572	certreq.exe
3420	n~n8ze1l.exe
3420	n~n8ze1l.exe
3428	powershell.exe
3428	powershell.exe
3420	n~n8ze1l.exe
3420	n~n8ze1l.exe
3420	n~n8ze1l.exe
3420	n~n8ze1l.exe
3420	n~n8ze1l.exe
3420	n~n8ze1l.exe
4148	powershell.exe
4148	powershell.exe
3220	q937-vn8.exe
3220	q937-vn8.exe
2728	powershell.exe
2728	powershell.exe
3220	q937-vn8.exe
3220	q937-vn8.exe
1968	BrowserUpdate.exe
1968	BrowserUpdate.exe
3420	n~n8ze1l.exe
3420	n~n8ze1l.exe
3220	q937-vn8.exe
3220	q937-vn8.exe
3220	q937-vn8.exe
3220	q937-vn8.exe
4684	powershell.exe
4684	powershell.exe
3220	q937-vn8.exe
3220	q937-vn8.exe
2340	updater.exe
2340	updater.exe
2476	powershell.exe
2476	powershell.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
2340	updater.exe
3632	powershell.exe
3632	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeCreatePagefilePrivilege	764	powercfg.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeShutdownPrivilege	3284	powercfg.exe
Token: SeCreatePagefilePrivilege	3284	powercfg.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeCreatePagefilePrivilege	1612	powercfg.exe
Token: SeShutdownPrivilege	3128	powercfg.exe
Token: SeCreatePagefilePrivilege	3128	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4148	powershell.exe
Token: SeSecurityPrivilege	4148	powershell.exe
Token: SeTakeOwnershipPrivilege	4148	powershell.exe
Token: SeLoadDriverPrivilege	4148	powershell.exe
Token: SeSystemProfilePrivilege	4148	powershell.exe
Token: SeSystemtimePrivilege	4148	powershell.exe
Token: SeProfSingleProcessPrivilege	4148	powershell.exe
Token: SeIncBasePriorityPrivilege	4148	powershell.exe
Token: SeCreatePagefilePrivilege	4148	powershell.exe
Token: SeBackupPrivilege	4148	powershell.exe
Token: SeRestorePrivilege	4148	powershell.exe
Token: SeShutdownPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeSystemEnvironmentPrivilege	4148	powershell.exe
Token: SeRemoteShutdownPrivilege	4148	powershell.exe
Token: SeUndockPrivilege	4148	powershell.exe
Token: SeManageVolumePrivilege	4148	powershell.exe
Token: 33	4148	powershell.exe
Token: 34	4148	powershell.exe
Token: 35	4148	powershell.exe
Token: 36	4148	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeIncreaseQuotaPrivilege	4148	powershell.exe
Token: SeSecurityPrivilege	4148	powershell.exe
Token: SeTakeOwnershipPrivilege	4148	powershell.exe
Token: SeLoadDriverPrivilege	4148	powershell.exe
Token: SeSystemProfilePrivilege	4148	powershell.exe
Token: SeSystemtimePrivilege	4148	powershell.exe
Token: SeProfSingleProcessPrivilege	4148	powershell.exe
Token: SeIncBasePriorityPrivilege	4148	powershell.exe
Token: SeCreatePagefilePrivilege	4148	powershell.exe
Token: SeBackupPrivilege	4148	powershell.exe
Token: SeRestorePrivilege	4148	powershell.exe
Token: SeShutdownPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeSystemEnvironmentPrivilege	4148	powershell.exe
Token: SeRemoteShutdownPrivilege	4148	powershell.exe
Token: SeUndockPrivilege	4148	powershell.exe
Token: SeManageVolumePrivilege	4148	powershell.exe
Token: 33	4148	powershell.exe
Token: 34	4148	powershell.exe
Token: 35	4148	powershell.exe
Token: 36	4148	powershell.exe
Token: SeIncreaseQuotaPrivilege	4148	powershell.exe
Token: SeSecurityPrivilege	4148	powershell.exe
Token: SeTakeOwnershipPrivilege	4148	powershell.exe
Token: SeLoadDriverPrivilege	4148	powershell.exe
Token: SeSystemProfilePrivilege	4148	powershell.exe
Token: SeSystemtimePrivilege	4148	powershell.exe
Token: SeProfSingleProcessPrivilege	4148	powershell.exe
Token: SeIncBasePriorityPrivilege	4148	powershell.exe
Token: SeCreatePagefilePrivilege	4148	powershell.exe
Token: SeBackupPrivilege	4148	powershell.exe
Token: SeRestorePrivilege	4148	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1968	BrowserUpdate.exe
1968	BrowserUpdate.exe
1968	BrowserUpdate.exe
1968	BrowserUpdate.exe
1968	BrowserUpdate.exe
1968	BrowserUpdate.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 1572	4308	file.exe	81
PID 4308 wrote to memory of 1572	4308	file.exe	81
PID 4308 wrote to memory of 1572	4308	file.exe	81
PID 4308 wrote to memory of 1572	4308	file.exe	81
PID 4192 wrote to memory of 1968	4192	Tu[6gheX9k.exe	88
PID 4192 wrote to memory of 1968	4192	Tu[6gheX9k.exe	88
PID 4192 wrote to memory of 1968	4192	Tu[6gheX9k.exe	88
PID 3048 wrote to memory of 3636	3048	cmd.exe	137
PID 3048 wrote to memory of 3636	3048	cmd.exe	137
PID 3048 wrote to memory of 2704	3048	cmd.exe	131
PID 3048 wrote to memory of 2704	3048	cmd.exe	131
PID 3048 wrote to memory of 3292	3048	cmd.exe	135
PID 3048 wrote to memory of 3292	3048	cmd.exe	135
PID 3048 wrote to memory of 4552	3048	cmd.exe	95
PID 3048 wrote to memory of 4552	3048	cmd.exe	95
PID 3048 wrote to memory of 4180	3048	cmd.exe	100
PID 3048 wrote to memory of 4180	3048	cmd.exe	100
PID 4504 wrote to memory of 764	4504	cmd.exe	101
PID 4504 wrote to memory of 764	4504	cmd.exe	101
PID 4504 wrote to memory of 3284	4504	cmd.exe	102
PID 4504 wrote to memory of 3284	4504	cmd.exe	102
PID 4504 wrote to memory of 1612	4504	cmd.exe	142
PID 4504 wrote to memory of 1612	4504	cmd.exe	142
PID 4504 wrote to memory of 3128	4504	cmd.exe	143
PID 4504 wrote to memory of 3128	4504	cmd.exe	143
PID 2096 wrote to memory of 4376	2096	cmd.exe	109
PID 2096 wrote to memory of 4376	2096	cmd.exe	109
PID 2096 wrote to memory of 4024	2096	cmd.exe	110
PID 2096 wrote to memory of 4024	2096	cmd.exe	110
PID 2096 wrote to memory of 1440	2096	cmd.exe	111
PID 2096 wrote to memory of 1440	2096	cmd.exe	111
PID 2096 wrote to memory of 380	2096	cmd.exe	112
PID 2096 wrote to memory of 380	2096	cmd.exe	112
PID 2096 wrote to memory of 700	2096	cmd.exe	113
PID 2096 wrote to memory of 700	2096	cmd.exe	113
PID 4984 wrote to memory of 2008	4984	cmd.exe	121
PID 4984 wrote to memory of 2008	4984	cmd.exe	121
PID 4984 wrote to memory of 412	4984	cmd.exe	122
PID 4984 wrote to memory of 412	4984	cmd.exe	122
PID 4984 wrote to memory of 2856	4984	cmd.exe	123
PID 4984 wrote to memory of 2856	4984	cmd.exe	123
PID 4984 wrote to memory of 4612	4984	cmd.exe	124
PID 4984 wrote to memory of 4612	4984	cmd.exe	124
PID 3800 wrote to memory of 1484	3800	cmd.exe	141
PID 3800 wrote to memory of 1484	3800	cmd.exe	141
PID 3800 wrote to memory of 4660	3800	cmd.exe	139
PID 3800 wrote to memory of 4660	3800	cmd.exe	139
PID 3800 wrote to memory of 4132	3800	cmd.exe	138
PID 3800 wrote to memory of 4132	3800	cmd.exe	138
PID 3800 wrote to memory of 3636	3800	cmd.exe	137
PID 3800 wrote to memory of 3636	3800	cmd.exe	137
PID 3800 wrote to memory of 2704	3800	cmd.exe	131
PID 3800 wrote to memory of 2704	3800	cmd.exe	131
PID 3292 wrote to memory of 3644	3292	cmd.exe	136
PID 3292 wrote to memory of 3644	3292	cmd.exe	136
PID 3292 wrote to memory of 1632	3292	cmd.exe	140
PID 3292 wrote to memory of 1632	3292	cmd.exe	140
PID 3292 wrote to memory of 1612	3292	cmd.exe	142
PID 3292 wrote to memory of 1612	3292	cmd.exe	142
PID 3292 wrote to memory of 3128	3292	cmd.exe	143
PID 3292 wrote to memory of 3128	3292	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3172
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4308
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3636
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3292
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4552
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjciy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3284
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4376
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4024
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1440
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:380
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:700
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2692
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2008
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:412
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2856
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zmjvgdgm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3636
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4132
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4660
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjciy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3644
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1632
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1464
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1392
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3228

C:\Users\Admin\AppData\Local\Microsoft\n~n8ze1l.exe
"C:\Users\Admin\AppData\Local\Microsoft\n~n8ze1l.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3420

C:\Users\Admin\AppData\Local\Microsoft\Tu[6gheX9k.exe
"C:\Users\Admin\AppData\Local\Microsoft\Tu[6gheX9k.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe
  "C:\Program Files\Google\Chrome\Application\BrowserUpdate.exe" -l james5453545@protonmail.com
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1968

C:\Users\Admin\AppData\Local\Microsoft\q937-vn8.exe
"C:\Users\Admin\AppData\Local\Microsoft\q937-vn8.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3220

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2340

Network

DNS

18.11.98.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.11.98.141.in-addr.arpa

IN PTR

Response

18.11.98.141.in-addr.arpa

IN PTR

squeamishwoinstacom
DNS

62.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

62.13.109.52.in-addr.arpa

IN PTR

Response
DNS

api.peer2profit.global

BrowserUpdate.exe

Remote address:

8.8.8.8:53

Request

api.peer2profit.global

IN A

Response

api.peer2profit.global

IN A

104.26.9.6

api.peer2profit.global

IN A

172.67.69.54

api.peer2profit.global

IN A

104.26.8.6
DNS

6.9.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.9.26.104.in-addr.arpa

IN PTR

Response
DNS

46.72.251.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.72.251.87.in-addr.arpa

IN PTR

Response

46.72.251.87.in-addr.arpa

IN PTR

devops-zbrexamplecom
DNS

xmr.2miners.com

Remote address:

8.8.8.8:53

Request

xmr.2miners.com

IN A

Response

xmr.2miners.com

IN A

162.19.139.184
DNS

46.72.251.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.72.251.87.in-addr.arpa

IN PTR

Response

46.72.251.87.in-addr.arpa

IN PTR

devops-zbrexamplecom
DNS

184.139.19.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

184.139.19.162.in-addr.arpa

IN PTR

Response

184.139.19.162.in-addr.arpa

IN PTR

p062minerscom
DNS

fp.check.peer2profit.site

Remote address:

8.8.8.8:53

Request

fp.check.peer2profit.site

IN A

Response

fp.check.peer2profit.site

IN A

162.19.176.4
DNS

github.com

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

140.82.112.4
DNS

www.wikipedia.org

Remote address:

8.8.8.8:53

Request

www.wikipedia.org

IN A

Response

www.wikipedia.org

IN CNAME

dyna.wikimedia.org

dyna.wikimedia.org

IN A

208.80.154.224
DNS

twitter.com

Remote address:

8.8.8.8:53

Request

twitter.com

IN A

Response

twitter.com

IN A

104.244.42.129

twitter.com

IN A

104.244.42.1

twitter.com

IN A

104.244.42.193

twitter.com

IN A

104.244.42.65
DNS

en.wikipedia.org

Remote address:

8.8.8.8:53

Request

en.wikipedia.org

IN A

Response

en.wikipedia.org

IN CNAME

dyna.wikimedia.org

dyna.wikimedia.org

IN A

208.80.154.224
DNS

4.176.19.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.176.19.162.in-addr.arpa

IN PTR

Response

4.176.19.162.in-addr.arpa

IN PTR

ip4 ip-162-19-176eu
DNS

206.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.179.250.142.in-addr.arpa

IN PTR

Response

206.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f141e100net
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
DNS

129.42.244.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.42.244.104.in-addr.arpa

IN PTR

Response
DNS

4.112.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.112.82.140.in-addr.arpa

IN PTR

Response

4.112.82.140.in-addr.arpa

IN PTR

lb-140-82-112-4-iadgithubcom
DNS

224.154.80.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.154.80.208.in-addr.arpa

IN PTR

Response

224.154.80.208.in-addr.arpa

IN PTR

text-lbeqiad wikimediaorg
DNS

api.blocklist.de

Remote address:

8.8.8.8:53

Request

api.blocklist.de

IN A

Response

api.blocklist.de

IN A

185.21.103.31
GET

http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

Remote address:

185.21.103.31:80

Request

GET http://api.blocklist.de/api.php?ip=154.61.71.13&start=1 HTTP/1.1
Host: api.blocklist.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 22 Jun 2023 05:42:20 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 46
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Thu, 22 Jun 2023 05:27:20 GMT
Cache-Control: private, max-age=1687411640, pre-check=86400
Last-Modified: Thu, 22 Jun 2023 05:42:18 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
X-Frame-Options: sameorigin
Cache-Control: public
DNS

31.103.21.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.103.21.185.in-addr.arpa

IN PTR

Response

31.103.21.185.in-addr.arpa

IN PTR

webserver3 blocklistde
DNS

otx.alienvault.com

Remote address:

8.8.8.8:53

Request

otx.alienvault.com

IN A

Response

otx.alienvault.com

IN A

108.156.60.62

otx.alienvault.com

IN A

108.156.60.87

otx.alienvault.com

IN A

108.156.60.81

otx.alienvault.com

IN A

108.156.60.60
DNS

www.threatcrowd.org

Remote address:

8.8.8.8:53

Request

www.threatcrowd.org

IN A

Response

www.threatcrowd.org

IN CNAME

prod-otxb-threatcrowd.otxb.io

prod-otxb-threatcrowd.otxb.io

IN CNAME

prod-ecsel-o1gfruenxfub-825410333.us-west-2.elb.amazonaws.com

prod-ecsel-o1gfruenxfub-825410333.us-west-2.elb.amazonaws.com

IN A

44.237.49.181
DNS

62.60.156.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

62.60.156.108.in-addr.arpa

IN PTR

Response

62.60.156.108.in-addr.arpa

IN PTR

server-108-156-60-62ams1r cloudfrontnet
DNS

181.49.237.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.49.237.44.in-addr.arpa

IN PTR

Response

181.49.237.44.in-addr.arpa

IN PTR

ec2-44-237-49-181 us-west-2compute amazonawscom
DNS

fp-4.check.peer2profit.site

Remote address:

8.8.8.8:53

Request

fp-4.check.peer2profit.site

IN A

Response

fp-4.check.peer2profit.site

IN A

51.79.216.136
DNS

ubuntu.com

Remote address:

8.8.8.8:53

Request

ubuntu.com

IN A

Response

ubuntu.com

IN A

185.125.190.20

ubuntu.com

IN A

185.125.190.21

ubuntu.com

IN A

185.125.190.29
DNS

one.one.one.one

Remote address:

8.8.8.8:53

Request

one.one.one.one

IN A

Response

one.one.one.one

IN A

1.0.0.1

one.one.one.one

IN A

1.1.1.1
DNS

twitch.tv

Remote address:

8.8.8.8:53

Request

twitch.tv

IN A

Response

twitch.tv

IN A

151.101.66.167

twitch.tv

IN A

151.101.2.167

twitch.tv

IN A

151.101.130.167

twitch.tv

IN A

151.101.194.167
DNS

www.twitch.tv

Remote address:

8.8.8.8:53

Request

www.twitch.tv

IN A

Response

www.twitch.tv

IN CNAME

twitch.map.fastly.net

twitch.map.fastly.net

IN A

199.232.150.167
DNS

136.216.79.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.216.79.51.in-addr.arpa

IN PTR

Response

136.216.79.51.in-addr.arpa

IN PTR

ip136ip-51-79-216net
DNS

20.190.125.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.190.125.185.in-addr.arpa

IN PTR

Response

20.190.125.185.in-addr.arpa

IN PTR

website-content-cache-1ps5 canonicalcom
DNS

167.66.101.151.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.66.101.151.in-addr.arpa

IN PTR

Response
DNS

1.0.0.1.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.0.0.1.in-addr.arpa

IN PTR

Response

1.0.0.1.in-addr.arpa

IN PTR

oneoneoneone
DNS

167.150.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.150.232.199.in-addr.arpa

IN PTR

Response

141.98.11.18:5351

tls

file.exe

34.2kB
2.0MB
721
1433
52.168.117.170:443

322 B
7
141.98.11.18:5351

tls

certreq.exe

72.1kB
4.3kB
66
41
141.98.11.18:5351

tls

certreq.exe

2.2MB
123.3MB
46370
88152
96.16.110.41:443

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
104.26.9.6:443

api.peer2profit.global

tls

BrowserUpdate.exe

1.2kB
3.6kB
8
9
87.251.72.46:443

https

1.7kB
4.2kB
33
50
162.19.139.184:12222

xmr.2miners.com

tls

1.4kB
7.2kB
9
11
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
162.19.176.4:443

fp.check.peer2profit.site

tls

939 B
5.4kB
10
12
87.251.72.46:443

https

5.7kB
1.1kB
13
15
87.251.72.46:443

https

8.2kB
1.2kB
13
15
208.80.154.224:443

www.wikipedia.org

tls

1.2kB
7.7kB
13
12
140.82.112.4:443

github.com

tls

1.0kB
4.5kB
12
10
87.251.72.46:443

https

5.7kB
1.0kB
11
13
104.244.42.129:443

twitter.com

tls

1.1kB
3.7kB
12
10
87.251.72.46:443

https

3.9kB
1.0kB
10
12
87.251.72.46:443

https

4.8kB
1.0kB
11
12
87.251.72.46:443

https

7.9kB
1.2kB
13
15
208.80.154.224:443

en.wikipedia.org

tls

1.2kB
7.7kB
12
12
87.251.72.46:443

https

8.0kB
1.2kB
13
15
162.19.176.4:443

fp.check.peer2profit.site

tls

978 B
5.4kB
11
12
87.251.72.46:443

https

5.8kB
1.1kB
14
16
185.21.103.31:80

http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

http

481 B
643 B
6
4

HTTP Request

GET http://api.blocklist.de/api.php?ip=154.61.71.13&start=1

HTTP Response

200
87.251.72.46:443

https

993 B
256 B
7
6
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
108.156.60.62:443

otx.alienvault.com

tls

1.2kB
9.7kB
13
15
87.251.72.46:443

https

9.9kB
1.3kB
15
17
44.237.49.181:443

www.threatcrowd.org

tls

774 B
5.9kB
11
12
87.251.72.46:443

https

6.1kB
770 B
11
12
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
51.79.216.136:443

fp-4.check.peer2profit.site

tls

1.0kB
5.2kB
10
10
87.251.72.46:443

https

5.6kB
1.1kB
14
14
185.125.190.20:443

ubuntu.com

tls

1.1kB
6.6kB
13
12
208.80.154.224:443

www.wikipedia.org

tls

1.2kB
7.7kB
14
12
87.251.72.46:443

https

6.8kB
1.1kB
13
15
151.101.66.167:443

twitch.tv

tls

981 B
5.7kB
10
11
87.251.72.46:443

https

5.9kB
1.0kB
12
12
1.0.0.1:443

one.one.one.one

tls

1.0kB
6.0kB
11
9
87.251.72.46:443

https

6.3kB
1.1kB
12
14
87.251.72.46:443

https

8.2kB
1.2kB
13
15
199.232.150.167:443

www.twitch.tv

tls

1.1kB
6.2kB
11
13
87.251.72.46:443

https

6.0kB
1.2kB
12
14
87.251.72.46:443

https

7.9kB
1.2kB
13
15
208.80.154.224:443

en.wikipedia.org

tls

1.2kB
7.7kB
13
12
87.251.72.46:443

https

8.0kB
1.3kB
14
16
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11
162.19.139.184:12222

xmr.2miners.com

tls

1.1kB
7.3kB
9
11

8.8.8.8:53

18.11.98.141.in-addr.arpa

dns

71 B
106 B
1
1

DNS Request

18.11.98.141.in-addr.arpa
8.8.8.8:53

62.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

62.13.109.52.in-addr.arpa
8.8.8.8:53

api.peer2profit.global

dns

BrowserUpdate.exe

68 B
116 B
1
1

DNS Request

api.peer2profit.global

DNS Response

104.26.9.6

172.67.69.54

104.26.8.6
8.8.8.8:53

6.9.26.104.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

6.9.26.104.in-addr.arpa
8.8.8.8:53

46.72.251.87.in-addr.arpa

dns

71 B
107 B
1
1

DNS Request

46.72.251.87.in-addr.arpa
8.8.8.8:53

xmr.2miners.com

dns

61 B
77 B
1
1

DNS Request

xmr.2miners.com

DNS Response

162.19.139.184
8.8.8.8:53

46.72.251.87.in-addr.arpa

dns

71 B
107 B
1
1

DNS Request

46.72.251.87.in-addr.arpa
8.8.8.8:53

184.139.19.162.in-addr.arpa

dns

73 B
102 B
1
1

DNS Request

184.139.19.162.in-addr.arpa
8.8.8.8:53

fp.check.peer2profit.site

dns

71 B
87 B
1
1

DNS Request

fp.check.peer2profit.site

DNS Response

162.19.176.4
8.8.8.8:53

github.com

dns

56 B
72 B
1
1

DNS Request

github.com

DNS Response

140.82.112.4
8.8.8.8:53

www.wikipedia.org

dns

63 B
108 B
1
1

DNS Request

www.wikipedia.org

DNS Response

208.80.154.224
8.8.8.8:53

twitter.com

dns

57 B
121 B
1
1

DNS Request

twitter.com

DNS Response

104.244.42.129

104.244.42.1

104.244.42.193

104.244.42.65
8.8.8.8:53

en.wikipedia.org

dns

62 B
107 B
1
1

DNS Request

en.wikipedia.org

DNS Response

208.80.154.224
8.8.8.8:53

4.176.19.162.in-addr.arpa

dns

71 B
105 B
1
1

DNS Request

4.176.19.162.in-addr.arpa
8.8.8.8:53

206.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.179.250.142.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
8.8.8.8:53

129.42.244.104.in-addr.arpa

dns

73 B
73 B
1
1

DNS Request

129.42.244.104.in-addr.arpa
8.8.8.8:53

4.112.82.140.in-addr.arpa

dns

71 B
115 B
1
1

DNS Request

4.112.82.140.in-addr.arpa
8.8.8.8:53

224.154.80.208.in-addr.arpa

dns

73 B
114 B
1
1

DNS Request

224.154.80.208.in-addr.arpa
8.8.8.8:53

api.blocklist.de

dns

62 B
78 B
1
1

DNS Request

api.blocklist.de

DNS Response

185.21.103.31
8.8.8.8:53

31.103.21.185.in-addr.arpa

dns

72 B
109 B
1
1

DNS Request

31.103.21.185.in-addr.arpa
8.8.8.8:53

otx.alienvault.com

dns

64 B
128 B
1
1

DNS Request

otx.alienvault.com

DNS Response

108.156.60.62

108.156.60.87

108.156.60.81

108.156.60.60
8.8.8.8:53

www.threatcrowd.org

dns

65 B
199 B
1
1

DNS Request

www.threatcrowd.org

DNS Response

44.237.49.181
8.8.8.8:53

62.60.156.108.in-addr.arpa

dns

72 B
128 B
1
1

DNS Request

62.60.156.108.in-addr.arpa
8.8.8.8:53

181.49.237.44.in-addr.arpa

dns

72 B
135 B
1
1

DNS Request

181.49.237.44.in-addr.arpa
8.8.8.8:53

fp-4.check.peer2profit.site

dns

73 B
89 B
1
1

DNS Request

fp-4.check.peer2profit.site

DNS Response

51.79.216.136
8.8.8.8:53

ubuntu.com

dns

56 B
104 B
1
1

DNS Request

ubuntu.com

DNS Response

185.125.190.20

185.125.190.21

185.125.190.29
8.8.8.8:53

one.one.one.one

dns

61 B
93 B
1
1

DNS Request

one.one.one.one

DNS Response

1.0.0.1

1.1.1.1
8.8.8.8:53

twitch.tv

dns

55 B
119 B
1
1

DNS Request

twitch.tv

DNS Response

151.101.66.167

151.101.2.167

151.101.130.167

151.101.194.167
8.8.8.8:53

www.twitch.tv

dns

59 B
110 B
1
1

DNS Request

www.twitch.tv

DNS Response

199.232.150.167
8.8.8.8:53

136.216.79.51.in-addr.arpa

dns

72 B
108 B
1
1

DNS Request

136.216.79.51.in-addr.arpa
8.8.8.8:53

20.190.125.185.in-addr.arpa

dns

73 B
128 B
1
1

DNS Request

20.190.125.185.in-addr.arpa
8.8.8.8:53

167.66.101.151.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

167.66.101.151.in-addr.arpa
8.8.8.8:53

1.0.0.1.in-addr.arpa

dns

66 B
95 B
1
1

DNS Request

1.0.0.1.in-addr.arpa
8.8.8.8:53

167.150.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

167.150.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion