Malware Analysis Report

2024-12-07 15:15

Sample ID 241113-z3ccsazbrj
Target 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7
SHA256 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7
Tags
discovery execution
score
8/10

Analysis Overview

score
8/10

SHA256

3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7

Threat Level: Likely malicious

The file 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7 was found to be: Likely malicious.

Malicious Activity Summary

discovery execution

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 21:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 21:14

Reported

2024-11-13 21:16

Platform

win7-20240903-en

Max time kernel

125s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GABack.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\URL Protocol | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command\ = "\"C:\\WinGuido\\GuidoAusili\\GuidoAusili.exe\" \"%1\"" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\ = "URL:GuidoAusili Protocol" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GABack.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2096 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2096 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2096 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2096 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 1844 wrote to memory of 2776 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1844 wrote to memory of 2776 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1844 wrote to memory of 2776 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1844 wrote to memory of 2776 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 2776 wrote to memory of 1912 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2776 wrote to memory of 1912 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2776 wrote to memory of 1912 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2776 wrote to memory of 1912 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 1912 wrote to memory of 2008 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1912 wrote to memory of 2008 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1912 wrote to memory of 2008 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1912 wrote to memory of 2008 | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 2008 wrote to memory of 1964 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2008 wrote to memory of 1964 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2008 wrote to memory of 1964 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2008 wrote to memory of 1964 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2008 wrote to memory of 2648 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2008 wrote to memory of 2648 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2008 wrote to memory of 2648 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2008 wrote to memory of 2648 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GAStart.exe
PID 2008 wrote to memory of 1856 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1856 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1856 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1856 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2972 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2972 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2972 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2972 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 2864 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GABack.exe
PID 2008 wrote to memory of 2864 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GABack.exe
PID 2008 wrote to memory of 2864 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GABack.exe
PID 2008 wrote to memory of 2864 | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | C:\WinGuido\GuidoAusili\GABack.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe

"C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"

C:\WinGuido\GuidoAusili\GAStart.exe

"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1

C:\WinGuido\GuidoAusili\GuidoAusili.exe

"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT1 GASTARTCOUNT1

C:\WinGuido\GuidoAusili\GAStart.exe

"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2

C:\WinGuido\GuidoAusili\GuidoAusili.exe

"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT2 GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM explorer.exe

C:\WinGuido\GuidoAusili\GAStart.exe

"C:\WinGuido\GuidoAusili\GAStart.exe" CHECK GASTARTCOUNT3

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\GuidoAusili"""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\"""

C:\WinGuido\GuidoAusili\GABack.exe

"C:\WinGuido\GuidoAusili\GABack.exe"

Network

Country | Destination | Domain | Proto
IT | 188.213.167.248:80 | 188.213.167.248 | tcp
IT | 188.213.167.248:80 | 188.213.167.248 | tcp
IT | 188.213.167.248:80 | 188.213.167.248 | tcp
IT | 188.213.167.248:80 | 188.213.167.248 | tcp
IT | 188.213.167.248:80 | 188.213.167.248 | tcp
IT | 188.213.167.248:80 | 188.213.167.248 | tcp
US | 8.8.8.8:53 | www.winguido.it | udp
IT | 31.11.35.141:80 | www.winguido.it | tcp
IT | 31.11.35.141:80 | www.winguido.it | tcp
IT | 188.213.167.248:80 | 188.213.167.248 | tcp
IT | 188.213.167.248:80 | 188.213.167.248 | tcp

Files

memory/2096-0-0x000000007477E000-0x000000007477F000-memory.dmp

memory/2096-1-0x0000000000870000-0x0000000000886000-memory.dmp

memory/2096-3-0x0000000074770000-0x0000000074E5E000-memory.dmp

C:\WinGuido\GuidoAusili\GAStart.exe

MD5 177b1771a219d51bae8f6af2302ec2f0
SHA1 94a63a825ffde6f0162c5bf284fa7e87c118dbac
SHA256 8809840e6781e023dd8f7b725236780cf824690ca89301e4ef8b2d17e1297031
SHA512 c49b0b643e684bb0bad07ae8b395f6beaa1b0bcedcff16eeccccafe934da922cd710ae7bb45cafaea1a1ff891de57983cd6e52395b20b120527d97296d539a9b

memory/1844-16-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/2096-17-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/1844-18-0x0000000000010000-0x000000000001E000-memory.dmp

memory/1844-19-0x0000000074770000-0x0000000074E5E000-memory.dmp

\WinGuido\GuidoAusili\GuidoAusili.exe

MD5 65649c35f341359276e5a284146a4d4e
SHA1 4392be1b7fb3cf6ea46e12f025cc0af00b12e49d
SHA256 c1534cc27b181b0c684daaa68ee12d418af940d5aa3b1b181d734e4e64a7358d
SHA512 ce24442fff5f962e1745043b87a89f6869ee8584f641aec2b62e989460668ed9017a8054ade36df6f83f2ec9d39fa10ac7fce4dbde551c086fff7676775e00aa

memory/2776-34-0x0000000000060000-0x0000000000076000-memory.dmp

memory/1844-36-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/1912-57-0x00000000009A0000-0x00000000009AE000-memory.dmp

C:\WinGuido\GuidoAusili\New\GuidoAusili.vshost.exe.config

MD5 1ed5cc20071980ddc2f081af4d3be0a5
SHA1 548d12c8abf3a0b696487087fc2b370f52de455d
SHA256 18eac85da718d515287d97da93589d03acd793843b6256d27701992c66c8cc13
SHA512 57178babb9a98139e2954fcc9db0cf5b8b8871bb00747a9f3c827c0ed9293abe1c09a359575a3f28e2c2f8d092c808434640f01402bcca489d3916cb1b291495

C:\WinGuido\GuidoAusili\New\GuidoAusili.vshost.exe

MD5 dbd8bc6438e1011ca1b796c7a9c78d78
SHA1 9184d63d8335efecf3ea02845fd1f027e7edaa0a
SHA256 280fdcaf69c8f7145446c8bc342fa4a0c7ff0abfed111c5f72b520f479fde785
SHA512 1536aa27db27c9ad52c4f5fcd5acd584a520afeb2bb30aaeca03682b3737fa7820fe0eb1d7a2e0951202e5383287edf8539b0939d2587a741729ab19c8f281f3

C:\WinGuido\GuidoAusili\New\GuidoAusili.exe.config

MD5 5abf0e7c37e411a9dab0813df83b4158
SHA1 60ed29c7a91d54c4edbdfb4b957e91661abd9cd5
SHA256 d4385462ab483a473d84c563762ebd688b6fb53f10e9ad3f62d3c6199b3ea455
SHA512 cc8e28c13bdb7e56371963937c48b593cfaefcbf1a0c8b3f7ddc2696013312afbf34909fe6c1b88702c44f42cd9dd361f226c15e0c6b69cb2be743c08399f618

C:\WinGuido\GuidoAusili\GAPrincipale.dll

MD5 e6e4f87c1828e67d5c5bcf778f1ad70e
SHA1 004ce674fb7ba50d2a3fa8fd600ffa7020150879
SHA256 37da3f7d024777426bbc5ccd882cadd0050c6296f513023b9f3c91a946d0c1b3
SHA512 e6eb06efcafd78d0ce9743a3ff001e9c0ed9b5057ffd313a38828315b94e8d440441ddb6d32fc55988e33f0f76480ec72d26f6fc66307a115ad0ac0c8164ffb5

C:\WinGuido\GuidoAusili\GAOCX.dll

MD5 590afabdd9574b338516934d48ed9668
SHA1 05ea3c1c1131f7a898e7c6345c9dee3dfd37d8b4
SHA256 c1879a9d03a82e61e7741fcd737312b19d266fec9d7257b086ee5de499bbb726
SHA512 0d55966f07c90e445c18d43dcaf7736e9e84e3f566313b321689ff65f8288591552c176f857c7dae2b1fc2b5ad9e92aafc3c9c55194a520c63f903eef8c7e2cb

C:\WinGuido\GuidoAusili\GuidoAusili.Log

MD5 7e33d6ac39f2d6f868c95413ec83d5f2
SHA1 cfe393d6ce16e73c3f2b43d36c295b0885863b77
SHA256 a712a3877e28a1d56f3a1b8d23213882e77d99a4cdf4f70b8b419e6422a53ecd
SHA512 cb33b02ab5e598679ce7889fb57260fe5d4df7004b97161330fb66c3b6593cfb6b164776d1a5330ecbc3cb0f95e52c99922189ed59ba659fe7252c23186f5b07

memory/2008-69-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

memory/2648-74-0x0000000000B00000-0x0000000000B0E000-memory.dmp

memory/2008-77-0x0000000006350000-0x0000000006566000-memory.dmp

\WinGuido\GuidoAusili\wg~eci.dll

MD5 0fbd8fdcc7bc662e4a9c8d57a9910170
SHA1 0a9ce715771a5b67ab4e2a70409195fd0f9dcd1d
SHA256 d6cd7483f0613d84466ee23aece16d872a065dc1ae61471f788fb7eaab97972d
SHA512 da3a5bdf1f7b96e1cd327acde2ac9deb43ad2cd904776e91c8e9d65460ebbce8d00a022f8e64ffcaa3ba0df82302fe1cfd6d92cefec04c3f8721b428d0631f77

memory/2008-111-0x00000000053F0000-0x0000000005403000-memory.dmp

\WinGuido\GuidoAusili\lilli.dll

MD5 1734919e44bc6924d99b3dc03d6afbcb
SHA1 77147382584151a0676b67ca47f4b27c022d2080
SHA256 9ced3f4811e31d71f12ebc72f94f046ef1f6fe9a15785ecc1b6635355cdec637
SHA512 ad7675206b7c00ab0ecd55d70b2039d7c22da4738fc111988ed8ec0546881bcc47066a400dc627846795d00bc394b2f1e59ad6c09ca6727b6102d4c4e65fc5e9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6X0ZELMMYCOQZA6RMQZ0.temp

MD5 c96728978e74dd101c5c098390210368
SHA1 55579f5f867ee20661e68541bd104ee19d61b7ff
SHA256 2912b29976e224d8ebefb016e8c4b5a76842de9d1b3a0acdefadeab0635f0020
SHA512 f0e0e026384aee7a7471ece3e238d9d7b0e5154a1c7f043de9af25d735acb7799e89323dd4c8117fc1c2930f5b9199c5abfab082eaba3dceab97f872fdd0e875

C:\WinGuido\GuidoAusili\GABack.exe

MD5 a2e0cc453f3f9b0eda6fec6051121995
SHA1 c9cfe8f2dc243df4dbd8aefe7d325af28fd03dd6
SHA256 d40f06f1dd15ee7f18e8af277d09326c36667b03916f2548e899a8b57e6bbffe
SHA512 1464410bee02d4798d4167ebc57fd1a98baaeb3cbff8a50babd348fa128c9315d5798e740ec61b83a1db49b0642c134a55dd86a81553a892b079b8dec2fd0e2c

memory/2008-132-0x00000000053F0000-0x0000000005403000-memory.dmp

memory/2864-131-0x0000000001320000-0x000000000132C000-memory.dmp

memory/2008-137-0x00000000059A0000-0x00000000059C0000-memory.dmp

memory/2008-145-0x0000000008C60000-0x0000000008CC2000-memory.dmp

C:\WinGuido\GuidoAusili\ALVAW32.DLL

MD5 d3049bfab186cd87c5e25c041a2e39e5
SHA1 eb136d8fb0488878d6646eea3d65ce62cd5eb668
SHA256 8bdbea0849298df7842c1a5cd92b500d10e94306322ea52eaa1f98ed40516638
SHA512 05378a294e5a29def2b0f11983d9a0b30de58fd4897065de654528ffd59822e5c279bd0557e478bb404a19c41a4fc9443b557030231a8b5934af77a180ab229b

memory/2008-153-0x0000000005A40000-0x0000000005A61000-memory.dmp

\WinGuido\GuidoAusili\SeikaDevice.dll

MD5 563247eb3b6d2000b27cfaefe76d7393
SHA1 74460b9ccde7358dd50e6738009ebc67ad4dcc54
SHA256 8b8fbc194d4fad9454fd1c67dc9ce1374eb1027d4e22456577baa1e0f489d068
SHA512 da5ffc901dc4f267cdf53f912db5aab0707c56fc1e6eb86f73ecc94b99babfbc9fddff97827b9c0b860d7d40a320374b764aade4b794fd01b7d891ff5b66b85e

memory/2008-172-0x0000000005C60000-0x0000000005C75000-memory.dmp

C:\WinGuido\GuidoAusili\SLABHIDtoUART.dll

MD5 acf8a82427e1a19c15c0cc8ecf02d22c
SHA1 e1c5dcf600940dc5f418865b55a42a6b3c33d91c
SHA256 2226d189eed45887409670dbcfbfe5dc7f64b380f67e566123133166a4ac9754
SHA512 35df4a06036db2e4f49366852d193d31ee7d90ddd79c8c5f6723577674e7edb1f8046b15235d126f51baa33135f7fc4c6c76745a1ce70a848b41c275dc9f67f7

C:\WinGuido\GuidoAusili\SLABHIDDevice.dll

MD5 bf7c061d396c1399ec1446540d5221cc
SHA1 d5f356cd39d09ab737ab255f82e0e0c24ba891a0
SHA256 eb245fff873becd30b79260cac031d1c58bf93c6e7aa5a76d6bfac6cd1bcb411
SHA512 acdb828afabc41d54e5fed2737381b1ffd365783c293ba2a9cd0c3f8c41a6b537fee3e1d02c06a0513475570a313ce923bfb76e0b6f5fd46ecdea44a991e66e6

memory/2008-176-0x0000000005EA0000-0x0000000005EBC000-memory.dmp

C:\WinGuido\GuidoAusili\Dati\0\Stringhe\Stringhe.ldb

MD5 421b955e72f1209acce8ba371a1f4387
SHA1 e08a2c5935224dc011cb281b863021f08e5af499
SHA256 9335d0dade8f0f25d187edcd69bd5224641b4366b89346e2ec93b8761eb4d5df
SHA512 e236431b93eabbba33e9862352ee713c4082e62fae6042e8e4ca0c703679b96bed5feb8c92ca09fc4d383f09043bca2c8af82d46dc1d5ee5ee9de654dc21fc2e

memory/2008-189-0x0000000005A00000-0x0000000005A36000-memory.dmp

C:\WinGuido\GuidoAusili\Suoni\GAAttesa.wav

MD5 b92eff9243f63eec5fb5675b30a0f324
SHA1 6b2a4b228c161bb92785e0e5a47f5bc9db2af44e
SHA256 356f6361960ad64834f87341aa3d14cde392e5ca6548ef906ecea01591d71cac
SHA512 aa66c5e9686dc146499fcb8277ca86c8058fd9f2c03ca2700aef8a12d960cd3dca92a8e0c1b0165e3e508c7fc7848900b40ecbb11a9a495909ba88b0e0179097

C:\WinGuido\GuidoAusili\GAAgenda.dll

MD5 acdba8c5d8662aba0145c46f6f5c839a
SHA1 857668c82e9235f081b777964068053562c15399
SHA256 644b40f1191fc88889ddafe2b286e0f74c647b94d1e98d1799de81c6eebb9ece
SHA512 899d9bba82d412a12906d9e518192159039e31be887301ad678ad21ce35ddbc2b027dd24db79abb9c64c3d839c9ffd9828ea675208ec6ed7135ddbb974b9d152

C:\WinGuido\GuidoAusili\GAChat.dll

MD5 8ba5872919caa6c2812e7881f1d18414
SHA1 acc4c455452d67170d6b89e572cfdb1e098b9a85
SHA256 eb745145c55cb5d3b6d1ba17a2dbfd9ceeda3125c211dbd90773277e1f24bf49
SHA512 6b571fce97e2fd26ab7cf223ebe8d56f557863c45228f4e26002c7e8ee77eabae3a2debd138673e5307391333e65180d748bff20939ec8271c2c8924cf78d50c

memory/2008-214-0x00000000053F0000-0x0000000005403000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 21:14

Reported

2024-11-13 21:16

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GABack.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command\ = "\"C:\\WinGuido\\GuidoAusili\\GuidoAusili.exe\" \"%1\"" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\ = "URL:GuidoAusili Protocol" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\URL Protocol | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GAStart.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GAStart.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GAStart.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GAStart.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GABack.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GABack.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe N/A
Token: SeDebugPrivilege N/A C:\WinGuido\GuidoAusili\GAStart.exe N/A
Token: SeDebugPrivilege N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
Token: SeDebugPrivilege N/A C:\WinGuido\GuidoAusili\GAStart.exe N/A
Token: SeDebugPrivilege N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\WinGuido\GuidoAusili\GABack.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4528 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 4528 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 4528 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 4944 wrote to memory of 3240 N/A C:\WinGuido\GuidoAusili\GAStart.exe C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 4944 wrote to memory of 3240 N/A C:\WinGuido\GuidoAusili\GAStart.exe C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 4944 wrote to memory of 3240 N/A C:\WinGuido\GuidoAusili\GAStart.exe C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 3240 wrote to memory of 1456 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 3240 wrote to memory of 1456 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 3240 wrote to memory of 1456 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 1456 wrote to memory of 4828 N/A C:\WinGuido\GuidoAusili\GAStart.exe C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1456 wrote to memory of 4828 N/A C:\WinGuido\GuidoAusili\GAStart.exe C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 1456 wrote to memory of 4828 N/A C:\WinGuido\GuidoAusili\GAStart.exe C:\WinGuido\GuidoAusili\GuidoAusili.exe
PID 4828 wrote to memory of 4352 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\taskkill.exe
PID 4828 wrote to memory of 4352 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\taskkill.exe
PID 4828 wrote to memory of 4352 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\taskkill.exe
PID 4828 wrote to memory of 3844 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 4828 wrote to memory of 3844 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 4828 wrote to memory of 3844 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GAStart.exe
PID 4828 wrote to memory of 1168 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 1168 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 1168 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 4736 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 4736 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 4736 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 1456 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GABack.exe
PID 4828 wrote to memory of 1456 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GABack.exe
PID 4828 wrote to memory of 1456 N/A C:\WinGuido\GuidoAusili\GuidoAusili.exe C:\WinGuido\GuidoAusili\GABack.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe

"C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"

C:\WinGuido\GuidoAusili\GAStart.exe

"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1

C:\WinGuido\GuidoAusili\GuidoAusili.exe

"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT1 GASTARTCOUNT1

C:\WinGuido\GuidoAusili\GAStart.exe

"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2

C:\WinGuido\GuidoAusili\GuidoAusili.exe

"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT2 GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM explorer.exe

C:\WinGuido\GuidoAusili\GAStart.exe

"C:\WinGuido\GuidoAusili\GAStart.exe" CHECK GASTARTCOUNT3

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x150

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\GuidoAusili"""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\"""

C:\WinGuido\GuidoAusili\GABack.exe

"C:\WinGuido\GuidoAusili\GABack.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IT 188.213.167.248:80 188.213.167.248 tcp
IT 188.213.167.248:80 188.213.167.248 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 248.167.213.188.in-addr.arpa udp
IT 188.213.167.248:80 188.213.167.248 tcp
IT 188.213.167.248:80 188.213.167.248 tcp
IT 188.213.167.248:80 188.213.167.248 tcp
IT 188.213.167.248:80 188.213.167.248 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 www.winguido.it udp
IT 31.11.35.141:80 www.winguido.it tcp
IT 31.11.35.141:80 www.winguido.it tcp
US 8.8.8.8:53 141.35.11.31.in-addr.arpa udp
IT 188.213.167.248:80 188.213.167.248 tcp
IT 188.213.167.248:80 188.213.167.248 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp

Files

C:\WinGuido\GuidoAusili\GAStart.exe

C:\WinGuido\GuidoAusili\GuidoAusili.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GAStart.exe.log

C:\WinGuido\GuidoAusili\New\GuidoAusili.vshost.exe.config

C:\WinGuido\GuidoAusili\New\GuidoAusili.vshost.exe

C:\WinGuido\GuidoAusili\New\GuidoAusili.exe.config

C:\WinGuido\GuidoAusili\GAPrincipale.dll

C:\WinGuido\GuidoAusili\GAOCX.dll

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GuidoAusili.exe.log

C:\WinGuido\GuidoAusili\GuidoAusili.Log

C:\WinGuido\GuidoAusili\wg~eci.dll

C:\Users\Admin\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_2E6507A487AB43D2B3AA646F069653CD.dat

C:\WinGuido\GuidoAusili\lilli.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epcv3qiz.qt2.ps1

C:\WinGuido\GuidoAusili\GAAgenda.dll

C:\WinGuido\GuidoAusili\GABack.exe

C:\WinGuido\GuidoAusili\ALVAW32.DLL

C:\WinGuido\GuidoAusili\SLABHIDDevice.dll

C:\WinGuido\GuidoAusili\SLABHIDtoUART.dll

C:\WinGuido\GuidoAusili\SeikaDevice.dll

C:\WinGuido\GuidoAusili\Suoni\GAAttesa.wav

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\WinGuido\GuidoAusili\Dati\0\Stringhe\Stringhe.ldb

C:\WinGuido\GuidoAusili\GAChat.dll
