ef3644eb27b632bb6485a17d76a6edaf889a3af05f673513095cf4f6e3d357f0

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Medal = "\"C:\\Users\\Admin\\AppData\\Local\\Medal\\update.exe\" --processStart \"Medal.exe\""	reg.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Medal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Medal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Medal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Medal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Medal.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
6660	powershell.exe
6528	powershell.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
7108	tasklist.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 22 IoCs

pid	Process
1160	Update.exe
1464	Squirrel.exe
1656	Medal.exe
560	Medal.exe
2256	Update.exe
2892	Medal.exe
2080	Medal.exe
2016	Medal.exe
3932	Medal.exe
4092	Medal.exe
856	Medal.exe
4592	Medal.exe
3516	Medal.exe
4476	Medal.exe
1560	ffmpeg.exe
6068	Medal.exe
6080	Medal.exe
7068	ffmpeg.exe
6972	Medal.exe
4592	MedalEncoder.exe
6792	crashpad_handler.exe
7092	Medal.exe

Loads dropped DLL 43 IoCs

pid	Process
1656	Medal.exe
560	Medal.exe
2892	Medal.exe
2080	Medal.exe
2892	Medal.exe
2892	Medal.exe
2892	Medal.exe
2892	Medal.exe
2016	Medal.exe
3932	Medal.exe
4092	Medal.exe
856	Medal.exe
4092	Medal.exe
4092	Medal.exe
4092	Medal.exe
4092	Medal.exe
4592	Medal.exe
3516	Medal.exe
4476	Medal.exe
3516	Medal.exe
3516	Medal.exe
3516	Medal.exe
3516	Medal.exe
3516	Medal.exe
6068	Medal.exe
6080	Medal.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
7092	Medal.exe
7092	Medal.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MedalSetup.MjQzNjI1NDE1LDEsbm9yZWY=.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Medal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Medal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Medal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Medal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Medal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Medal.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Medal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Medal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Medal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684275092604751"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\medal\URL Protocol	Medal.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\medal\shell\open\command	Medal.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\medal\shell	Medal.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{BD3D8B58-126F-4698-9146-E4339089428D}	MedalEncoder.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\medal	Medal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\medal\ = "URL:medal"	Medal.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\medal\shell\open	Medal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\medal\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Medal\\app-4.2488.0\\Medal.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Medal\\app-4.2488.0\\--squirrel-firstrun\" \"%1\""	Medal.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{6A22630C-CCC1-4696-BD1C-B882AF7BBDC0}	Medal.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

pid	Process
556	reg.exe
4004	reg.exe
1208	reg.exe
4036	reg.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Medal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Medal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Medal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Medal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Medal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Medal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Medal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Medal.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Medal.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6836	WINWORD.EXE
6836	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	Medal.exe
1656	Medal.exe
1656	Medal.exe
1656	Medal.exe
1160	Update.exe
1160	Update.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
3516	Medal.exe
3516	Medal.exe
3516	Medal.exe
3516	Medal.exe
4476	Medal.exe
4476	Medal.exe
4476	Medal.exe
4476	Medal.exe
2408	chrome.exe
2408	chrome.exe
6660	powershell.exe
6660	powershell.exe
6660	powershell.exe
5024	powershell.exe
5024	powershell.exe
5024	powershell.exe
6528	powershell.exe
6528	powershell.exe
6528	powershell.exe
6972	Medal.exe
6972	Medal.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe
4592	MedalEncoder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: 36	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4804	WMIC.exe
Token: SeSecurityPrivilege	4804	WMIC.exe
Token: SeTakeOwnershipPrivilege	4804	WMIC.exe
Token: SeLoadDriverPrivilege	4804	WMIC.exe
Token: SeSystemProfilePrivilege	4804	WMIC.exe
Token: SeSystemtimePrivilege	4804	WMIC.exe
Token: SeProfSingleProcessPrivilege	4804	WMIC.exe
Token: SeIncBasePriorityPrivilege	4804	WMIC.exe
Token: SeCreatePagefilePrivilege	4804	WMIC.exe
Token: SeBackupPrivilege	4804	WMIC.exe
Token: SeRestorePrivilege	4804	WMIC.exe
Token: SeShutdownPrivilege	4804	WMIC.exe
Token: SeDebugPrivilege	4804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4804	WMIC.exe
Token: SeRemoteShutdownPrivilege	4804	WMIC.exe
Token: SeUndockPrivilege	4804	WMIC.exe
Token: SeManageVolumePrivilege	4804	WMIC.exe
Token: 33	4804	WMIC.exe
Token: 34	4804	WMIC.exe
Token: 35	4804	WMIC.exe
Token: 36	4804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4804	WMIC.exe
Token: SeSecurityPrivilege	4804	WMIC.exe
Token: SeTakeOwnershipPrivilege	4804	WMIC.exe
Token: SeLoadDriverPrivilege	4804	WMIC.exe
Token: SeSystemProfilePrivilege	4804	WMIC.exe
Token: SeSystemtimePrivilege	4804	WMIC.exe
Token: SeProfSingleProcessPrivilege	4804	WMIC.exe
Token: SeIncBasePriorityPrivilege	4804	WMIC.exe
Token: SeCreatePagefilePrivilege	4804	WMIC.exe
Token: SeBackupPrivilege	4804	WMIC.exe
Token: SeRestorePrivilege	4804	WMIC.exe
Token: SeShutdownPrivilege	4804	WMIC.exe
Token: SeDebugPrivilege	4804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4804	WMIC.exe
Token: SeRemoteShutdownPrivilege	4804	WMIC.exe
Token: SeUndockPrivilege	4804	WMIC.exe
Token: SeManageVolumePrivilege	4804	WMIC.exe
Token: 33	4804	WMIC.exe
Token: 34	4804	WMIC.exe
Token: 35	4804	WMIC.exe
Token: 36	4804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1160	Update.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2408	chrome.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe
2016	Medal.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4592	MedalEncoder.exe
4592	MedalEncoder.exe
6836	WINWORD.EXE
6836	WINWORD.EXE
6836	WINWORD.EXE
6836	WINWORD.EXE
6836	WINWORD.EXE
6836	WINWORD.EXE
6836	WINWORD.EXE
6836	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1160	4204	MedalSetup.MjQzNjI1NDE1LDEsbm9yZWY=.exe	88
PID 4204 wrote to memory of 1160	4204	MedalSetup.MjQzNjI1NDE1LDEsbm9yZWY=.exe	88
PID 1160 wrote to memory of 1464	1160	Update.exe	94
PID 1160 wrote to memory of 1464	1160	Update.exe	94
PID 1160 wrote to memory of 1656	1160	Update.exe	96
PID 1160 wrote to memory of 1656	1160	Update.exe	96
PID 1656 wrote to memory of 560	1656	Medal.exe	98
PID 1656 wrote to memory of 560	1656	Medal.exe	98
PID 1656 wrote to memory of 4576	1656	Medal.exe	99
PID 1656 wrote to memory of 4576	1656	Medal.exe	99
PID 1656 wrote to memory of 1172	1656	Medal.exe	100
PID 1656 wrote to memory of 1172	1656	Medal.exe	100
PID 1172 wrote to memory of 2648	1172	cmd.exe	103
PID 1172 wrote to memory of 2648	1172	cmd.exe	103
PID 4576 wrote to memory of 4804	4576	cmd.exe	104
PID 4576 wrote to memory of 4804	4576	cmd.exe	104
PID 1656 wrote to memory of 2800	1656	Medal.exe	105
PID 1656 wrote to memory of 2800	1656	Medal.exe	105
PID 2800 wrote to memory of 768	2800	cmd.exe	107
PID 2800 wrote to memory of 768	2800	cmd.exe	107
PID 1656 wrote to memory of 2256	1656	Medal.exe	108
PID 1656 wrote to memory of 2256	1656	Medal.exe	108
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2892	1656	Medal.exe	109
PID 1656 wrote to memory of 2080	1656	Medal.exe	110
PID 1656 wrote to memory of 2080	1656	Medal.exe	110
PID 1160 wrote to memory of 2016	1160	Update.exe	114

C:\Users\Admin\AppData\Local\Temp\MedalSetup.MjQzNjI1NDE1LDEsbm9yZWY=.exe
"C:\Users\Admin\AppData\Local\Temp\MedalSetup.MjQzNjI1NDE1LDEsbm9yZWY=.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Squirrel.exe
    "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1464
- - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
    "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --squirrel-install 4.2488.0
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Medal /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Medal\Crashpad --url=https://f.a.k/e --annotation=_productName=Medal --annotation=_version=4.2488.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=22.3.27 --initial-client-data=0x514,0x51c,0x520,0x4e8,0x524,0x7ff7da001898,0x7ff7da0018a8,0x7ff7da0018b8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CsProduct Get UUID
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController
        5⤵
        
        PID:768
  - - C:\Users\Admin\AppData\Local\Medal\Update.exe
      C:\Users\Admin\AppData\Local\Medal\Update.exe --createShortcut=Medal.exe
      4⤵
      Executes dropped EXE
      PID:2256
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 --field-trial-handle=2068,i,19200980108495263,12171143700140778242,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2892
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2232 --field-trial-handle=2068,i,19200980108495263,12171143700140778242,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2080
- - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
    "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --squirrel-firstrun
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2016
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Medal /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Medal\Crashpad --url=https://f.a.k/e --annotation=_productName=Medal --annotation=_version=4.2488.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=22.3.27 --initial-client-data=0x500,0x508,0x50c,0x4dc,0x510,0x7ff7da001898,0x7ff7da0018a8,0x7ff7da0018b8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController"
      4⤵
      PID:4220
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController
        5⤵
        
        PID:744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
      4⤵
      PID:3668
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CsProduct Get UUID
        5⤵
        
        PID:1760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController"
      4⤵
      PID:456
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController
        5⤵
        
        PID:868
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4092
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --standard-schemes=medal --secure-schemes=medal,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2176 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:856
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --standard-schemes=medal --secure-schemes=medal,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=com.squirrel.medal.medal --app-path="C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\resources\app" --no-sandbox --no-zygote --first-renderer-process --autoplay-policy=no-user-gesture-required --force-color-profile=srgb --js-flags="--max-old-space-size=8192 --max_old_space_size=8192" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3572 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --renderer_name=splash /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4592
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Medal
      4⤵
      Modifies registry key
      PID:556
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Medal /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Medal\update.exe\" --processStart \"Medal.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic datafile where name="C:\\Users\\Admin\\AppData\\Local\\Medal\\recorder-3.877.0-backup\\MedalEncoder.exe" get Version"
      4⤵
      PID:768
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic datafile where name="C:\\Users\\Admin\\AppData\\Local\\Medal\\recorder-3.877.0-backup\\MedalEncoder.exe" get Version
        5⤵
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --standard-schemes=medal --secure-schemes=medal,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=com.squirrel.medal.medal --app-path="C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\resources\app" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --force-color-profile=srgb --js-flags="--max-old-space-size=8192 --max_old_space_size=8192" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4492 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --renderer_name=bridge /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
        5⤵
        
        PID:4848
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CsProduct Get UUID
        6⤵
        
        PID:4916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic datafile where name="C:\\Users\\Admin\\AppData\\Local\\Medal\\recorder-3.877.0-backup\\MedalEncoder.exe" get Version"
        5⤵
        
        PID:2528
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic datafile where name="C:\\Users\\Admin\\AppData\\Local\\Medal\\recorder-3.877.0-backup\\MedalEncoder.exe" get Version
        6⤵
        
        PID:464
    - - C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\ffmpeg.exe
        
        "C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\ffmpeg.exe" -hide_banner -f lavfi -i nullsrc -c:v h264_nvenc -gpu list -f null -
        5⤵
        Executes dropped EXE
        
        PID:1560
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\SOFTWARE\Medialooks\MFormats\MFFactory\MLLog /v log.modules /t REG_SZ /d "" /f
      4⤵
      Modifies registry key
      PID:1208
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\SOFTWARE\Medialooks\MFormats\MFFactory\MLLog /v log.path /t REG_SZ /d "" /f
      4⤵
      Modifies registry key
      PID:4036
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --standard-schemes=medal --secure-schemes=medal,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=com.squirrel.medal.medal --app-path="C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\resources\app" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --force-color-profile=srgb --js-flags="--max-old-space-size=8192 --max_old_space_size=8192" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4536 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --renderer_name=main /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
        5⤵
        
        PID:3908
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CsProduct Get UUID
        6⤵
        
        PID:4720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "wmic datafile where name="C:\\Users\\Admin\\AppData\\Local\\Medal\\recorder-3.877.0-backup\\MedalEncoder.exe" get Version"
        5⤵
        
        PID:5396
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic datafile where name="C:\\Users\\Admin\\AppData\\Local\\Medal\\recorder-3.877.0-backup\\MedalEncoder.exe" get Version
        6⤵
        
        PID:5904
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --standard-schemes=medal --secure-schemes=medal,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=4516 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6068
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --standard-schemes=medal --secure-schemes=medal,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=5056 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:6080
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic /NAMESPACE:\\root\CIMV2 /NODE:'localhost' path Win32_PageFileUsage get /FORMAT:rawxml
      4⤵
      PID:6000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full""
      4⤵
      PID:6308
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
        5⤵
        
        PID:6580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd /c query session"
      4⤵
      PID:6316
    - - C:\Windows\system32\cmd.exe
        
        cmd /c query session
        5⤵
        
        PID:6572
      - C:\Windows\system32\query.exe
        
        query session
        6⤵
        
        PID:6628
        
        C:\Windows\system32\qwinsta.exe
        
        "C:\Windows\system32\qwinsta.exe"
        7⤵
        
        PID:6688
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:6324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Get-CimInstance -ClassName Win32_LogicalDisk | Select-Object Caption, FreeSpace, Size"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\ffmpeg.exe" -version"
      4⤵
      PID:6808
    - - C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\ffmpeg.exe
        
        "C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\ffmpeg.exe" -version
        5⤵
        Executes dropped EXE
        
        PID:7068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist /fi "imagename eq MedalEncoder.exe" /fo csv"
      4⤵
      PID:6984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq MedalEncoder.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:7108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5024
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-MpComputerStatus | Out-File -Encoding utf8 -FilePath C:\Users\Admin\AppData\Local\Medal\Temp\c9923b5e.txt"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access""
      4⤵
      PID:6736
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access"
        5⤵
        
        PID:6772
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\resources\app\Medal.exe
      C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\resources\app\Medal.exe C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\resources\app\Medal.exe C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\MedalEncoder.exe C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\resources\app\suicide.lock 02dc7210-6d45-4dce-b466-d6cef22aa81b
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:6972
    - - C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\MedalEncoder.exe
        
        "C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\MedalEncoder.exe" soundOffset=
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4592
      - C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\DLLs\crashpad_handler.exe
        
        C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\DLLs\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\sentry-db --metrics-dir=C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\sentry-db --url=https://o150878.ingest.sentry.io:443/api/1509393/minidump/?sentry_client=sentry.native/0.7.6&sentry_key=f2ea4e2bebb44129b30402d5b4076fd5 --attachment=C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\sentry-db\4b64e914-42fa-40e1-70e3-dda75d63d367.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\sentry-db\4b64e914-42fa-40e1-70e3-dda75d63d367.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\Medal\recorder-3.877.0-backup\sentry-db\4b64e914-42fa-40e1-70e3-dda75d63d367.run\__sentry-breadcrumb2 --initial-client-data=0xea0,0xea4,0xea8,0xe9c,0xeac,0x7fff880e9e40,0x7fff880e9e58,0x7fff880e9e70
        6⤵
        Executes dropped EXE
        
        PID:6792
  - - C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe
      "C:\Users\Admin\AppData\Local\Medal\app-4.2488.0\Medal.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Medal" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3836 --field-trial-handle=1984,i,10797056641185586393,7517462790873146192,131072 --disable-features=HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff90d1cc40,0x7fff90d1cc4c,0x7fff90d1cc58
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2452,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2444 /prefetch:2
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2612 /prefetch:3
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2008,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3304,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:6284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4944,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:6996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4708,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:7056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5168,i,15768839455922376063,5183017762730923214,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2772

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x498
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6620

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StartAdd.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery