Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 12:35

General

  • Target

    Medal.exe.bin.exe

  • Size

    1.8MB

  • MD5

    42b89874d3138f40f32285be945f2ceb

  • SHA1

    1766b4c4a040ba19afc4318e9b2eab775fee88d7

  • SHA256

    619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

  • SHA512

    df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

  • SSDEEP

    49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 18 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 17 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 18 IoCs
  • Runs ping.exe 1 TTPs 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g4wQvCfdjJ.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2648
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2520
          • C:\Recovery\WindowsRE\sihost.exe
            "C:\Recovery\WindowsRE\sihost.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:452
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2196
              • C:\Windows\system32\chcp.com
                chcp 65001
                5⤵
                  PID:3440
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  5⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4972
                • C:\Recovery\WindowsRE\sihost.exe
                  "C:\Recovery\WindowsRE\sihost.exe"
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3992
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EEIicgEf1j.bat"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4296
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      7⤵
                        PID:2696
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        7⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2380
                      • C:\Recovery\WindowsRE\sihost.exe
                        "C:\Recovery\WindowsRE\sihost.exe"
                        7⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4068
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AkiujJMGlN.bat"
                          8⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1824
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            9⤵
                              PID:1376
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              9⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3476
                            • C:\Recovery\WindowsRE\sihost.exe
                              "C:\Recovery\WindowsRE\sihost.exe"
                              9⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:716
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
                                10⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2372
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  11⤵
                                    PID:4036
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    11⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4976
                                  • C:\Recovery\WindowsRE\sihost.exe
                                    "C:\Recovery\WindowsRE\sihost.exe"
                                    11⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:4072
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat"
                                      12⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2756
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        13⤵
                                          PID:3120
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:5008
                                          • C:\Recovery\WindowsRE\sihost.exe
                                            "C:\Recovery\WindowsRE\sihost.exe"
                                            13⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:2060
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat"
                                              14⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:4124
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                15⤵
                                                  PID:1436
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:1872
                                                  • C:\Recovery\WindowsRE\sihost.exe
                                                    "C:\Recovery\WindowsRE\sihost.exe"
                                                    15⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:372
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UO0HaVbJ1O.bat"
                                                      16⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1396
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        17⤵
                                                          PID:3108
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          17⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:2068
                                                        • C:\Recovery\WindowsRE\sihost.exe
                                                          "C:\Recovery\WindowsRE\sihost.exe"
                                                          17⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3148
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nNv9Oq8evb.bat"
                                                            18⤵
                                                              PID:900
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                19⤵
                                                                  PID:3972
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  19⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:1512
                                                                • C:\Recovery\WindowsRE\sihost.exe
                                                                  "C:\Recovery\WindowsRE\sihost.exe"
                                                                  19⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:5000
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat"
                                                                    20⤵
                                                                      PID:1292
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        21⤵
                                                                          PID:2672
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          21⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4964
                                                                        • C:\Recovery\WindowsRE\sihost.exe
                                                                          "C:\Recovery\WindowsRE\sihost.exe"
                                                                          21⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2904
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yIUjElxALT.bat"
                                                                            22⤵
                                                                              PID:2392
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                23⤵
                                                                                  PID:1916
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2220
                                                                                  • C:\Recovery\WindowsRE\sihost.exe
                                                                                    "C:\Recovery\WindowsRE\sihost.exe"
                                                                                    23⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4064
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat"
                                                                                      24⤵
                                                                                        PID:1804
                                                                                        • C:\Windows\system32\chcp.com
                                                                                          chcp 65001
                                                                                          25⤵
                                                                                            PID:4996
                                                                                          • C:\Windows\system32\PING.EXE
                                                                                            ping -n 10 localhost
                                                                                            25⤵
                                                                                            • System Network Configuration Discovery: Internet Connection Discovery
                                                                                            • Runs ping.exe
                                                                                            PID:4976
                                                                                          • C:\Recovery\WindowsRE\sihost.exe
                                                                                            "C:\Recovery\WindowsRE\sihost.exe"
                                                                                            25⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:3860
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ahsqPXjhJl.bat"
                                                                                              26⤵
                                                                                                PID:1444
                                                                                                • C:\Windows\system32\chcp.com
                                                                                                  chcp 65001
                                                                                                  27⤵
                                                                                                    PID:4932
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    27⤵
                                                                                                      PID:4924
                                                                                                    • C:\Recovery\WindowsRE\sihost.exe
                                                                                                      "C:\Recovery\WindowsRE\sihost.exe"
                                                                                                      27⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Modifies registry class
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4720
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PmJFabuBut.bat"
                                                                                                        28⤵
                                                                                                          PID:1364
                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                            chcp 65001
                                                                                                            29⤵
                                                                                                              PID:2632
                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                              29⤵
                                                                                                                PID:1052
                                                                                                              • C:\Recovery\WindowsRE\sihost.exe
                                                                                                                "C:\Recovery\WindowsRE\sihost.exe"
                                                                                                                29⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:4124
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat"
                                                                                                                  30⤵
                                                                                                                    PID:452
                                                                                                                    • C:\Windows\system32\chcp.com
                                                                                                                      chcp 65001
                                                                                                                      31⤵
                                                                                                                        PID:2196
                                                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                        31⤵
                                                                                                                          PID:2940
                                                                                                                        • C:\Recovery\WindowsRE\sihost.exe
                                                                                                                          "C:\Recovery\WindowsRE\sihost.exe"
                                                                                                                          31⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies registry class
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:3728
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat"
                                                                                                                            32⤵
                                                                                                                              PID:3256
                                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                                chcp 65001
                                                                                                                                33⤵
                                                                                                                                  PID:4800
                                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                                  ping -n 10 localhost
                                                                                                                                  33⤵
                                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                  • Runs ping.exe
                                                                                                                                  PID:2012
                                                                                                                                • C:\Recovery\WindowsRE\sihost.exe
                                                                                                                                  "C:\Recovery\WindowsRE\sihost.exe"
                                                                                                                                  33⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Modifies registry class
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:3724
                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ockHtb7V7W.bat"
                                                                                                                                    34⤵
                                                                                                                                      PID:768
                                                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                                                        chcp 65001
                                                                                                                                        35⤵
                                                                                                                                          PID:456
                                                                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                          35⤵
                                                                                                                                            PID:3500
                                                                                                                                          • C:\Recovery\WindowsRE\sihost.exe
                                                                                                                                            "C:\Recovery\WindowsRE\sihost.exe"
                                                                                                                                            35⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Modifies registry class
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:2380
                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\luGtQJ8wXl.bat"
                                                                                                                                              36⤵
                                                                                                                                                PID:4604
                                                                                                                                                • C:\Windows\system32\chcp.com
                                                                                                                                                  chcp 65001
                                                                                                                                                  37⤵
                                                                                                                                                    PID:3984
                                                                                                                                                  • C:\Windows\system32\PING.EXE
                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                    37⤵
                                                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                                    • Runs ping.exe
                                                                                                                                                    PID:3340
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3788
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:1040
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2784
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4196
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2452
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4952
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2112
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4024
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3712
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:1484
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:1376
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3476
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:392
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2524
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:232
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4416
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "Medal.exe.bin" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3564
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks.exe /create /tn "Medal.exe.binM" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\Medal.exe.bin.exe'" /rl HIGHEST /f
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4036

                                                                          Network

                                                                          MITRE ATT&CK Enterprise v15

                                                                          Downloads

                                                                          • C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe

                                                                            Filesize

                                                                            1.8MB

                                                                            MD5

                                                                            42b89874d3138f40f32285be945f2ceb

                                                                            SHA1

                                                                            1766b4c4a040ba19afc4318e9b2eab775fee88d7

                                                                            SHA256

                                                                            619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

                                                                            SHA512

                                                                            df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

                                                                            Filesize

                                                                            1KB

                                                                            MD5

                                                                            f8b2fca3a50771154571c11f1c53887b

                                                                            SHA1

                                                                            2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

                                                                            SHA256

                                                                            0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

                                                                            SHA512

                                                                            b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

                                                                          • C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat

                                                                            Filesize

                                                                            160B

                                                                            MD5

                                                                            383fbd80e97e6ddc20340a3bbdd05d92

                                                                            SHA1

                                                                            5f8450858ea3577768b228d206bd2cb82eed231f

                                                                            SHA256

                                                                            f54e38e1c70f9e5c95971b80b0cd664bf596eea90c9ae72af29fbf40b246e052

                                                                            SHA512

                                                                            7944d762d0c25fa04b162c0e23955b3985c90ac8762e5dd24f1930a5a23f9c64996fbff01dda6e8c4d96a85d01483d8d7cbd4738e2ce1d9b37cc81ec379bc655

                                                                          • C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat

                                                                            Filesize

                                                                            160B

                                                                            MD5

                                                                            2f533b23bc5352586104ff8f1c5c82c1

                                                                            SHA1

                                                                            3d5bcddc506f85389d2a2ab2a99a765af10169e9

                                                                            SHA256

                                                                            f1f557f5317588f5a94eb02530ad8425c9251e697527bc884bfb9e240b71f897

                                                                            SHA512

                                                                            430c986851831294cff009d7ffdf872ff24987628ca5bbab1a2b39632d07b71ade1b7dbd899fc455d13370077ca607e89bb4f5e7a9e007471190e3a4f3df1711

                                                                          • C:\Users\Admin\AppData\Local\Temp\AkiujJMGlN.bat

                                                                            Filesize

                                                                            160B

                                                                            MD5

                                                                            06ba6621c609c9afb63b9089cb013bc6

                                                                            SHA1

                                                                            cec51fb3bafb2d8e82129da8b09d6cbd89027d26

                                                                            SHA256

                                                                            a02fcc21e5a10cb25d6348010a7e31f210a7c077d6533fbda4a919ba89a72584

                                                                            SHA512

                                                                            136a16ea7fe9b8a2a405258f2fc8c05bcd0fd2d30e676bfad6e2b0394827e2f361596da7b8ebfd393d2005aa1cc565bf78010e3c20ebb58ef7d374d01ce74686

                                                                          • C:\Users\Admin\AppData\Local\Temp\EEIicgEf1j.bat

                                                                            Filesize

                                                                            160B

                                                                            MD5

                                                                            9f95ff2d3c8c713c5a42632a29d97c17

                                                                            SHA1

                                                                            88c3be96feddc7260ef01934e997a5a2e78a7424

                                                                            SHA256

                                                                            1c2e15221e5d778d3b3870fa2ddc085b692ba393ce58c5338f79b7658d1aed98

                                                                            SHA512

                                                                            9a4257461855b10e170302f81a44abcea41db6e3f2ab308433962460d32146201f1fb57a8d36510715d1871d50ca87470c5a06a7302cd570b9fac55e3ca5aaea

                                                                          • C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat

                                                                            Filesize

                                                                            208B

                                                                            MD5

                                                                            0fca92f7a29595b09221df2a9827a5ea

                                                                            SHA1

                                                                            862ab4a104a8f3c15df96456fe7bdb7ba3da6ba8

                                                                            SHA256

                                                                            d81de08534e42287f0cc43b461f76cb527622a614ed4eb7a6eb2e8447f2986c4

                                                                            SHA512

                                                                            65daed6eced222af0e162d427c78ecb6a4026808656327633aec4c02bbdb2c05f3178975bf2eed12bfb0c3bb8f47f0d5cd50a7443db9b3aa5c1219ee4c278a05

                                                                          • C:\Users\Admin\AppData\Local\Temp\PmJFabuBut.bat

                                                                            Filesize

                                                                            208B

                                                                            MD5

                                                                            8f643ddb7bdb2f89370330dbf8b77518

                                                                            SHA1

                                                                            f7e90de3a026d42ca13cc239ed66c7137f4eb31e

                                                                            SHA256

                                                                            e0a5e1efdf1e05a387c0aee428187ebdf5642192d1d7da122403c05586e1595d

                                                                            SHA512

                                                                            6b2ad3900fd97d1d032f46893b578f187c408ff516672ec3a5b247f5440df8d6a7b5152cea3f31d44d16e6619894880f818473c407873066108a74429486642b

• C:\Users\Admin\AppData\Local\Temp\UO0HaVbJ1O.bat
  Filesize: 160B
  MD5: 4772ab8ddf5eebf251f2331564573ae9
  SHA1: 97322808f91f768ffa991a4cde74da51c2341cf4
  SHA256: 52d8ae57bf1b792fd69f8fc60b34053a1ded840d7bd4b4e6ff9d5592e14ef22f
  SHA512: 12dc9a3ced8391671608ee646d2a669bb585181f8e93c899843ef93ca167f476fb3a8f27c7a8ee4afb3f7a03719ead66c228e63503e5491e1adc644685a34282

• C:\Users\Admin\AppData\Local\Temp\XDDaR1k0wv.bat
  Filesize: 160B
  MD5: f01f2fc207e1f5abd94e86991920a795
  SHA1: b60faf0be27e9d3cde96af4a6870b0c1fb786989
  SHA256: b3ba7d21ec5af922fc12da5897fd2c7dbd2caf0d749cd987b2ea67c847a87cee
  SHA512: 0aa8ae9687885c9767337b17e8434d55a82950002b52ddd9660e2193a7bb9c582c8d37f03b8328cd0d7e7c5bbc485e4d0c81c8c8a083c03b5e1d781e4198280e

• C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat
  Filesize: 208B
  MD5: 4854493d588040bd7ea702ad2aeb5558
  SHA1: e96ae6ed6275da5ef86f6bad54d002873e96bc55
  SHA256: ae033936d5609afcefd309b8432057e72b7e50c95fc6f7e6e93936ba568f6833
  SHA512: b1bca6c2c788ff50821367af928dbc6b4dee01675e053a3678c1577a9b960a550b80070861b7b42682870154d5092053f4b0177a9741bcda8ca282ec1ff85313

• C:\Users\Admin\AppData\Local\Temp\ahsqPXjhJl.bat
  Filesize: 208B
  MD5: c3f6e602c883d29086af25a4c048bda1
  SHA1: e27078641cd3ec48946f0311b154b915b2b65412
  SHA256: e1a221672e7e71286cf6b1a13421e81d6c3e845de793c76e7fd456c7cf2275e9
  SHA512: 69dfdecfd650dc01376ea48605853097a1b4e53807e621dbc5b153c6b99da766b26d36eacf4609dc3dd2fd69d8617fc0c5b5a98f33857347dc0f27a4c1292f63

• C:\Users\Admin\AppData\Local\Temp\g4wQvCfdjJ.bat
  Filesize: 208B
  MD5: 637712254baa021ad6e6e498aefdd37f
  SHA1: 44abe79b3d4c61e70787a8eaaf29a63a6bf57646
  SHA256: dde0ffdfa97cccc3dd27105bacfb905486826646482ce1fbef60585d9ddbd2c6
  SHA512: 6ed9e3e4e6c6c04b37ad749630c298ba3f29c880d7e9a16eb8467230756af1c615bf46d32e60761d4ebd01f5962a36feea2020b038e66d024c5cccc216642220

• C:\Users\Admin\AppData\Local\Temp\luGtQJ8wXl.bat
  Filesize: 160B
  MD5: ad4883e53bc1d2433c9c74b189d38303
  SHA1: cd73c614bb422c24bef1d5570f688f37d896a359
  SHA256: 112c63f2bb175c7db9080fb38628d31f1f51486191ab0eb13a44817177c62f62
  SHA512: 4aa34e6cd02dc2279deae31d4c9fde7aade2ead49dffb0e11fdb4ad261456dced364734b92291725005487e91205ceaafcd10a2a6eb1f371c34eab07b9ae18e0

• C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat
  Filesize: 160B
  MD5: e0fbea772691aaa003a4819f0d8be136
  SHA1: 81a3fe69b7ff9ef31430ea995723908fbd6bc143
  SHA256: b202da4389eddcf9c0620ba02f1fa77f8020cb0656e7447d080252f726ba6397
  SHA512: 6be9a292877a1c7a59b8ed21ceb6d7bf7bdfece615bac79838b1859fffa21e0206919a6e9707f05ac37fdcf6db22a05fcfa7550dbbb6ea3db364513675d51a3f

• C:\Users\Admin\AppData\Local\Temp\nNv9Oq8evb.bat
  Filesize: 160B
  MD5: 15b990b45e3eaee2ae7893a2f82b6ca0
  SHA1: 858e09c6acfe6e38b99c6c31163643c2f5d09a16
  SHA256: 8fb56dbc52a43772c70094e14e248d9ebde185c11226d2eef2d7f82f2abefc7d
  SHA512: 616521f525562f8e527f068ef85794222ed1b2c8be1941fe12475ecb34098d920269efe2a8aeeabc8194fcd53aaae73745e684322e14a1dd8308debcfc71e8f7

• C:\Users\Admin\AppData\Local\Temp\ockHtb7V7W.bat
  Filesize: 208B
  MD5: 19879966c0eaccc2c669a5e65710036f
  SHA1: c2526d3038192645418de87a6f46670d73ce7084
  SHA256: 76ae3816440efee86dce55aa0c571e4979cf0758b8fe667ce0d119cc02a9b757
  SHA512: d67fa80b7fa55bdfa075cd4e6005eebc2c26abace73d8f081e313b3af41c500fd8b22afa6f3ae30fc4dc9fd457b114499bb4ae11033d6a771b54747f6e1de96a

• C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat
  Filesize: 208B
  MD5: b3afab7e444ea565b84b84b3ada15b94
  SHA1: edaccac9b1f1728d9f385f09f399e676248a8376
  SHA256: 21560d8318b515484c34cf94b0d39c18e3ad2291597a982603ce64deee625f0c
  SHA512: f6c9c06e6ffcb073c48b2c602093911c10b56221976ed5c861e668bdbb14002df914b595710acf32ac69f7dfdd197380087efb30567296e27a110ed02a9c8375

• C:\Users\Admin\AppData\Local\Temp\yIUjElxALT.bat
  Filesize: 208B
  MD5: ae8667009dec7f48742db407d649b561
  SHA1: 2b4e71dd8524c7719f259f55a0fc854c33977eb4
  SHA256: fcd03bce9da672345dbc7ddfaa2382935f4ebe81a0d6b7560d7c52899302e04e
  SHA512: 284859c77173191ac39d0ba0ba3cf388fb1b55fa699bc258e18a3137825d3f6d66c2e035d491c6cd474d05b78573165f5d4ef907cd44293ae27987cf7bf05a19

• memory/372-106-0x000000001CA50000-0x000000001CBBA000-memory.dmp (Filesize: 1.4MB)
• memory/716-76-0x000000001BFE0000-0x000000001C14A000-memory.dmp (Filesize: 1.4MB)
• memory/764-35-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp (Filesize: 8KB)
• memory/764-6-0x0000000002430000-0x000000000243E000-memory.dmp (Filesize: 56KB)
• memory/764-12-0x00000000025E0000-0x00000000025F8000-memory.dmp (Filesize: 96KB)
• memory/764-23-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-32-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-10-0x000000001B290000-0x000000001B2E0000-memory.dmp (Filesize: 320KB)
• memory/764-3-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-7-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-4-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-1-0x0000000000090000-0x0000000000262000-memory.dmp (Filesize: 1.8MB)
• memory/764-28-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-16-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-27-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-26-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-2-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp (Filesize: 10.8MB)
• memory/764-9-0x00000000025C0000-0x00000000025DC000-memory.dmp (Filesize: 112KB)
• memory/2060-96-0x000000001C540000-0x000000001C6AA000-memory.dmp (Filesize: 1.4MB)
• memory/3148-116-0x000000001C5E0000-0x000000001C74A000-memory.dmp (Filesize: 1.4MB)
• memory/4072-86-0x000000001C620000-0x000000001C78A000-memory.dmp (Filesize: 1.4MB)