Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/01/2025, 12:35
Static task: static1
Behavioral task: behavioral1
- Sample: Medal.exe.bin.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2 (the run shown on this page, per the platform above)
- Sample: Medal.exe.bin.exe
- Resource: win10v2004-20241007-en
General
- Target: Medal.exe.bin.exe
- Size: 1.8MB
- MD5: 42b89874d3138f40f32285be945f2ceb
- SHA1: 1766b4c4a040ba19afc4318e9b2eab775fee88d7
- SHA256: 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
- SHA512: df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
- SSDEEP: 49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof
Malware Config
Signatures
- DcRat
  DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
- Dcrat family
- Process spawned unexpected child process (18 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro. On this run the parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 116), the WMI provider host, and every child is schtasks.exe. That is what a process created through WMI (Win32_Process.Create) looks like, so the 18 task creations are consistent with the sample issuing them over WMI rather than with a compromised wmiprvse.exe; the hunt should be for the WMI caller, not for an exploit in the provider host.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (all rows: pid_target 116, Process schtasks.exe, procid_target 82)
  pid: 3788, 1040, 2784, 4196, 2452, 4952, 2112, 4024, 3712, 1484, 1376, 3476, 2524, 392, 232, 4416, 3564, 4036
- Checks computer location settings (2 TTPs, 18 IoCs)
  Looks up the country code configured in the registry, likely a geofence. The value read is the per-user Geo\Nation GEOID (the user's configured country/region); a sample that exits on certain values never shows its later behaviour in a sandbox configured for that region.
  ioc (all rows): Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation
  Process: Medal.exe.bin.exe (1 row), sihost.exe (17 rows)
- Executes dropped EXE (17 IoCs)
  Only the C:\Recovery\WindowsRE\sihost.exe copy ran during the run; the System.exe, upfc.exe and fontdrvhost.exe copies referenced by the scheduled tasks below were written but not observed executing.
  pid / Process: 452, 3992, 4068, 716, 4072, 2060, 372, 3148, 5000, 2904, 4064, 3860, 4720, 4124, 3728, 3724, 2380 (all sihost.exe)
- Drops file in Program Files directory (7 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Program Files\Windows Media Player\upfc.exe (Medal.exe.bin.exe)
  - File created: C:\Program Files\Windows Media Player\ea1d8f6d871115 (Medal.exe.bin.exe)
  - File created: C:\Program Files (x86)\Windows Portable Devices\System.exe (Medal.exe.bin.exe)
  - File created: C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0 (Medal.exe.bin.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe (Medal.exe.bin.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\27d1bcfc3c54e0 (Medal.exe.bin.exe)
  - File created: C:\Program Files\Windows Media Player\upfc.exe (Medal.exe.bin.exe)
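Two of the signatures above reduce to rules over process-creation events: a parent that should not be launching schtasks.exe, and a Windows binary name (sihost.exe, fontdrvhost.exe, upfc.exe) running from a directory where Windows does not install it. The Python below is an added example written for this page, not Triage code or code from the sample; the three sample events are constructed from PIDs and paths shown in this report, and the EXPECTED_PARENTS allow-list and the SYSTEM_IMAGES path table are the example's own assumptions rather than values the report provides.

```python
"""Lineage and image-path checks over process-creation events.

Added example for this report, not sandbox code. Events are constructed from the
PIDs and paths on this page; the allow-lists are assumptions, not Triage's rules.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_pid: int
    parent_image: str   # full path of its parent


# Assumption: parents that routinely launch these child binaries on a workstation.
# Anything else is reported, which is what the "unexpected child process"
# signature does for wmiprvse.exe -> schtasks.exe.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"},
}

# Assumption: install locations of the Windows binaries whose names the dropped
# files reuse. The same name running from anywhere else is treated as masquerading.
SYSTEM_IMAGES = {
    "sihost.exe": r"c:\windows\system32\sihost.exe",
    "fontdrvhost.exe": r"c:\windows\system32\fontdrvhost.exe",
    "upfc.exe": r"c:\windows\system32\upfc.exe",
}

# WMI provider host: a child here usually means Win32_Process.Create was used.
WMI_HOST = "wmiprvse.exe"


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_parent(ev: ProcEvent):
    """Return a finding if the child's parent is not on the child's allow-list."""
    child, parent = _name(ev.image), _name(ev.parent_image)
    allowed = EXPECTED_PARENTS.get(child)
    if allowed is None or parent in allowed:
        return None
    why = "created via WMI (Win32_Process.Create)" if parent == WMI_HOST else "unexpected parent"
    return (ev.pid, "unexpected-parent", f"{parent} -> {child}: {why}")


def check_masquerade(ev: ProcEvent):
    """Return a finding if a known Windows binary name runs from a non-standard path."""
    expected = SYSTEM_IMAGES.get(_name(ev.image))
    if expected is None or ev.image.lower() == expected:
        return None
    return (ev.pid, "masquerade", f"{_name(ev.image)} expected at {expected}, ran from {ev.image}")


def triage(events):
    """Apply both checks to every event; returns the list of (pid, rule, detail)."""
    findings = []
    for ev in events:
        for check in (check_parent, check_masquerade):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed from this report: three of the page's parent/child pairs.
SAMPLE_EVENTS = [
    ProcEvent(3788, r"C:\Windows\system32\schtasks.exe", 116, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(452, r"C:\Recovery\WindowsRE\sihost.exe", 4608, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4972, r"C:\Windows\system32\PING.EXE", 2196, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(pid, rule, detail)
```

The masquerade check compares the full lower-cased path, so it does not fire on the genuine C:\Windows\System32\sihost.exe; on real telemetry the allow-list and path table would be maintained per OS build rather than hard-coded.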
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 10 IoCs)
  Adversaries may check for Internet connectivity on compromised systems. Here every instance is ping -n 10 localhost, which never leaves the host: the batch files use it as a roughly ten-second sleep before relaunching sihost.exe (cmd.exe has no sleep built in), so treat it as a delay, not as connectivity discovery.
  pid / Process: 2380, 3476, 4976, 1512, 4976, 2012, 4972, 2068, 4964, 3340 (all PING.EXE; PID 4976 was reused for two ping processes)
- Modifies registry class (18 IoCs)
  ioc (all rows): Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings
  Process: Medal.exe.bin.exe (1 row), sihost.exe (17 rows)
- Runs ping.exe (1 TTPs, 10 IoCs)
  pid / Process: 2068, 2012, 4972, 2380, 4976, 4976, 3340, 3476, 1512, 4964 (all PING.EXE; same ten processes as the signature above)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The 18 command lines are listed under Processes below; twelve of them use /rl HIGHEST, which makes the task run with the highest privileges available to the user, so on an administrator account the dropped binaries come back elevated without a UAC prompt.
  pid / Process: 4024, 3712, 1376, 2524, 392, 4416, 2452, 1040, 4952, 1484, 4036, 3788, 4196, 2112, 3476, 232, 3564, 2784 (all schtasks.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 764 Medal.exe.bin.exe (48 rows), 452 sihost.exe (16 rows); the list is capped at 64 rows
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  SeDebugPrivilege is held only by administrator tokens and is what a process needs to open other users' processes; the sample and every sihost.exe copy request it.
  description / pid / Process: Token: SeDebugPrivilege for 764 Medal.exe.bin.exe and for sihost.exe PIDs 452, 3992, 4068, 716, 4072, 2060, 372, 3148, 5000, 2904, 4064, 3860, 4720, 4124, 3728, 3724, 2380
- Suspicious use of WriteProcessMemory (64 IoCs)
  Every row is a parent writing into a child it has just created (the writes that accompany process start-up), not injection into an unrelated process. Each parent/child pair is logged twice; the 32 distinct pairs are listed once here with their procid_target, and the list stops at the 64-row cap, so later hops of the chain are not included.
  - 764 Medal.exe.bin.exe wrote to 4608 (101)
  - 4608 cmd.exe wrote to 2648 (103), 2520 (104), 452 (105)
  - 452 sihost.exe wrote to 2196 (106)
  - 2196 cmd.exe wrote to 3440 (108), 4972 (109), 3992 (114)
  - 3992 sihost.exe wrote to 4296 (117)
  - 4296 cmd.exe wrote to 2696 (119), 2380 (120), 4068 (121)
  - 4068 sihost.exe wrote to 1824 (123)
  - 1824 cmd.exe wrote to 1376 (125), 3476 (126), 716 (128)
  - 716 sihost.exe wrote to 2372 (129)
  - 2372 cmd.exe wrote to 4036 (131), 4976 (132), 4072 (133)
  - 4072 sihost.exe wrote to 2756 (134)
  - 2756 cmd.exe wrote to 3120 (136), 5008 (137), 2060 (138)
  - 2060 sihost.exe wrote to 4124 (139)
  - 4124 cmd.exe wrote to 1436 (141), 1872 (142), 372 (143)
  - 372 sihost.exe wrote to 1396 (144)
  - 1396 cmd.exe wrote to 3108 (146), 2068 (147), 3148 (148)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the process's depth in the tree; signatures are listed under each process. Each sihost.exe copy runs cmd.exe /C <random>.bat from the user's Temp directory; the batch file sets the console code page (chcp 65001), waits roughly ten seconds with ping -n 10 localhost or w32tm /stripchart, then starts the next sihost.exe copy. The relay reaches depth 37 before the run ends. PIDs were reused by Windows during the run (for example 452, 2196, 2380, 3476, 4036, 4124, 1376 and 4976 each appear for two different processes).

[1] PID 764  C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 4608  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g4wQvCfdjJ.bat"
    - Suspicious use of WriteProcessMemory
[3] PID 2648  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[3] PID 2520  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[3] PID 452  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] PID 2196  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat"
    - Suspicious use of WriteProcessMemory
[5] PID 3440  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[5] PID 4972  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[5] PID 3992  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] PID 4296  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EEIicgEf1j.bat"
    - Suspicious use of WriteProcessMemory
[7] PID 2696  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[7] PID 2380  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[7] PID 4068  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[8] PID 1824  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AkiujJMGlN.bat"
    - Suspicious use of WriteProcessMemory
[9] PID 1376  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[9] PID 3476  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[9] PID 716  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[10] PID 2372  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
    - Suspicious use of WriteProcessMemory
[11] PID 4036  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[11] PID 4976  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[11] PID 4072  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[12] PID 2756  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat"
    - Suspicious use of WriteProcessMemory
[13] PID 3120  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[13] PID 5008  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[13] PID 2060  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[14] PID 4124  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat"
    - Suspicious use of WriteProcessMemory
[15] PID 1436  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[15] PID 1872  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[15] PID 372  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[16] PID 1396  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UO0HaVbJ1O.bat"
    - Suspicious use of WriteProcessMemory
[17] PID 3108  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[17] PID 2068  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[17] PID 3148  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[18] PID 900  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nNv9Oq8evb.bat"
[19] PID 3972  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[19] PID 1512  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[19] PID 5000  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[20] PID 1292  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
[21] PID 2672  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[21] PID 4964  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[21] PID 2904  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[22] PID 2392  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yIUjElxALT.bat"
[23] PID 1916  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[23] PID 2220  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[23] PID 4064  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[24] PID 1804  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat"
[25] PID 4996  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[25] PID 4976  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[25] PID 3860  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[26] PID 1444  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ahsqPXjhJl.bat"
[27] PID 4932  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[27] PID 4924  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[27] PID 4720  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[28] PID 1364  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PmJFabuBut.bat"
[29] PID 2632  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[29] PID 1052  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[29] PID 4124  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[30] PID 452  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat"
[31] PID 2196  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[31] PID 2940  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[31] PID 3728  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[32] PID 3256  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat"
[33] PID 4800  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[33] PID 2012  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[33] PID 3724  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[34] PID 768  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ockHtb7V7W.bat"
[35] PID 456  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[35] PID 3500  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[35] PID 2380  C:\Recovery\WindowsRE\sihost.exe
    cmdline: "C:\Recovery\WindowsRE\sihost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[36] PID 4604  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\luGtQJ8wXl.bat"
[37] PID 3984  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[37] PID 3340  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
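The chain above repeats one unit: a sihost.exe copy starts cmd.exe /C <random>.bat, the batch file runs chcp 65001, waits with ping -n 10 localhost (ten echo requests about a second apart, so roughly nine seconds) or w32tm /stripchart /period:5 /samples:2 (two readings five seconds apart), and then starts the next sihost.exe copy. The Python below is an added example for this page, not Triage code or code from the sample: it walks a constructed, shortened copy of the tree (the first two hops and the final hop that ran out of time) and reports each hop with the batch name, the estimated wait and what was relaunched. The Proc and Hop classes, the delay estimates and the UTILITIES set are the example's own assumptions.

```python
"""Find the batch-relay hops in a process tree.

Added example for this report (not Triage or DCRat code). The tree is a
constructed, shortened copy of the chain on this page: the first two hops
and the final hop that never relaunched. Delay figures are estimates.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    def add(self, child: "Proc") -> "Proc":
        self.children.append(child)
        return child


@dataclass
class Hop:
    launcher_pid: int          # PID of the cmd.exe that ran the .bat
    batch: str                 # file name of the .bat
    delay_s: int               # estimated seconds the batch waited
    relaunched: Optional[str]  # image started after the wait; None if the chain stopped


PING_RE = re.compile(r"\bping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
W32TM_RE = re.compile(r"\bw32tm\s+/stripchart\b.*?/period:(\d+).*?/samples:(\d+)", re.I)
BAT_RE = re.compile(r'/c\s+"?([^"]+?\.bat)"?', re.I)
# Assumption: helpers a batch file may run that are not the relaunch target.
UTILITIES = {"chcp.com", "ping.exe", "w32tm.exe", "timeout.exe"}


def delay_seconds(cmdline: str) -> int:
    """Estimate how long a sleep-substitute command runs; 0 if it is not one."""
    m = PING_RE.search(cmdline)
    if m:  # N echo requests to localhost, about one second apart
        return max(int(m.group(1)) - 1, 0)
    m = W32TM_RE.search(cmdline)
    if m:  # /samples readings taken /period seconds apart
        return int(m.group(1)) * int(m.group(2))
    return 0


def find_hops(root: Proc) -> List[Hop]:
    """Depth-first walk; one Hop per cmd.exe /C <file>.bat found under root."""
    hops: List[Hop] = []

    def walk(node: Proc) -> None:
        for child in node.children:
            is_cmd = ntpath.basename(child.image).lower() == "cmd.exe"
            m = BAT_RE.search(child.cmdline) if is_cmd else None
            if m:
                delay = sum(delay_seconds(c.cmdline) for c in child.children)
                targets = [c.image for c in child.children
                           if ntpath.basename(c.image).lower() not in UTILITIES]
                hops.append(Hop(child.pid, ntpath.basename(m.group(1)), delay,
                                targets[0] if targets else None))
            walk(child)

    walk(root)
    return hops


def build_sample_tree() -> Proc:
    """Constructed from this page: hops 1 and 2, then the last (incomplete) hop."""
    medal = Proc(764, r"C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe"')
    cmd1 = medal.add(Proc(4608, r"C:\Windows\System32\cmd.exe",
                          r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g4wQvCfdjJ.bat"'))
    cmd1.add(Proc(2648, r"C:\Windows\system32\chcp.com", "chcp 65001"))
    cmd1.add(Proc(2520, r"C:\Windows\system32\w32tm.exe",
                  "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"))
    sihost1 = cmd1.add(Proc(452, r"C:\Recovery\WindowsRE\sihost.exe", r'"C:\Recovery\WindowsRE\sihost.exe"'))
    cmd2 = sihost1.add(Proc(2196, r"C:\Windows\System32\cmd.exe",
                            r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat"'))
    cmd2.add(Proc(3440, r"C:\Windows\system32\chcp.com", "chcp 65001"))
    cmd2.add(Proc(4972, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"))
    sihost2 = cmd2.add(Proc(3992, r"C:\Recovery\WindowsRE\sihost.exe", r'"C:\Recovery\WindowsRE\sihost.exe"'))
    cmd3 = sihost2.add(Proc(4604, r"C:\Windows\System32\cmd.exe",
                            r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\luGtQJ8wXl.bat"'))
    cmd3.add(Proc(3984, r"C:\Windows\system32\chcp.com", "chcp 65001"))
    cmd3.add(Proc(3340, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"))
    return medal


if __name__ == "__main__":
    for hop in find_hops(build_sample_tree()):
        print(hop)
```

Run over the full tree on this page the walk would yield 18 hops, 17 of which relaunch C:\Recovery\WindowsRE\sihost.exe; the per-hop wait is what keeps the sample busy for the whole 150-second kernel budget without ever contacting its controller.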
The following 18 schtasks.exe processes sit at depth 1 with wmiprvse.exe (PID 116) as parent (see "Process spawned unexpected child process" above); each carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". Each dropped binary gets three tasks created in the order shown: an every-N-minutes task without /rl, an ONLOGON task with /rl HIGHEST, and the every-N-minutes task again (same /tn, different /mo) with /rl HIGHEST. Because /f is set, the third creation overwrites the first. The names "System" and "SystemS" are used for both the Windows Photo Viewer and the Windows Portable Devices copy of System.exe, so the later Windows Portable Devices tasks overwrite the Windows Photo Viewer ones, leaving ten live tasks, all with /rl HIGHEST.

[1] PID 3788  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /f
[1] PID 1040  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
[1] PID 2784  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
[1] PID 4196  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
[1] PID 2452  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
[1] PID 4952  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
[1] PID 2112  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
[1] PID 4024  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
[1] PID 3712  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
[1] PID 1484  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
[1] PID 1376  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
[1] PID 3476  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
[1] PID 392  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f
[1] PID 2524  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
[1] PID 232  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
[1] PID 4416  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /f
[1] PID 3564  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "Medal.exe.bin" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
[1] PID 4036  C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
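Reading 18 near-identical schtasks lines by eye is error-prone. The Python below is an added example for this page, not Triage code or code from the sample: it parses the command lines copied from the list above into records, groups them by target binary, replays the creations so that /f overwrites of a repeated /tn are accounted for, and flags the properties a responder cares about. The switch parser, the TRUSTED_DIRS rule and the criteria in suspicious() are the example's own assumptions.

```python
"""Turn the schtasks /create command lines from this report into persistence records.

Added example, not part of the sandbox report. COMMAND_LINES is copied from the
process list on this page; everything else is the example's own logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# A /switch followed by an optional value: a double-quoted string, or a bare
# token that does not itself begin with a slash (so "/create /tn" gives no value).
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')

# Assumption: directories where a legitimately scheduled Windows binary would live.
TRUSTED_DIRS = (r"c:\windows\system32\\", r"c:\windows\syswow64\\")


@dataclass(frozen=True)
class Task:
    name: str
    schedule: str             # "ONLOGON" or "MINUTE/<n>"
    target: str               # binary the task runs
    run_level: Optional[str]  # "HIGHEST" when /rl HIGHEST is present
    force: bool               # /f: overwrite an existing task of the same name


def parse_schtasks(cmdline: str) -> Task:
    args: Dict[str, Optional[str]] = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group(2)
        if value is not None:
            value = value.strip('"').strip("'")  # /tr "'C:\x.exe'" -> C:\x.exe
        args[m.group(1).lower()] = value
    if "create" not in args:
        raise ValueError("not a /create command: " + cmdline)
    schedule = (args["sc"] or "").upper()
    if args.get("mo"):
        schedule += "/" + args["mo"]
    run_level = args["rl"].upper() if args.get("rl") else None
    return Task(args["tn"], schedule, args["tr"], run_level, "f" in args)


def group_by_target(tasks: List[Task]) -> Dict[str, List[Task]]:
    groups: Dict[str, List[Task]] = defaultdict(list)
    for t in tasks:
        groups[t.target].append(t)
    return dict(groups)


def effective_tasks(tasks: List[Task]) -> Dict[str, Task]:
    """Replay creations in order: /f lets a later task replace an earlier one with the same /tn."""
    live: Dict[str, Task] = {}
    for t in tasks:
        if t.name in live and not t.force:
            continue  # schtasks refuses to create a task that already exists
        live[t.name] = t
    return live


def suspicious(task: Task) -> List[str]:
    reasons = []
    if not task.target.lower().startswith(TRUSTED_DIRS):
        reasons.append("target outside a Windows system directory")
    if task.run_level == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if task.schedule.startswith("MINUTE/"):
        reasons.append("re-runs every " + task.schedule.split("/")[1] + " min")
    return reasons


# Copied from the 18 schtasks.exe processes listed on this page, in order.
COMMAND_LINES = r'''
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /f
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /f
schtasks.exe /create /tn "Medal.exe.bin" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
'''.strip().splitlines()

TASKS = [parse_schtasks(line) for line in COMMAND_LINES]

if __name__ == "__main__":
    for target, group in group_by_target(TASKS).items():
        print(target, [(t.name, t.schedule, t.run_level) for t in group])
    for name, t in effective_tasks(TASKS).items():
        print("live:", name, "->", t.target, suspicious(t))
```

The replay in effective_tasks() is the part worth keeping: the raw list suggests eighteen persistence points, but the task names collide, so what a responder must remove from the Task Scheduler is ten tasks, and the Windows Photo Viewer copy of System.exe ends the run with no task pointing at it.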
Network
MITRE ATT&CK Enterprise v15
Downloads
The first entry is the sample itself. Besides it and one 1KB file, the report lists 17 files of 160B and 208B; that count matches the 17 distinct .bat names in the process tree, although the report does not name these files.

- Filesize 1.8MB
  MD5 42b89874d3138f40f32285be945f2ceb
  SHA1 1766b4c4a040ba19afc4318e9b2eab775fee88d7
  SHA256 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
  SHA512 df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
- Filesize 1KB
  MD5 f8b2fca3a50771154571c11f1c53887b
  SHA1 2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f
  SHA256 0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6
  SHA512 b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a
- Filesize 160B
  MD5 383fbd80e97e6ddc20340a3bbdd05d92
  SHA1 5f8450858ea3577768b228d206bd2cb82eed231f
  SHA256 f54e38e1c70f9e5c95971b80b0cd664bf596eea90c9ae72af29fbf40b246e052
  SHA512 7944d762d0c25fa04b162c0e23955b3985c90ac8762e5dd24f1930a5a23f9c64996fbff01dda6e8c4d96a85d01483d8d7cbd4738e2ce1d9b37cc81ec379bc655
- Filesize 160B
  MD5 2f533b23bc5352586104ff8f1c5c82c1
  SHA1 3d5bcddc506f85389d2a2ab2a99a765af10169e9
  SHA256 f1f557f5317588f5a94eb02530ad8425c9251e697527bc884bfb9e240b71f897
  SHA512 430c986851831294cff009d7ffdf872ff24987628ca5bbab1a2b39632d07b71ade1b7dbd899fc455d13370077ca607e89bb4f5e7a9e007471190e3a4f3df1711
- Filesize 160B
  MD5 06ba6621c609c9afb63b9089cb013bc6
  SHA1 cec51fb3bafb2d8e82129da8b09d6cbd89027d26
  SHA256 a02fcc21e5a10cb25d6348010a7e31f210a7c077d6533fbda4a919ba89a72584
  SHA512 136a16ea7fe9b8a2a405258f2fc8c05bcd0fd2d30e676bfad6e2b0394827e2f361596da7b8ebfd393d2005aa1cc565bf78010e3c20ebb58ef7d374d01ce74686
- Filesize 160B
  MD5 9f95ff2d3c8c713c5a42632a29d97c17
  SHA1 88c3be96feddc7260ef01934e997a5a2e78a7424
  SHA256 1c2e15221e5d778d3b3870fa2ddc085b692ba393ce58c5338f79b7658d1aed98
  SHA512 9a4257461855b10e170302f81a44abcea41db6e3f2ab308433962460d32146201f1fb57a8d36510715d1871d50ca87470c5a06a7302cd570b9fac55e3ca5aaea
- Filesize 208B
  MD5 0fca92f7a29595b09221df2a9827a5ea
  SHA1 862ab4a104a8f3c15df96456fe7bdb7ba3da6ba8
  SHA256 d81de08534e42287f0cc43b461f76cb527622a614ed4eb7a6eb2e8447f2986c4
  SHA512 65daed6eced222af0e162d427c78ecb6a4026808656327633aec4c02bbdb2c05f3178975bf2eed12bfb0c3bb8f47f0d5cd50a7443db9b3aa5c1219ee4c278a05
- Filesize 208B
  MD5 8f643ddb7bdb2f89370330dbf8b77518
  SHA1 f7e90de3a026d42ca13cc239ed66c7137f4eb31e
  SHA256 e0a5e1efdf1e05a387c0aee428187ebdf5642192d1d7da122403c05586e1595d
  SHA512 6b2ad3900fd97d1d032f46893b578f187c408ff516672ec3a5b247f5440df8d6a7b5152cea3f31d44d16e6619894880f818473c407873066108a74429486642b
- Filesize 160B
  MD5 4772ab8ddf5eebf251f2331564573ae9
  SHA1 97322808f91f768ffa991a4cde74da51c2341cf4
  SHA256 52d8ae57bf1b792fd69f8fc60b34053a1ded840d7bd4b4e6ff9d5592e14ef22f
  SHA512 12dc9a3ced8391671608ee646d2a669bb585181f8e93c899843ef93ca167f476fb3a8f27c7a8ee4afb3f7a03719ead66c228e63503e5491e1adc644685a34282
- Filesize 160B
  MD5 f01f2fc207e1f5abd94e86991920a795
  SHA1 b60faf0be27e9d3cde96af4a6870b0c1fb786989
  SHA256 b3ba7d21ec5af922fc12da5897fd2c7dbd2caf0d749cd987b2ea67c847a87cee
  SHA512 0aa8ae9687885c9767337b17e8434d55a82950002b52ddd9660e2193a7bb9c582c8d37f03b8328cd0d7e7c5bbc485e4d0c81c8c8a083c03b5e1d781e4198280e
- Filesize 208B
  MD5 4854493d588040bd7ea702ad2aeb5558
  SHA1 e96ae6ed6275da5ef86f6bad54d002873e96bc55
  SHA256 ae033936d5609afcefd309b8432057e72b7e50c95fc6f7e6e93936ba568f6833
  SHA512 b1bca6c2c788ff50821367af928dbc6b4dee01675e053a3678c1577a9b960a550b80070861b7b42682870154d5092053f4b0177a9741bcda8ca282ec1ff85313
- Filesize 208B
  MD5 c3f6e602c883d29086af25a4c048bda1
  SHA1 e27078641cd3ec48946f0311b154b915b2b65412
  SHA256 e1a221672e7e71286cf6b1a13421e81d6c3e845de793c76e7fd456c7cf2275e9
  SHA512 69dfdecfd650dc01376ea48605853097a1b4e53807e621dbc5b153c6b99da766b26d36eacf4609dc3dd2fd69d8617fc0c5b5a98f33857347dc0f27a4c1292f63
- Filesize 208B
  MD5 637712254baa021ad6e6e498aefdd37f
  SHA1 44abe79b3d4c61e70787a8eaaf29a63a6bf57646
  SHA256 dde0ffdfa97cccc3dd27105bacfb905486826646482ce1fbef60585d9ddbd2c6
  SHA512 6ed9e3e4e6c6c04b37ad749630c298ba3f29c880d7e9a16eb8467230756af1c615bf46d32e60761d4ebd01f5962a36feea2020b038e66d024c5cccc216642220
- Filesize 160B
  MD5 ad4883e53bc1d2433c9c74b189d38303
  SHA1 cd73c614bb422c24bef1d5570f688f37d896a359
  SHA256 112c63f2bb175c7db9080fb38628d31f1f51486191ab0eb13a44817177c62f62
  SHA512 4aa34e6cd02dc2279deae31d4c9fde7aade2ead49dffb0e11fdb4ad261456dced364734b92291725005487e91205ceaafcd10a2a6eb1f371c34eab07b9ae18e0
- Filesize 160B
  MD5 e0fbea772691aaa003a4819f0d8be136
  SHA1 81a3fe69b7ff9ef31430ea995723908fbd6bc143
  SHA256 b202da4389eddcf9c0620ba02f1fa77f8020cb0656e7447d080252f726ba6397
  SHA512 6be9a292877a1c7a59b8ed21ceb6d7bf7bdfece615bac79838b1859fffa21e0206919a6e9707f05ac37fdcf6db22a05fcfa7550dbbb6ea3db364513675d51a3f
- Filesize 160B
  MD5 15b990b45e3eaee2ae7893a2f82b6ca0
  SHA1 858e09c6acfe6e38b99c6c31163643c2f5d09a16
  SHA256 8fb56dbc52a43772c70094e14e248d9ebde185c11226d2eef2d7f82f2abefc7d
  SHA512 616521f525562f8e527f068ef85794222ed1b2c8be1941fe12475ecb34098d920269efe2a8aeeabc8194fcd53aaae73745e684322e14a1dd8308debcfc71e8f7
- Filesize 208B
  MD5 19879966c0eaccc2c669a5e65710036f
  SHA1 c2526d3038192645418de87a6f46670d73ce7084
  SHA256 76ae3816440efee86dce55aa0c571e4979cf0758b8fe667ce0d119cc02a9b757
  SHA512 d67fa80b7fa55bdfa075cd4e6005eebc2c26abace73d8f081e313b3af41c500fd8b22afa6f3ae30fc4dc9fd457b114499bb4ae11033d6a771b54747f6e1de96a
- Filesize 208B
  MD5 b3afab7e444ea565b84b84b3ada15b94
  SHA1 edaccac9b1f1728d9f385f09f399e676248a8376
  SHA256 21560d8318b515484c34cf94b0d39c18e3ad2291597a982603ce64deee625f0c
  SHA512 f6c9c06e6ffcb073c48b2c602093911c10b56221976ed5c861e668bdbb14002df914b595710acf32ac69f7dfdd197380087efb30567296e27a110ed02a9c8375
- Filesize 208B
  MD5 ae8667009dec7f48742db407d649b561
  SHA1 2b4e71dd8524c7719f259f55a0fc854c33977eb4
  SHA256 fcd03bce9da672345dbc7ddfaa2382935f4ebe81a0d6b7560d7c52899302e04e
  SHA512 284859c77173191ac39d0ba0ba3cf388fb1b55fa699bc258e18a3137825d3f6d66c2e035d491c6cd474d05b78573165f5d4ef907cd44293ae27987cf7bf05a19