Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 09:07

General

  • Target

    b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    b6c83df257a00210c12b42d28a5df730

  • SHA1

    67a993a3c4547e8442f767575dafdbfe018ec0e4

  • SHA256

    8fdd38ee81442567732265fa944a19a51a26ec1254e8d2a54e41d254a52a35d6

  • SHA512

    1c0bdbae29e9761260b3f9284d41be1b63c921399e7e1822c5c725d9811bea555b64fd311ab8e86634b36fdfa381e686fe087b480de9cf958a4f944556f5f60c

  • SSDEEP

    49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process (30 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 21 IoCs)
  • DCRat payload (6 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (6 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 14 IoCs)
  • Drops file in Program Files directory (20 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 30 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 21 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVarqRTQ45.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2508
        • C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
          "C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1012
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b0421b-1aa8-4c6c-8adc-57522200d294.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1848
            • C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
              "C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2968
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31f6a87d-1896-4471-93fa-f47f584bed63.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1812
                • C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
                  "C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1988
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79fbe3e9-56e5-45ac-b2e3-6bca4d45cff6.vbs"
                    8⤵
                      PID:1608
                      • C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
                        "C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2488
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f877131-0027-4967-a8cf-2ffa3e904e5e.vbs"
                          10⤵
                            PID:484
                            • C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
                              "C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:2792
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e84f8ea0-bcfc-420a-8ed1-d2bcd045a5b9.vbs"
                                12⤵
                                  PID:912
                                  • C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
                                    "C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2564
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aa08017-455a-48f9-b645-2870aa3e95e9.vbs"
                                      14⤵
                                        PID:292
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b7bd833-3897-412e-b601-45bda62f7bb0.vbs"
                                        14⤵
                                          PID:2632
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3119429-7f84-4723-a0d1-472412eabcd4.vbs"
                                      12⤵
                                        PID:1864
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b53184b2-7422-4245-934b-96e353e0e4bd.vbs"
                                    10⤵
                                      PID:2748
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\096f9734-7ec3-4806-ae02-a4ab743584e9.vbs"
                                  8⤵
                                    PID:1488
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57b04c4d-e206-4b97-9ae0-eec4520ac19b.vbs"
                                6⤵
                                  PID:2264
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f91d1f7-c2ed-485e-b20d-a034420d14fb.vbs"
                              4⤵
                                PID:1116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "b6c83df257a00210c12b42d28a5df730_NeikiAnalyticsb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "b6c83df257a00210c12b42d28a5df730_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "b6c83df257a00210c12b42d28a5df730_NeikiAnalyticsb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\Office14\1033\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
    Filesize
    3.2MB
    MD5
    b83d495524afaba4069f73827665617a
    SHA1
    54d24f9f7b3c71c43e0e27d348b09dff8be072da
    SHA256
    73f641a0c43a965879117f540d6a3de0f83be85b833445954ec2aca042ca841e
    SHA512
    9c02a9c829d55488de2ac93457f74d4ce3e43c15eda78fe2c28da2ce2a16ce84f195919661f7c1e12a1bb87b88621c281d15858d0ff44ee80e7593ae8f57661e

  • C:\Program Files\Windows Journal\it-IT\dllhost.exe
    Filesize
    3.2MB
    MD5
    b6c83df257a00210c12b42d28a5df730
    SHA1
    67a993a3c4547e8442f767575dafdbfe018ec0e4
    SHA256
    8fdd38ee81442567732265fa944a19a51a26ec1254e8d2a54e41d254a52a35d6
    SHA512
    1c0bdbae29e9761260b3f9284d41be1b63c921399e7e1822c5c725d9811bea555b64fd311ab8e86634b36fdfa381e686fe087b480de9cf958a4f944556f5f60c

  • C:\Users\Admin\AppData\Local\Temp\0f877131-0027-4967-a8cf-2ffa3e904e5e.vbs
    Filesize
    724B
    MD5
    a8bc338bc86b292749cadc8b10d79d38
    SHA1
    da91c6b7fa4c6ad89eb2164a959c64e56d928a51
    SHA256
    8c4a43ede643ea4264b444827188862feff6c37c9b2278c5b7b3506e557c38e1
    SHA512
    8b44fc5fe565b629d727265400167d471b2413f45207431bc2e378f88b0cfc551b0291d4b18f5948e4c9bbb2feb70f933376ca9c7fc7354f0812b63fb50f116b

  • C:\Users\Admin\AppData\Local\Temp\0f91d1f7-c2ed-485e-b20d-a034420d14fb.vbs
    Filesize
    500B
    MD5
    5943e0752bc50c519b3b688358524b72
    SHA1
    70dd2ebc0df1d96f8ff0250eab820f86b0ec2ed6
    SHA256
    29ef4a72fb827b67a165c0d7830a708d3ff8a573967707845be7abc9f92ca89f
    SHA512
    8e1b089ffb1dd357cc2a3abd1402b77e869b64a022724d05bcf03c95591a096466613cc14304aaa54554a762f50acb0f79cc0b9a15d860a52958604fccdc8c84

  • C:\Users\Admin\AppData\Local\Temp\31f6a87d-1896-4471-93fa-f47f584bed63.vbs
    Filesize
    724B
    MD5
    19549353c9a833b678423ee7de9cad78
    SHA1
    75b7032352435c26c7c79e749265e84f9d784a89
    SHA256
    16b10abc03fe7ed46efd26fbe1c6dd967bd4fa763126d1855db6395d7b34b0f8
    SHA512
    107eea5964c94bcb819e3a971d946a66890fbd219b8d9ee0ecaea2fbfe240da2fce142fef678907b705ccd19ec6e90e7002a2953758a83d18916a3d57654f376

  • C:\Users\Admin\AppData\Local\Temp\5aa08017-455a-48f9-b645-2870aa3e95e9.vbs
    Filesize
    724B
    MD5
    64a44442f0f8a083a0d7e3ea794822da
    SHA1
    ae9e769d8002262b256281f9b6c716f7a2c5729b
    SHA256
    7170e0136ed1aa35d22ffe77c35660296aaa2512b4fc1351e54b7cf5672f36c9
    SHA512
    58c45fab83457bac52f5ad9d560272cb38cd373359774281ca20d152e195b1daf91a92a2a0bc868771113ae69054b7fca62bfd47465fd20d71e9ffe872c6e868

  • C:\Users\Admin\AppData\Local\Temp\79fbe3e9-56e5-45ac-b2e3-6bca4d45cff6.vbs
    Filesize
    724B
    MD5
    298d08eea689b2a37ef703be94ee1d02
    SHA1
    e515245dad0a2ad545b7ddc6d1bc9ecc64aeed8d
    SHA256
    5b45a00ba13b28fc9567bc196a8d488e9c70daf65ebc430611f8cd9b029723f5
    SHA512
    6163574d605620dab82ca60de332c68f8753bd342bd7e0c14d7616011642ae7b2b347f8a8146497bc038f707bf14f6e4b9e7a77c68f28ae6e692ff2f7bbbe130

  • C:\Users\Admin\AppData\Local\Temp\OVarqRTQ45.bat
    Filesize
    213B
    MD5
    ac39b30155fb4d45eef50be7767db55b
    SHA1
    ccae52105587fd046c301996feed2bbb3a845514
    SHA256
    f0e9a174abffaf359b15bfcbf3366cb975f8acb810b3048bb81d141956a3bafe
    SHA512
    2bacf846c7c49df72d511e3a403cbb2c046886be3e1b37f10a26dbbe2123be782fd9df7b5cf8ea128778c5d308f2352f12c4aca5be5cb6c91efc9d4f2f205fbc

  • C:\Users\Admin\AppData\Local\Temp\e84f8ea0-bcfc-420a-8ed1-d2bcd045a5b9.vbs
    Filesize
    724B
    MD5
    4f4f0158c5abfc99f5362d9976feeeb5
    SHA1
    27e6b267e6e8402b3d5e3d4e883c5c691e6de765
    SHA256
    8924b1df4d8f1bd0f49b55840a505a4a5c0cff95e1d733e0aa86d2a5a3cab9ed
    SHA512
    ecf370ddd1e7ffede84ce5a38b084c1526c745d3eaa314c9e1df889b869ab90f3cfda62edd16e729e3cb14e3b17bdc392b15a9b44bfb6252580b6a8ca1d875d1

  • C:\Users\Admin\AppData\Local\Temp\f4b0421b-1aa8-4c6c-8adc-57522200d294.vbs
    Filesize
    724B
    MD5
    b5291912c0fc36a867cc1d7d47ca0dff
    SHA1
    45fa4547b6e5f5b96cdfb46be0d135016d5c94a7
    SHA256
    400c361aec0b81dc2f844d0171f596d6f21bf008776055eaaec24d0ac278902e
    SHA512
    c5064816c424db5e9e13e0dc98461ee13c1c61530bc5c28b9a5abc9aa14458181ac0d3d50f1f6e4b498cf2325cd6304c2560f1f23372777e675d6920d7c85a18

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    ab216a272380859af03c080eebca5599
    SHA1
    650d55ddb2a50b58ec030483b75211b1305f8210
    SHA256
    affd99b1069177f1b4021f40e2b6de39e7ef1ecda16f397ff4e5a04c36c817fd
    SHA512
    632636b5ca538b4155d4eb40d60c9ae48d3ce98f8c4462e85a20059ebbb4d303ca3836a56af0da0ea39ab5882265d250a6b0cfd31665e3ae857e122945a5ca67

  • memory/1012-244-0x00000000012F0000-0x000000000162C000-memory.dmp
    Filesize
    3.2MB

  • memory/1012-245-0x0000000000BC0000-0x0000000000C16000-memory.dmp
    Filesize
    344KB

  • memory/1600-191-0x0000000001F80000-0x0000000001F88000-memory.dmp
    Filesize
    32KB

  • memory/1700-13-0x0000000000C80000-0x0000000000CD6000-memory.dmp
    Filesize
    344KB

  • memory/1700-14-0x0000000000D50000-0x0000000000D5C000-memory.dmp
    Filesize
    48KB

  • memory/1700-16-0x0000000000E70000-0x0000000000E7C000-memory.dmp
    Filesize
    48KB

  • memory/1700-17-0x0000000000E80000-0x0000000000E88000-memory.dmp
    Filesize
    32KB

  • memory/1700-18-0x0000000000E90000-0x0000000000EA2000-memory.dmp
    Filesize
    72KB

  • memory/1700-19-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

                          Filesize

                          48KB

                        • memory/1700-20-0x0000000000F50000-0x0000000000F5C000-memory.dmp

                          Filesize

                          48KB

                        • memory/1700-21-0x0000000000F60000-0x0000000000F6C000-memory.dmp

                          Filesize

                          48KB

                        • memory/1700-22-0x0000000000F70000-0x0000000000F7C000-memory.dmp

                          Filesize

                          48KB

                        • memory/1700-23-0x0000000000F90000-0x0000000000F98000-memory.dmp

                          Filesize

                          32KB

                        • memory/1700-25-0x0000000000F80000-0x0000000000F8E000-memory.dmp

                          Filesize

                          56KB

                        • memory/1700-24-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

                          Filesize

                          40KB

                        • memory/1700-26-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

                          Filesize

                          32KB

                        • memory/1700-27-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

                          Filesize

                          56KB

                        • memory/1700-28-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

                          Filesize

                          48KB

                        • memory/1700-29-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

                          Filesize

                          32KB

                        • memory/1700-30-0x00000000011D0000-0x00000000011DA000-memory.dmp

                          Filesize

                          40KB

                        • memory/1700-31-0x00000000011E0000-0x00000000011EC000-memory.dmp

                          Filesize

                          48KB

                        • memory/1700-34-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

                          Filesize

                          9.9MB

                        • memory/1700-15-0x0000000000E60000-0x0000000000E68000-memory.dmp

                          Filesize

                          32KB

                        • memory/1700-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

                          Filesize

                          4KB

                        • memory/1700-179-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

                          Filesize

                          9.9MB

                        • memory/1700-12-0x0000000000C70000-0x0000000000C7A000-memory.dmp

                          Filesize

                          40KB

                        • memory/1700-11-0x0000000000C60000-0x0000000000C70000-memory.dmp

                          Filesize

                          64KB

                        • memory/1700-1-0x0000000001220000-0x000000000155C000-memory.dmp

                          Filesize

                          3.2MB

                        • memory/1700-9-0x0000000000C40000-0x0000000000C56000-memory.dmp

                          Filesize

                          88KB

                        • memory/1700-10-0x00000000006F0000-0x00000000006F8000-memory.dmp

                          Filesize

                          32KB

                        • memory/1700-8-0x00000000006E0000-0x00000000006F0000-memory.dmp

                          Filesize

                          64KB

                        • memory/1700-7-0x0000000000690000-0x0000000000698000-memory.dmp

                          Filesize

                          32KB

                        • memory/1700-6-0x0000000000670000-0x000000000068C000-memory.dmp

                          Filesize

                          112KB

                        • memory/1700-5-0x0000000000660000-0x0000000000668000-memory.dmp

                          Filesize

                          32KB

                        • memory/1700-4-0x00000000004D0000-0x00000000004DE000-memory.dmp

                          Filesize

                          56KB

                        • memory/1700-3-0x0000000000440000-0x000000000044E000-memory.dmp

                          Filesize

                          56KB

                        • memory/1700-2-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

                          Filesize

                          9.9MB

                        • memory/2124-190-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/2564-302-0x0000000000350000-0x000000000068C000-memory.dmp

                          Filesize

                          3.2MB

                        • memory/2792-290-0x0000000002340000-0x0000000002352000-memory.dmp

                          Filesize

                          72KB

                        • memory/2792-289-0x0000000000390000-0x00000000006CC000-memory.dmp

                          Filesize

                          3.2MB