Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:13
General
-
Target
855deb7775f714f1fc46d29fea8008d7.exe
-
Size
1.6MB
-
MD5
855deb7775f714f1fc46d29fea8008d7
-
SHA1
421d56096458fc456190f7c8d13fa3435c051264
-
SHA256
795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf
-
SHA512
7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99
-
SSDEEP
24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe"C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\855deb7775f714f1fc46d29fea8008d7.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\upfc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkprmv8rHi.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Default\Desktop\fontdrvhost.exe"C:\Users\Default\Desktop\fontdrvhost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\815a817d-49d1-4872-8897-a36309c4aeb7.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e36f90d2-9a2d-4cb2-8c16-47bc1af7f855.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcc2f8b2-745d-43ae-ac7d-6cb790fc5bd3.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efedd493-badd-496f-897a-ad33805c049b.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4dd45fb-76c3-4e1e-84aa-0d49cb1692c0.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee8e13d9-871d-4256-8656-4d4e468c9b62.vbs"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d546cc7-7bf3-490e-9504-43a84b4386ca.vbs"16⤵
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1b879b-78dc-4eca-90a5-6303fb3443dc.vbs"18⤵
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d818eeca-b70e-429e-af7f-b9e7e899014b.vbs"20⤵
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f2fe046-c80f-4076-8e57-26552bed0fee.vbs"22⤵
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0921e08-facb-437c-86e9-4599f3d1d464.vbs"24⤵
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73f49a77-53e2-45d5-854d-11d2c321ddd5.vbs"26⤵
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d76e90-06e4-4d75-a167-d2719bd2f8ef.vbs"28⤵
-
C:\Users\Default\Desktop\fontdrvhost.exeC:\Users\Default\Desktop\fontdrvhost.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\032cd22e-470b-4865-9fa3-24639e958baf.vbs"30⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dedd763-5f08-4a8e-ac48-0f2cf9e538ed.vbs"30⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d7ae496-6c20-41e4-b3ad-de8c3e56fbdb.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a906ba29-5220-4b4b-8791-347cbaf630c5.vbs"26⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6533c22a-7b20-446b-96cf-7d2e8f2484aa.vbs"24⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1f61116-e26f-4a3f-ab7b-a16c7c71dea1.vbs"22⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2a44ae-8f22-4a76-972e-6abd51ae2aeb.vbs"20⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa4af9fe-4f1e-42b3-b869-0e41a57e3c2c.vbs"18⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\742489c8-fa75-4c67-a9af-f9d08e157d08.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13dfb60d-4218-4995-82d0-56144e05f4ed.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f80ae050-273a-44ab-9073-fab4bee4f263.vbs"12⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6ff8f09-0b3c-4d12-8885-99bbbeb0a966.vbs"10⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d4343e5-1f73-4711-b15a-1a2e64f9dee0.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3b6d25e-fe67-407d-b58b-9f433d0e4acd.vbs"6⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa003a3c-caa0-4f40-94c2-c99caac5ed6f.vbs"4⤵
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "855deb7775f714f1fc46d29fea8008d78" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\855deb7775f714f1fc46d29fea8008d7.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "855deb7775f714f1fc46d29fea8008d7" /sc ONLOGON /tr "'C:\Users\All Users\855deb7775f714f1fc46d29fea8008d7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "855deb7775f714f1fc46d29fea8008d78" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\855deb7775f714f1fc46d29fea8008d7.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5855deb7775f714f1fc46d29fea8008d7
SHA1421d56096458fc456190f7c8d13fa3435c051264
SHA256795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf
SHA5127fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99
-
Filesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5f68785608a60c0961b2926f9c4d4ff87
SHA1e90357d9a679b851acf30e5e7aa6f76f2e6d3bb4
SHA256edeed8daa6363551c6ffe770dc95fc9a767da6a020004c61c8e3d81eccb9d673
SHA512fa369a235b3d4375e7856e39f42b17fb118fadb0b48fbe71074fa47354d0713662b950142ab5083c01cc850f79bbb0abe154eefe0e754b9b76e8d3b330daf652
-
Filesize
944B
MD55f3d606f9a5f1201bfc1f01c54e842c4
SHA1f1917e50b557b135953ecbe63e1fc1e675b541f1
SHA256dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a
SHA512d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38
-
Filesize
944B
MD516e669660431a76b6985bae6a3e0ca0f
SHA155aead2478e085cc4fa52035dc6d3e9ceb856485
SHA256df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2
SHA512ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a
-
Filesize
944B
MD55e4343881dc5fcb6305d29ef34a5ce28
SHA1823b588ad6905d682cc3b7ac7bf7184d71da3d45
SHA25627e82cc6e13b0db3a8b74798dffe21837cd4ef1f519519227bbd41ef05f428ac
SHA5127a8c265e8dc6b4ad85132c4182270322023b4d59c97b466b5cce24402426c32fe14500343938c069cb17f985c73ef00f06187669d5b0c2050839a4cf6eb91762
-
Filesize
944B
MD544ae12563d9f97ac1136baee629673df
SHA138790549497302c43bd3ff6c5225e8c7054829e2
SHA256b09202e29f036511a075523ebcaecef0a43ceeb4f2c8029e5c7931a8e2e72beb
SHA51207cf8ed791245485aae4ee05cd6b77eb0a36c8a839da6eae1554dc0487559c270241733ae8ed184c8d38a956452a2255169a3adeb40a0da1d9e2e487864a35e7
-
Filesize
716B
MD586fdf4c0e99c92c2e08eee754fddd88e
SHA131dec0c15c06e2b5fa867dc543212ea0acfbbbab
SHA256cc28d18c51e43573257dc294a728a16f40f7379c213cdf3f3f2d87ce95a9665a
SHA5122993979b90e9d31e9d2e263acf46e64fad30e8736f08462de6640e041b1c0e514354fe7e5dbb47b183a8347d23ceda745f44759de22774a53db2f689aea4e99d
-
Filesize
716B
MD5b6d7f47d945814814bb195ff2119ebd6
SHA12a49c74a586a98c4c6ded77ae7a55f81436cd382
SHA2563d55fbfeed0b18c1f3b3e6c1741f652aad560e1da5ccebe3823f9218c805ea8b
SHA512cd91af24de77bdaa02849e56d6eb5f03c6a986ba4e9c0a4b0343fab8e8ac4d69b074bb773ba98f76b05210abee2b38888c8f23e0cd4fa577622d3a58929b0bea
-
Filesize
716B
MD54b02fb08ea543bbe1825e6366d62e98b
SHA107037107efbe48bf37d8fc8ba36b2e6e7d1c13db
SHA2566b83a77008573c79314be1a9c420c0e5c6236318fb825c0afb92cc40cec7c89d
SHA51288d62c9c413b1bc0a58f8341e387341ccbf8413f04014a7cb0255af6c457d8119ad2f14e4e34f1ccae2c08519fc9307b339d21905b11dcd82131f3a5b5109c36
-
Filesize
716B
MD582f31fcf14f4ee65c342addabc392289
SHA1185d93ec2480306176676124b17becd9fec8e0e3
SHA25651632c903bf9028877cfc5e69ce0197215973f03ed771cc3f65d191466eba45a
SHA51224e69add943ee1f248ebe79fc66ffe26213599904edae73023ba1219208588d25097a3734903b4179cd170e1e0702c716a60b0ddbc773cdfd1c9f936fc9c7513
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
716B
MD51a957fcdbda67e2cfe2e3834fe121302
SHA11972b8fc0cd2b7ed63b0456f513b83ecde8e1eac
SHA256a8dc0a8641a64e29b545581e81d9af820b74f9617e19c3480bb3612dbff8156f
SHA512178fbe968de214c51a968b9cb224d30a07f2f55674ad5a919a50ad882e26b150fd8c4aa4a4fde383b240f9f45f92bfd5a8f7031b320e52481c62b5a8552a2f76
-
Filesize
716B
MD5dd9847cae438f542ac1c547b238ef6b7
SHA187f06868b136bc25ea4618fac5e7071ed587a1d7
SHA2566e72697ad8c98c6e0675edc50a7ee053c4f6317d176d63bbfd0ff7e461d0a24c
SHA5122599bffd2b6cc472088577d2870b8d2ea0359784c04b9667b8397afd70b0be5dac72cda405a93b84f94a21ac6357805ad873efe1a8f1e15d9904d5944b618317
-
Filesize
716B
MD512cdfeba4544b1f2fe61ef2d1d0ecbc2
SHA112550d0165535422cd921041ecc95b0ed84412e5
SHA256e425a5b6543ca716fa55a6894065d21f9c38a37c6b5df4c1ea24022f96f4d934
SHA512f349ebf48dafee418bcb4b8759f946cdcfb8725b9ca01cc3deb82dd661e426f81953b80f8e9b7f80318b77b67433c35066e9bb5ec1e76b3d479109b79263309e
-
Filesize
716B
MD5cc37c42c4a2a94badae6631d1012c450
SHA12c93f0aabc4f7a07c1affba5df6a469ebe917a9f
SHA256442415ce8489906fee94eca1b1c013069fab886255cf21a9bd950e289d1637d0
SHA5128828dfb32c81d7fc16255055a512ef5e38441b8693543cadd7d0f86c7ce7e3f8836456a93fb8b0302de1d020d9fe6ebd031eb6971a9c55984f959355cc5c8f1e
-
Filesize
716B
MD5728eb736821cd41eb9b96c479fe6ac3f
SHA1c6a925fabf23be903316fdf045cfb3a422eef3b2
SHA256159a52a0459a8fbca918be8749a34c63052120e893b59697f35e21f235ac37eb
SHA51229cfaaa5dd6d504cff5cf89cd101503dc1606929e25005af82fe03a048b4b9dc5511482e80ffcf3e74267857fbfef7885f29d8dff42293a78181ee464c7c9e8f
-
Filesize
716B
MD5a649abfbe6e3a0407ee2575cddda39a4
SHA1497465ecd9da0b94a5df0a1cd5576a658cbdf5f7
SHA256233cff386f558e24ef434785344755c82a991f1fe3b263771425600e087b93ef
SHA512f2193122a3a875f0785c9caa6a888de56c8ff9bb3fe712509b74e56531c2b391f3c1484098e927718a6fd6d9b7afe24eeacdad8a3d59175b01a5e87ffcc2b565
-
Filesize
716B
MD58e863dbc1867d5ccd98e59f8ec39e1b1
SHA17d6c75aad2fdcbda8481824776cec440b9b1a865
SHA256059c83469be6a210eb5117c2215759f76a8b4dbb0521e05b53a734f36af6a4ba
SHA51226c140882e0c2a37bb291a60527e00bbf2422933d8d4981709760a3e83a2f76b8ab4c952430c9cb45ef7f3ddd89ddd271d6ddf34ae14558d15c9935099fa558a
-
Filesize
492B
MD557a102d2478dd2822f6d8aabc5c10ca2
SHA1a8dcf181ba3cab2de12ce04252434748ce9d2c01
SHA25668fc5c2dcdf63f3b90406cf979e7d903a64ccc57d8a20d29f71807e9bb62034f
SHA512c3073fd78f92acf7742d80e02ac56210f71d4f1b532c3eb94083d30633f5e1c4a1b0340ea5d7ab92bcd0b9f8a206e1d0218d626fa9db0332efb94c6c7157cd74
-
Filesize
716B
MD5f08ae32b95916d2247d4baea2ca01b5a
SHA11a2c032125851447b42c1b8696327c8bd2009f8a
SHA256e671d658407994cf773c6ac633288839ea6befa5de48320576dc58761fce11d0
SHA51267adfa0af1c96b5a65f2a64e54818a7cad089bd61347218ac125954da2bd74a02217bc903c79e6876ead20dbd580bae3fff63932d36c50e99eeaae49120cecf4
-
Filesize
205B
MD53906362237fa1d0f69bc1f4c7918ffc3
SHA11b3b4067244386a0cff6431fbf69b3fb750f94e4
SHA256ef59aa378264a67fffc1632df75e228e28edac5e53f3bcc2265c3573b8f73e02
SHA5129b5a96f4cdfc972811b1bf71522df3abc7ff508a03aaaa4081f32c7863e6716faa7f10db896aa49e9ee7fb4485d5a5cfc69a109c7002ef934703a0dff00f636b
-
Filesize
1.6MB
MD50f3efb676c083735b72a654e95286dce
SHA1177934198889a3e1051d562cebb62a35f9877686
SHA256a6713fe5033d79dfda5675c23c352d00f6a6932a38e748b9f14c415972ac5709
SHA512f7cf47ab4b3cd21610dd0e54ba4a5d22eb55d970fa069b1f544633afeaf9e03ce62215aecb57ae6832e850df26373a6a86553b2c78845613c70045e6022e71a1
-
Filesize
1.6MB
MD592b180b45418d73dc67a76620eb3cd4e
SHA10ef0f216737367b53ea77e91e0827f63f10478d8
SHA2568c20fa8d6a449a1acd5bfa833d5bbd63ec5e6c6895c71a8010debc12f8550aa9
SHA5129ad7846b3f163e7fabc1c390cdc411a7a0eb9b3f0b996b0921ce57178f2702f029fe11b0b6b0be691fe0fc49d09eea51be8653c88b8f826ea2ce185388e1be4f
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.6MB