URL:

https://medal.tv/download?ref=586375195

Full analysis: https://app.any.run/tasks/01723a47-81d4-4f59-abb6-8d264eaaa072
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 25, 2026, 19:39:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
stealer
obfuscated-js
anti-evasion
Indicators:
MD5:

E26064D87CF8265F5A1902573811B95D

SHA1:

D9E25E076E8A788FB6013FB4D75B02717AF91975

SHA256:

FDEBA96E94B5CF75212A1C20B5E84D0D5756E9298995D41306DB561B50256AE7

SSDEEP:

3:N8CHaF2QSq:2C6FAq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 8720)
      • reg.exe (PID: 8368)

    • Get Video Controller Information (POWERSHELL)

      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 3684)
      • Medal.exe (PID: 1116)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MedalSetup.NTg2NDUyNzQ2LDEsNTg2Mzc1MTk1.exe (PID: 8876)
      • Update.exe (PID: 8904)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 3684)
      • MedalEncoder.exe (PID: 7192)

    • Application launched itself

      • CCleaner64.exe (PID: 8576)
      • CCleaner64.exe (PID: 8644)
      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 1304)
      • Medal.exe (PID: 3684)

    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 8576)
      • CCleaner64.exe (PID: 8644)
      • Update.exe (PID: 8904)

    • Reads Internet Explorer settings

      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)

    • Searches for installed software

      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • CCleaner64.exe (PID: 5716)
      • Update.exe (PID: 8904)

    • Checks for external IP

      • CCleaner64.exe (PID: 8644)

    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 8720)

    • The process executes via Task Scheduler

      • CCleaner.exe (PID: 8984)

    • Possible stealing of VPN data

      • CCleaner64.exe (PID: 8720)

    • Potential Corporate Privacy Violation

      • CCleaner64.exe (PID: 8644)

    • Starts POWERSHELL.EXE for commands execution

      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 1116)
      • Medal.exe (PID: 3684)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1972)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 2160)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 8452)
      • cmd.exe (PID: 8124)
      • cmd.exe (PID: 8348)
      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 8948)
      • cmd.exe (PID: 8696)
      • cmd.exe (PID: 224)
      • cmd.exe (PID: 9084)

    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 1972)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 2160)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 8452)
      • cmd.exe (PID: 8124)
      • cmd.exe (PID: 8348)
      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 8948)
      • cmd.exe (PID: 8696)
      • cmd.exe (PID: 224)
      • cmd.exe (PID: 9084)

    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 1972)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 2160)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 8452)
      • cmd.exe (PID: 8124)
      • cmd.exe (PID: 8348)
      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 8948)
      • cmd.exe (PID: 8696)
      • cmd.exe (PID: 224)
      • cmd.exe (PID: 9084)

    • The process drops C-runtime libraries

      • Medal.exe (PID: 3684)

    • The process creates files with name similar to system file names

      • Medal.exe (PID: 3684)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 7188)

    • Checks supported languages

      • Update.exe (PID: 8904)
      • identity_helper.exe (PID: 5764)
      • MedalSetup.NTg2NDUyNzQ2LDEsNTg2Mzc1MTk1.exe (PID: 8876)
      • CCleaner64.exe (PID: 8576)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • CCleaner64.exe (PID: 9020)
      • CCleaner.exe (PID: 8984)
      • CCleaner64.exe (PID: 5716)
      • squirrel.exe (PID: 7452)
      • Medal.exe (PID: 8120)
      • Update.exe (PID: 6212)
      • Medal.exe (PID: 5484)
      • Medal.exe (PID: 4656)
      • Medal.exe (PID: 3168)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 8560)
      • Medal.exe (PID: 7836)
      • Medal.exe (PID: 416)
      • Medal.exe (PID: 8364)
      • Medal.exe (PID: 1304)
      • Medal.exe (PID: 3684)
      • Medal.exe (PID: 7784)
      • Medal.exe (PID: 8828)
      • Medal.exe (PID: 8400)
      • Medal.exe (PID: 4592)
      • Medal.exe (PID: 1116)
      • MedalEncoder.exe (PID: 7192)
      • crashpad_handler.exe (PID: 9104)

    • Reads the computer name

      • identity_helper.exe (PID: 5764)
      • Update.exe (PID: 8904)
      • CCleaner64.exe (PID: 8576)
      • CCleaner64.exe (PID: 8720)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 9020)
      • CCleaner64.exe (PID: 5716)
      • CCleaner.exe (PID: 8984)
      • squirrel.exe (PID: 7452)
      • Medal.exe (PID: 8120)
      • Update.exe (PID: 6212)
      • Medal.exe (PID: 3168)
      • Medal.exe (PID: 4656)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 416)
      • Medal.exe (PID: 7836)
      • Medal.exe (PID: 3684)
      • Medal.exe (PID: 7784)
      • Medal.exe (PID: 8400)
      • Medal.exe (PID: 1116)
      • MedalEncoder.exe (PID: 7192)

    • Reads Environment values

      • identity_helper.exe (PID: 5764)
      • CCleaner64.exe (PID: 8576)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 9020)
      • CCleaner64.exe (PID: 8720)
      • CCleaner64.exe (PID: 5716)
      • CCleaner.exe (PID: 8984)
      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Update.exe (PID: 8904)
      • Medal.exe (PID: 8364)
      • Medal.exe (PID: 3684)
      • Medal.exe (PID: 4592)
      • Medal.exe (PID: 1116)
      • MedalEncoder.exe (PID: 7192)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7188)

    • Creates files or folders in the user directory

      • MedalSetup.NTg2NDUyNzQ2LDEsNTg2Mzc1MTk1.exe (PID: 8876)
      • Update.exe (PID: 8904)
      • CCleaner64.exe (PID: 8644)
      • squirrel.exe (PID: 7452)
      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 5484)
      • Update.exe (PID: 6212)
      • Medal.exe (PID: 4656)
      • Medal.exe (PID: 8560)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 416)
      • Medal.exe (PID: 3684)
      • Medal.exe (PID: 8828)
      • Medal.exe (PID: 8400)
      • Medal.exe (PID: 1116)
      • MedalEncoder.exe (PID: 7192)
      • crashpad_handler.exe (PID: 9104)

    • Reads the machine GUID from the registry

      • Update.exe (PID: 8904)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • CCleaner64.exe (PID: 5716)
      • squirrel.exe (PID: 7452)
      • Update.exe (PID: 6212)
      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 3684)
      • MedalEncoder.exe (PID: 7192)

    • Manual execution by a user

      • CCleaner64.exe (PID: 8576)
      • CCleaner64.exe (PID: 9020)

    • The sample compiled with english language support

      • Update.exe (PID: 8904)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 3684)
      • MedalEncoder.exe (PID: 7192)

    • Create files in a temporary directory

      • Update.exe (PID: 8904)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 3684)

    • Reads security settings of Internet Explorer

      • CCleaner64.exe (PID: 8576)
      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • Update.exe (PID: 8904)
      • MedalEncoder.exe (PID: 7192)

    • Reads product name

      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 8364)
      • Medal.exe (PID: 4592)
      • Medal.exe (PID: 1116)
      • Medal.exe (PID: 3684)

    • Reads CPU info

      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • CCleaner64.exe (PID: 5716)
      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 3684)

    • Creates files in the program directory

      • CCleaner64.exe (PID: 8644)
      • CCleaner64.exe (PID: 8720)
      • MedalEncoder.exe (PID: 7192)

    • Launching a file from a Registry key

      • CCleaner64.exe (PID: 8720)
      • reg.exe (PID: 8368)

    • Detects AutoHotkey samples (YARA)

      • CCleaner64.exe (PID: 8720)

    • Search a value from a registry key

      • cmd.exe (PID: 1972)
      • reg.exe (PID: 7580)
      • cmd.exe (PID: 2340)
      • reg.exe (PID: 8608)
      • reg.exe (PID: 8620)
      • reg.exe (PID: 8632)
      • reg.exe (PID: 5008)
      • cmd.exe (PID: 7304)
      • cmd.exe (PID: 2160)
      • reg.exe (PID: 4300)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • Medal.exe (PID: 8120)
      • Medal.exe (PID: 8544)
      • Medal.exe (PID: 3684)

    • Disables trace logs

      • Update.exe (PID: 8904)
      • MedalEncoder.exe (PID: 7192)

    • Creates a software uninstall entry

      • Update.exe (PID: 8904)

    • The sample compiled with czech language support

      • Medal.exe (PID: 3684)

    • The sample compiled with german language support

      • Medal.exe (PID: 3684)

    • The sample compiled with french language support

      • Medal.exe (PID: 3684)

    • The sample compiled with Italian language support

      • Medal.exe (PID: 3684)

    • The sample compiled with spanish language support

      • Medal.exe (PID: 3684)

    • The sample compiled with japanese language support

      • Medal.exe (PID: 3684)

    • The sample compiled with korean language support

      • Medal.exe (PID: 3684)

    • The sample compiled with polish language support

      • Medal.exe (PID: 3684)

    • The sample compiled with portuguese language support

      • Medal.exe (PID: 3684)

    • The sample compiled with russian language support

      • Medal.exe (PID: 3684)

    • The sample compiled with turkish language support

      • Medal.exe (PID: 3684)

    • The sample compiled with chinese language support

      • Medal.exe (PID: 3684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
283
Monitored processes
135
Malicious processes
7
Suspicious processes
4

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs medalsetup.ntg2nduynzq2ldesntg2mzc1mtk1.exe update.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs ccleaner64.exe no specs ccleaner64.exe ccleaner64.exe ccleaner64.exe no specs ccleaner.exe no specs ccleaner64.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs squirrel.exe no specs medal.exe powershell.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs fsutil.exe no specs conhost.exe no specs medal.exe no specs update.exe no specs medal.exe no specs medal.exe medal.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs fsutil.exe no specs conhost.exe no specs medal.exe no specs fsutil.exe no specs conhost.exe no specs medal.exe no specs medal.exe reg.exe no specs conhost.exe no specs medal.exe no specs reg.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs medal.exe no specs medal.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs fsutil.exe no specs conhost.exe no specs medal.exe no specs fsutil.exe no specs conhost.exe no specs medal.exe no specs medal.exe reg.exe no specs conhost.exe no specs medal.exe no specs medal.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs where.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs medalencoder.exe conhost.exe no specs crashpad_handler.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
224C:\WINDOWS\system32\cmd.exe /d /s /c "mklink /h "C:\Users\admin\AppData\Local\Medal\swscale-8.dll" "C:\Users\admin\AppData\Local\Medal\recorder-2613.909.1\swscale-8.dll""C:\Windows\System32\cmd.exeMedal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
416"C:\Users\admin\AppData\Local\Medal\app-2613.29.1\Medal.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Medal" --standard-schemes=medal,medal-fs --secure-schemes=medal,medal-fs,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=medal-fs,sentry-ipc --streaming-schemes=medal-fs --field-trial-handle=2060,i,6349253021498604543,9133069934934720857,262144 --enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=HardwareMediaKeyHandling,LocalNetworkAccessChecks,MediaSessionService,NetworkServiceSandbox,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2328 /prefetch:3C:\Users\admin\AppData\Local\Medal\app-2613.29.1\Medal.exe
Medal.exe
User:
admin
Company:
Medal B.V.
Integrity Level:
MEDIUM
Description:
Medal
Exit code:
0
Version:
2613.29.1
Modules
Images
c:\users\admin\appdata\local\medal\app-2613.29.1\medal.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
420\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1116"C:\Users\admin\AppData\Local\Medal\app-2613.29.1\Medal.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Medal" --standard-schemes=medal,medal-fs --secure-schemes=medal,medal-fs,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=medal-fs,sentry-ipc --streaming-schemes=medal-fs --app-user-model-id=com.squirrel.medal.medal --app-path="C:\Users\admin\AppData\Local\Medal\app-2613.29.1\resources\app" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --force-color-profile=srgb --js-flags=--max-old-space-size=8192 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2052,i,12220610573245812206,12920192137038199135,262144 --enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EnableTransparentHwndEnlargement,PdfUseShowSaveFilePicker --disable-features=HardwareMediaKeyHandling,LocalNetworkAccessChecks,MediaSessionService,NetworkServiceSandbox,ScreenAIOCREnabled,SpareRendererForSitePerProcess,TraceSiteInstanceGetProcessCreation --variations-seed-version --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3824 --renderer_name=main --app-path="C:\Users\admin\AppData\Local\Medal\app-2613.29.1\resources\app" --user-data-path="C:\Users\admin\AppData\Roaming\Medal" /prefetch:1C:\Users\admin\AppData\Local\Medal\app-2613.29.1\Medal.exe
Medal.exe
User:
admin
Company:
Medal B.V.
Integrity Level:
MEDIUM
Description:
Medal
Version:
2613.29.1
Modules
Images
c:\users\admin\appdata\local\medal\app-2613.29.1\medal.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
1304"C:\Users\admin\AppData\Local\Medal\app-2613.29.1\Medal.exe" --type=relauncher --no-sandbox --- "C:\Users\admin\AppData\Local\Medal\app-2613.29.1\Medal.exe" --squirrel-firstrunC:\Users\admin\AppData\Local\Medal\app-2613.29.1\Medal.exeMedal.exe
User:
admin
Company:
Medal B.V.
Integrity Level:
MEDIUM
Description:
Medal
Exit code:
0
Version:
2613.29.1
Modules
Images
c:\users\admin\appdata\local\medal\app-2613.29.1\medal.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
1868C:\WINDOWS\system32\cmd.exe /d /s /c "mklink /h "C:\Users\admin\AppData\Local\Medal\ffmpeg7.exe" "C:\Users\admin\AppData\Local\Medal\recorder-2613.909.1\ffmpeg7.exe""C:\Windows\System32\cmd.exeMedal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1972C:\WINDOWS\system32\cmd.exe /d /s /c "reg query HKLM\Software\Microsoft\Cryptography /v MachineGuid"C:\Windows\System32\cmd.exeMedal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1972\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2032"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3616,i,13472807801941919794,6688434609275115271,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
59 556
Read events
59 292
Write events
153
Delete events
111

Modification events

(PID) Process:(8644) CCleaner64.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:writeName:SystemRestorePointCreationFrequency
Value:
0
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:CCleaner PostInstall
Value:
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:writeName:FTU
Value:
06/02/2024|3|1
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:delete valueName:GUID
Value:
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:delete valueName:GD
Value:
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:delete valueName:SetupGD
Value:
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:writeName:DAST
Value:
03/25/2026 15:40:32
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:writeName:T8062
Value:
0
(PID) Process:(8644) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:writeName:UpdateBackground
Value:
1
(PID) Process:(8720) CCleaner64.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:CCleaner Smart Cleaning
Value:
"C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Executable files
350
Suspicious files
489
Text files
5 338
Unknown types
5

Dropped files

PID
Process
Filename
Type
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdfb58.TMP
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFdfb68.TMP
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdfb68.TMP
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFdfb68.TMP
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFdfb77.TMP
MD5:
SHA256:
7188msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
502
TCP/UDP connections
273
DNS requests
327
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5760
msedge.exe
GET
200
150.171.28.11:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
text
314 b
whitelisted
5760
msedge.exe
GET
200
150.171.22.17:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1766135237&lafgdate=0
unknown
text
4.59 Kb
whitelisted
5760
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:bJRmG6O8asrNEprJ97imQPrxp-RwNs528jNpAl7P8aE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
5760
msedge.exe
GET
200
104.18.22.222:443
https://copilot.microsoft.com/c/api/user/eligibility
unknown
text
25 b
whitelisted
5760
msedge.exe
GET
200
104.16.207.165:443
https://medal.tv/download?ref=586375195
unknown
html
131 Kb
unknown
5760
msedge.exe
GET
200
150.171.109.193:443
https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US
unknown
binary
82 b
whitelisted
5760
msedge.exe
GET
200
104.16.207.165:443
https://medal.tv/_next/static/chunks/6e32da0c3f0e9a72.css
unknown
text
3.08 Kb
unknown
5760
msedge.exe
GET
200
104.16.207.165:443
https://medal.tv/_next/static/chunks/43d32ac6c128bc26.css
unknown
text
200 Kb
unknown
5760
msedge.exe
GET
200
104.16.207.165:443
https://medal.tv/_next/static/media/83afe278b6a6bb3c-s.p.3a6ba036.woff2
unknown
binary
47.3 Kb
unknown
5760
msedge.exe
GET
200
104.16.207.165:443
https://medal.tv/_next/static/media/d3f3f01dfc015e12-s.p.efb60e83.woff2
unknown
binary
17.3 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4044
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
128.24.231.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5532
SearchApp.exe
2.16.204.158:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
5532
SearchApp.exe
23.11.41.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
5760
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
5760
msedge.exe
150.171.22.17:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5760
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.64
whitelisted
www.bing.com
  • 2.16.204.158
  • 2.16.204.151
  • 2.16.204.161
  • 2.16.204.160
  • 2.16.204.152
  • 2.16.204.157
  • 2.16.204.134
  • 2.16.204.148
  • 2.16.204.139
whitelisted
google.com
  • 216.58.206.78
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
medal.tv
  • 104.16.207.165
  • 104.18.80.168
whitelisted
api.edgeoffer.microsoft.com
  • 150.171.109.193
whitelisted
copilot.microsoft.com
  • 104.18.22.222
  • 104.18.23.222
whitelisted

Threats

PID
Process
Class
Message
5760
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
5760
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
4044
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5760
msedge.exe
Misc activity
ET INFO EXE - Served Attached HTTP
5760
msedge.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2232
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
8644
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
5760
msedge.exe
Misc activity
SUSPICIOUS [ANY.RUN] JavaScript Obfuscation (ParseInt)
8644
CCleaner64.exe
Potential Corporate Privacy Violation
ET INFO External IP Lookup (avast .com)
Process
Message
CCleaner64.exe
[2026-03-25 19:40:32.917] [error ] [settings ] [ 8644: 8652] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe
[2026-03-25 19:40:32.918] [error ] [ini_access ] [ 8644: 8652] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe
Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe
OnLanguage - en
CCleaner64.exe
[2026-03-25 19:40:33.352] [error ] [settings ] [ 8644: 680] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe
[2026-03-25 19:40:33.363] [error ] [Burger ] [ 8644: 680] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe
[2026-03-25 19:40:33.363] [error ] [Burger ] [ 8644: 680] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe
file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe
file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe
OnLanguage - en
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://medal.tv/download?ref=586375195