dcrat | 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Medal.exe.bin.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2668	schtasks.exe	31

Executes dropped EXE 12 IoCs

pid	Process
2424	System.exe
788	System.exe
1732	System.exe
2820	System.exe
1940	System.exe
1148	System.exe
1764	System.exe
2336	System.exe
2524	System.exe
2080	System.exe
1516	System.exe
1640	System.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe	Medal.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe	Medal.exe.bin.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\886983d96e3d3e	Medal.exe.bin.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe	Medal.exe.bin.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6cb0b6c459d5d3	Medal.exe.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1980	PING.EXE
608	PING.EXE
1140	PING.EXE
2896	PING.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1980	PING.EXE
608	PING.EXE
1140	PING.EXE
2896	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
616	schtasks.exe
2588	schtasks.exe
2764	schtasks.exe
2032	schtasks.exe
1820	schtasks.exe
1088	schtasks.exe
2724	schtasks.exe
580	schtasks.exe
1484	schtasks.exe
2740	schtasks.exe
532	schtasks.exe
984	schtasks.exe
2864	schtasks.exe
2652	schtasks.exe
2388	schtasks.exe
2360	schtasks.exe
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2804	Medal.exe.bin.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe
2424	System.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	Medal.exe.bin.exe
Token: SeDebugPrivilege	2424	System.exe
Token: SeDebugPrivilege	788	System.exe
Token: SeDebugPrivilege	1732	System.exe
Token: SeDebugPrivilege	2820	System.exe
Token: SeDebugPrivilege	1940	System.exe
Token: SeDebugPrivilege	1148	System.exe
Token: SeDebugPrivilege	1764	System.exe
Token: SeDebugPrivilege	2336	System.exe
Token: SeDebugPrivilege	2524	System.exe
Token: SeDebugPrivilege	2080	System.exe
Token: SeDebugPrivilege	1516	System.exe
Token: SeDebugPrivilege	1640	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2340	2804	Medal.exe.bin.exe	50
PID 2804 wrote to memory of 2340	2804	Medal.exe.bin.exe	50
PID 2804 wrote to memory of 2340	2804	Medal.exe.bin.exe	50
PID 2340 wrote to memory of 2936	2340	cmd.exe	52
PID 2340 wrote to memory of 2936	2340	cmd.exe	52
PID 2340 wrote to memory of 2936	2340	cmd.exe	52
PID 2340 wrote to memory of 1876	2340	cmd.exe	53
PID 2340 wrote to memory of 1876	2340	cmd.exe	53
PID 2340 wrote to memory of 1876	2340	cmd.exe	53
PID 2340 wrote to memory of 2424	2340	cmd.exe	54
PID 2340 wrote to memory of 2424	2340	cmd.exe	54
PID 2340 wrote to memory of 2424	2340	cmd.exe	54
PID 2424 wrote to memory of 2240	2424	System.exe	55
PID 2424 wrote to memory of 2240	2424	System.exe	55
PID 2424 wrote to memory of 2240	2424	System.exe	55
PID 2240 wrote to memory of 2512	2240	cmd.exe	57
PID 2240 wrote to memory of 2512	2240	cmd.exe	57
PID 2240 wrote to memory of 2512	2240	cmd.exe	57
PID 2240 wrote to memory of 1980	2240	cmd.exe	58
PID 2240 wrote to memory of 1980	2240	cmd.exe	58
PID 2240 wrote to memory of 1980	2240	cmd.exe	58
PID 2240 wrote to memory of 788	2240	cmd.exe	59
PID 2240 wrote to memory of 788	2240	cmd.exe	59
PID 2240 wrote to memory of 788	2240	cmd.exe	59
PID 788 wrote to memory of 812	788	System.exe	60
PID 788 wrote to memory of 812	788	System.exe	60
PID 788 wrote to memory of 812	788	System.exe	60
PID 812 wrote to memory of 880	812	cmd.exe	62
PID 812 wrote to memory of 880	812	cmd.exe	62
PID 812 wrote to memory of 880	812	cmd.exe	62
PID 812 wrote to memory of 608	812	cmd.exe	63
PID 812 wrote to memory of 608	812	cmd.exe	63
PID 812 wrote to memory of 608	812	cmd.exe	63
PID 812 wrote to memory of 1732	812	cmd.exe	64
PID 812 wrote to memory of 1732	812	cmd.exe	64
PID 812 wrote to memory of 1732	812	cmd.exe	64
PID 1732 wrote to memory of 3040	1732	System.exe	65
PID 1732 wrote to memory of 3040	1732	System.exe	65
PID 1732 wrote to memory of 3040	1732	System.exe	65
PID 3040 wrote to memory of 2120	3040	cmd.exe	67
PID 3040 wrote to memory of 2120	3040	cmd.exe	67
PID 3040 wrote to memory of 2120	3040	cmd.exe	67
PID 3040 wrote to memory of 2904	3040	cmd.exe	68
PID 3040 wrote to memory of 2904	3040	cmd.exe	68
PID 3040 wrote to memory of 2904	3040	cmd.exe	68
PID 3040 wrote to memory of 2820	3040	cmd.exe	69
PID 3040 wrote to memory of 2820	3040	cmd.exe	69
PID 3040 wrote to memory of 2820	3040	cmd.exe	69
PID 2820 wrote to memory of 2732	2820	System.exe	70
PID 2820 wrote to memory of 2732	2820	System.exe	70
PID 2820 wrote to memory of 2732	2820	System.exe	70
PID 2732 wrote to memory of 2628	2732	cmd.exe	72
PID 2732 wrote to memory of 2628	2732	cmd.exe	72
PID 2732 wrote to memory of 2628	2732	cmd.exe	72
PID 2732 wrote to memory of 2996	2732	cmd.exe	73
PID 2732 wrote to memory of 2996	2732	cmd.exe	73
PID 2732 wrote to memory of 2996	2732	cmd.exe	73
PID 2732 wrote to memory of 1940	2732	cmd.exe	74
PID 2732 wrote to memory of 1940	2732	cmd.exe	74
PID 2732 wrote to memory of 1940	2732	cmd.exe	74
PID 1940 wrote to memory of 1780	1940	System.exe	75
PID 1940 wrote to memory of 1780	1940	System.exe	75
PID 1940 wrote to memory of 1780	1940	System.exe	75
PID 1780 wrote to memory of 1080	1780	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PgjVKzz02U.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2936
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1876
- - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ot2Axq4KFg.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2512
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1980
    - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:608
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqzjdZvm8E.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2904
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vfMyBrE4tG.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2996
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yhfppzmMH9.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1880
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat"
        14⤵
        
        PID:1352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1140
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat"
        16⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2408
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jfRlwY95Mq.bat"
        18⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1976
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CXBctguhxK.bat"
        20⤵
        
        PID:956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:880
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8MPHA9c1U6.bat"
        22⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1968
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s4Al4mMfKa.bat"
        24⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2688
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat"
        26⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal.exe.bin" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8MPHA9c1U6.bat

Filesize
235B

MD5
dcbfec0a926c2909d3fb6ee3d4e1363f

SHA1
ac1a70bc888ae4e99d22473a6037acf1cc400fe5

SHA256
20f6408899b61cb7b1df23b5bd4f13b8a797ddc3d695664064f1ddd1198669df

SHA512
2ba704ba1719c7b8b227da866cd752df05d95db9f3a566d10acaa3d4ee81f55b1e3690c7d2eaa4a12448f063afb841569e0b6ead2840c0c24c0b6ccb43b23c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\CXBctguhxK.bat

Filesize
235B

MD5
1a93e7f577b86d9cca142ee7e31fe739

SHA1
fe75e79daa02f8f295500c62b6240e54766e1525

SHA256
76714913c9b0db11280afda751087288aaec9bad1bd3ee3b8f860bb3780ece74

SHA512
e85e1239987d14128a2c3336dfacac3a4039f69d236b7f59c3a044d83dbdce319162cffffb2b8af68d8d71cc295edf6a5c938434d88c4fce3e6f7bb3edaa075f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JRGN3N9ZXF.bat

Filesize
187B

MD5
1fd43ec3f986f39f221394e171c8566b

SHA1
c49228379b26bb167c10af87ee88b5bb8ba3fa68

SHA256
8c8098435ea92f76976f65ce76d73a175d36e83bb0997b75c19d90bb3d0a41a4

SHA512
d391de4c561faf0039709c720ac830cda629cdceb53aeffd00ffbf132117f65b2b7be41bf7cc73b66b23f7ec99707b3ca9c7bdbff7965b5cbefe0f658905d920

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqzjdZvm8E.bat

Filesize
235B

MD5
9cb6e08cd0fd9578ca7c6c540dce4785

SHA1
a8a93a509ce135da409e55988eae15693a924d80

SHA256
20e4b96aad71e25e1eff94b6a9691017f3fc021586d11ad16b54571709a6dce3

SHA512
fe41e351fcf5e8d8a94d683fae80f0cf67d1ce63e6d0a6bf66a7b8a99d4db344be10692d54cb3f912657a806b0c510e318f9a4b446ed0d076d9e10d236c47b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ot2Axq4KFg.bat

Filesize
187B

MD5
79e7953eb4bc4fde4dcfb90f942a6c01

SHA1
21062991e22bf2d8b1c042ecd918b6aaf005020b

SHA256
fc6e8d1936a42ac34dc555848df0c0d48285f2492c3fd0a8647262bc04bfceb2

SHA512
788a7d1fc0c67951c0c3fd013e87be30313829445659a5c9858348b25b13019b2289ca496af55bc9b4a95cf21d93819f7a68e26aeab1b1d2bc7b4f0eeb4f575d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgjVKzz02U.bat

Filesize
235B

MD5
63d9d3d4a8d188954fd5d138eaef0da3

SHA1
f1a8b65685cee2f6381ceec894bce8438be56131

SHA256
b8ea42dbecf0c524ad4ba4832979aa2e9d1faea622387b0dbe9e4bb81bd4519c

SHA512
bdfc386e5efcd9332d6abb57709af1d7a7808e1d4ef2e6b93dbaef3ced2a2f44b2a7991492cb00fff36c2d5f4d63575a3c981d04ca572099f5222c1d89054eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat

Filesize
187B

MD5
87003c1b6c7ffc058b29730f0265ec8c

SHA1
4368bdf424acb0baac98c70884befaa432ba159a

SHA256
b2bfc7a93e007a6aeb6d1e73123439ce6e63de62ac31dbe3d76fdde7f25160bd

SHA512
227355dc0f3fc6695820481c331393eb06dd64cb18ff91ef5a4914ed0477b1916b1be2966938b62b796940ca141311a547b92506d3c97203b8100698463a7fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat

Filesize
235B

MD5
c27227e9885b1af8d96a4780a6391788

SHA1
f8285cf678ced70b937000f224e17fa6ca9df2ad

SHA256
efce4a72cf5f028cb8f994c25a4759eecdb32e44a801149aee14108c44704ece

SHA512
5b3eed9ef83eb7c1f2e4ef4b8e7ddac2baba71e93df577720e23c3de6ba578d1603fd41369421e95abe62c484014cf1d05cb57af7f4a169ab6617bec572c5621

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfRlwY95Mq.bat

Filesize
235B

MD5
0ceac63517cd7edf4483615a3e6836c6

SHA1
f8534fbcc9e88b3959ee7e958c73c8a46571c283

SHA256
173cd5b374ea7634dfa77280031390c1d3f41c532f9d25f29e44bd1eb2b78e0f

SHA512
069ec27b6a487aa4d5dff61e699f02b040857e923fced37fc91084515631f259af2f194ee00f852b1c3a5c6c5ee804b3f91e0ace08d8c957393509acaea20548

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4Al4mMfKa.bat

Filesize
235B

MD5
158ffecf85e727bc959d8e36be7e880c

SHA1
a9438691b1b1bfd85e74d50cb346cd73501207cb

SHA256
65e2382c16194cdaccbf191d44dee2bfc5041155a53c65615b8e54d906a9aa49

SHA512
4211c93a33bbb43737a8f81bd67abc12bf4244b17414ebaaedee59ea1678acfe1d1114a0871db1864e19184186cc2bc74cad4d7afd6d6c4ababb821ef9c135f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfMyBrE4tG.bat

Filesize
235B

MD5
4cb84bc3e1cb0d81f8c76dd5a20f2d37

SHA1
0ce55010a0165b4568a344fbc8d9113c3dcc40d2

SHA256
f358ded4e36cae03492caf0ec1f7af9778186a915caf72f4a8293ed4608c2cda

SHA512
a387da1afbd57f07dc09a286be1044c8242bde4c290b58867afdf2f2d1e33e2ae14183336392e84b3f346100e49640ca6ff8a3aaa536506220a5bc554f1286b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhfppzmMH9.bat

Filesize
235B

MD5
9baf043ac3ecd82ad14e73614cd2cc97

SHA1
84404d34b85e2ac1c6abd780a834300a08cede29

SHA256
176a16fffaafa4bada1f46b2e267c17bbb80f000f44b16f4b0168c3834df7c60

SHA512
f644a8e28beaf373c2694a9d1da9c4d206ec766b6e4efe2126a2db5eacf2107ec8e402b4def1ed51e8591d3a922831b92ed6fae5cd6c6f791e5a101a15b570a2

Download Submit
memory/1148-82-0x0000000001180000-0x0000000001352000-memory.dmp

Filesize
1.8MB

Download
memory/1640-141-0x00000000000E0000-0x00000000002B2000-memory.dmp

Filesize
1.8MB

Download
memory/1732-53-0x00000000003C0000-0x0000000000592000-memory.dmp

Filesize
1.8MB

Download
memory/1764-92-0x0000000001380000-0x0000000001552000-memory.dmp

Filesize
1.8MB

Download
memory/2080-121-0x0000000000EC0000-0x0000000001092000-memory.dmp

Filesize
1.8MB

Download
memory/2424-34-0x00000000011B0000-0x0000000001382000-memory.dmp

Filesize
1.8MB

Download
memory/2524-111-0x0000000000180000-0x0000000000352000-memory.dmp

Filesize
1.8MB

Download
memory/2804-7-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-30-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-3-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2804-4-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-6-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2804-10-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/2804-12-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/2804-2-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-25-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-8-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-1-0x0000000000EB0000-0x0000000001082000-memory.dmp

Filesize
1.8MB

Download
memory/2804-13-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2820-63-0x0000000000F10000-0x00000000010E2000-memory.dmp

Filesize
1.8MB

Download