Malware Analysis Report

2024-10-23 17:14

Sample ID 240110-rer5bsgggn
Target 50c296575066f87cac60995fc36f2283
SHA256 e29a9d4153912e41bbd5afc00aa90e7612107708fe59ac05c1d9e8b184a254c5
Tags
cryptbot discovery persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e29a9d4153912e41bbd5afc00aa90e7612107708fe59ac05c1d9e8b184a254c5

Threat Level: Known bad

The file 50c296575066f87cac60995fc36f2283 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery persistence spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-10 14:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-10 14:06

Reported

2024-01-10 14:10

Platform

win7-20231215-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2700 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2700 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2700 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2700 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2700 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2700 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2700 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2700 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2700 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2700 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2700 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2944 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2944 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2944 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2944 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe

"C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c tiXdycNz

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Strette.xlsx

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^laMWhvksTZufNgRLOGoYXOkgswRMErhJdMoiGZuHMPnSqspgtJOeDtecibFkFmNPLvZwyJyOABkidagZRCHUglujJMqpxUejwIiDaopcEZCeSUyOpGzeSTBAdMsaIWxFnYuIkKGJzkdgIrzPHjqOA$" Divina.xlsx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

Paragone.exe.com X

C:\Windows\SysWOW64\choice.exe

choice /C YN /D Y /t 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com X

Network

Country Destination Domain Proto
US 8.8.8.8:53 ZKJGCjSjzCLvWGtmEXB.ZKJGCjSjzCLvWGtmEXB udp
US 8.8.8.8:53 ewavmp35.top udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Strette.xlsx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Divina.xlsx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vissuto.xlsx

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Confronto.xlsx

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\_Files\_Files\InitializeConvertTo.txt

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\TuIOF4VtheSq\gFjnbOEeXoLJ.zip

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-10 14:06

Reported

2024-01-10 14:09

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2536 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2536 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2536 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2536 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2536 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2536 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2460 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2460 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
PID 2460 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe

"C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c tiXdycNz

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Strette.xlsx

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^laMWhvksTZufNgRLOGoYXOkgswRMErhJdMoiGZuHMPnSqspgtJOeDtecibFkFmNPLvZwyJyOABkidagZRCHUglujJMqpxUejwIiDaopcEZCeSUyOpGzeSTBAdMsaIWxFnYuIkKGJzkdgIrzPHjqOA$" Divina.xlsx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

Paragone.exe.com X

C:\Windows\SysWOW64\choice.exe

choice /C YN /D Y /t 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com X

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Strette.xlsx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Divina.xlsx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vissuto.xlsx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Confronto.xlsx

C:\Users\Admin\AppData\Local\Temp\sZcK7ifh\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\sZcK7ifh\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\sZcK7ifh\_Files\_Information.txt

C:\Users\Admin\AppData\Local\Temp\sZcK7ifh\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\sZcK7ifh\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\sZcK7ifh\fa3sqrq8Zztbt.zip
