Analysis Overview
SHA256
3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7
Threat Level: Likely malicious
The file 3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:14
Reported
2024-11-13 21:16
Platform
win7-20240903-en
Max time kernel
125s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GABack.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GABack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\URL Protocol | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command\ = "\"C:\\WinGuido\\GuidoAusili\\GuidoAusili.exe\" \"%1\"" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\ = "URL:GuidoAusili Protocol" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GABack.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe
"C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"
C:\WinGuido\GuidoAusili\GAStart.exe
"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1
C:\WinGuido\GuidoAusili\GuidoAusili.exe
"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT1 GASTARTCOUNT1
C:\WinGuido\GuidoAusili\GAStart.exe
"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2
C:\WinGuido\GuidoAusili\GuidoAusili.exe
"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT2 GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
C:\WinGuido\GuidoAusili\GAStart.exe
"C:\WinGuido\GuidoAusili\GAStart.exe" CHECK GASTARTCOUNT3
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\GuidoAusili"""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\"""
C:\WinGuido\GuidoAusili\GABack.exe
"C:\WinGuido\GuidoAusili\GABack.exe"
Network
| Country | Destination | Domain | Proto |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| US | 8.8.8.8:53 | www.winguido.it | udp |
| IT | 31.11.35.141:80 | www.winguido.it | tcp |
| IT | 31.11.35.141:80 | www.winguido.it | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:14
Reported
2024-11-13 21:16
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GABack.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\WinGuido\GuidoAusili\GABack.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CLASSGUID | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CLASS | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell\open\command\ = "\"C:\\WinGuido\\GuidoAusili\\GuidoAusili.exe\" \"%1\"" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\ = "URL:GuidoAusili Protocol" | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\URL Protocol | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\guidoausili\shell | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GAStart.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinGuido\GuidoAusili\GABack.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WinGuido\GuidoAusili\GuidoAusili.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe
"C:\Users\Admin\AppData\Local\Temp\3987f0815c1db6dbcb4b03a9bcdb2350a25178f7e7942dcc4a0fc6f0da1dacc7.exe"
C:\WinGuido\GuidoAusili\GAStart.exe
"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1
C:\WinGuido\GuidoAusili\GuidoAusili.exe
"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT1 GASTARTCOUNT1
C:\WinGuido\GuidoAusili\GAStart.exe
"C:\WinGuido\GuidoAusili\GAStart.exe" GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2
C:\WinGuido\GuidoAusili\GuidoAusili.exe
"C:\WinGuido\GuidoAusili\GuidoAusili.exe" DASTART GASTARTCOUNT2 GASTARTCOUNT1 GASTARTCOUNT1 GASTARTCOUNT2
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
C:\WinGuido\GuidoAusili\GAStart.exe
"C:\WinGuido\GuidoAusili\GAStart.exe" CHECK GASTARTCOUNT3
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x150
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\GuidoAusili"""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath ""C:\WinGuido\"""
C:\WinGuido\GuidoAusili\GABack.exe
"C:\WinGuido\GuidoAusili\GABack.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.167.213.188.in-addr.arpa | udp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.winguido.it | udp |
| IT | 31.11.35.141:80 | www.winguido.it | tcp |
| IT | 31.11.35.141:80 | www.winguido.it | tcp |
| US | 8.8.8.8:53 | 141.35.11.31.in-addr.arpa | udp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| IT | 188.213.167.248:80 | 188.213.167.248 | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
Files
C:\WinGuido\GuidoAusili\GAPrincipale.dll
| MD5 | e6e4f87c1828e67d5c5bcf778f1ad70e |
| SHA1 | 004ce674fb7ba50d2a3fa8fd600ffa7020150879 |
| SHA256 | 37da3f7d024777426bbc5ccd882cadd0050c6296f513023b9f3c91a946d0c1b3 |
| SHA512 | e6eb06efcafd78d0ce9743a3ff001e9c0ed9b5057ffd313a38828315b94e8d440441ddb6d32fc55988e33f0f76480ec72d26f6fc66307a115ad0ac0c8164ffb5 |
C:\WinGuido\GuidoAusili\GAOCX.dll
| MD5 | 590afabdd9574b338516934d48ed9668 |
| SHA1 | 05ea3c1c1131f7a898e7c6345c9dee3dfd37d8b4 |
| SHA256 | c1879a9d03a82e61e7741fcd737312b19d266fec9d7257b086ee5de499bbb726 |
| SHA512 | 0d55966f07c90e445c18d43dcaf7736e9e84e3f566313b321689ff65f8288591552c176f857c7dae2b1fc2b5ad9e92aafc3c9c55194a520c63f903eef8c7e2cb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GuidoAusili.exe.log
| MD5 | 3ecbe9f7edb535445e6660f6829305b4 |
| SHA1 | fb338eb12b6957a6293bd95bdf2825d8ff9acac9 |
| SHA256 | a544980d23f5b61bfdf809668cc605fc81be8e0cbfc0ec1c602fe548c2df73c5 |
| SHA512 | f1461c5d2863e614db2254379670e122c7d923bf54622b11bd61d7fc919cfa7136c29621bacebe2f316b9955bfa4ee271d3d099d653f05802649ebb16a1f7b6e |
C:\WinGuido\GuidoAusili\GuidoAusili.Log
| MD5 | 68fe99ba82113d56be2d7771ddf122de |
| SHA1 | 28744137b5aaba539bf1722051b496ba1a2bcad1 |
| SHA256 | d31982219c247eaf362e75b4b35bed6149648d4ff96cfc5a6d2069069e1541c7 |
| SHA512 | b24542c437c41fcbcbb66a49db33fc38d989b6445c208456628c00c45c9dc92611e2c5b0647fe6c9f12cf8ce3668619392e606ea36a6dd614de4d74efd6e6e47 |
memory/4828-83-0x0000000006E70000-0x0000000007086000-memory.dmp
memory/4828-84-0x00000000075C0000-0x0000000007AEC000-memory.dmp
memory/4828-86-0x0000000008110000-0x0000000008728000-memory.dmp
memory/4828-88-0x00000000074F0000-0x000000000752C000-memory.dmp
memory/4828-89-0x0000000007540000-0x0000000007552000-memory.dmp
memory/4828-90-0x0000000007560000-0x00000000075AC000-memory.dmp
memory/4828-91-0x0000000009020000-0x0000000009374000-memory.dmp
memory/4828-94-0x0000000009CE0000-0x0000000009D30000-memory.dmp
memory/4828-93-0x0000000009910000-0x0000000009938000-memory.dmp
memory/4828-92-0x00000000099D0000-0x0000000009ADA000-memory.dmp
C:\WinGuido\GuidoAusili\wg~eci.dll
| MD5 | 0fbd8fdcc7bc662e4a9c8d57a9910170 |
| SHA1 | 0a9ce715771a5b67ab4e2a70409195fd0f9dcd1d |
| SHA256 | d6cd7483f0613d84466ee23aece16d872a065dc1ae61471f788fb7eaab97972d |
| SHA512 | da3a5bdf1f7b96e1cd327acde2ac9deb43ad2cd904776e91c8e9d65460ebbce8d00a022f8e64ffcaa3ba0df82302fe1cfd6d92cefec04c3f8721b428d0631f77 |
memory/4828-107-0x000000000A380000-0x000000000A3E6000-memory.dmp
memory/4828-110-0x000000000A770000-0x000000000A792000-memory.dmp
memory/4828-121-0x000000000B090000-0x000000000B0A8000-memory.dmp
C:\Users\Admin\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_2E6507A487AB43D2B3AA646F069653CD.dat
| MD5 | 04139835f281a15b81b1bc9a5c2170a2 |
| SHA1 | ae89a9765ff3a0f6e163d974da691fdb1fba1945 |
| SHA256 | 637650251f7e2f02b6674ce28354a27780bef7f95d31c687af257ec1429cc64f |
| SHA512 | 11a7dc68a911e86012dc30541f4a23e8bc0b6c470af34be59d67541488cd685f60c008af27f2fbbd3e05f56537c81f11c1e4977061d83b596fa61b2876ac46e3 |
memory/1168-124-0x0000000004FF0000-0x0000000005026000-memory.dmp
memory/1168-125-0x00000000056E0000-0x0000000005D08000-memory.dmp
C:\WinGuido\GuidoAusili\lilli.dll
| MD5 | 1734919e44bc6924d99b3dc03d6afbcb |
| SHA1 | 77147382584151a0676b67ca47f4b27c022d2080 |
| SHA256 | 9ced3f4811e31d71f12ebc72f94f046ef1f6fe9a15785ecc1b6635355cdec637 |
| SHA512 | ad7675206b7c00ab0ecd55d70b2039d7c22da4738fc111988ed8ec0546881bcc47066a400dc627846795d00bc394b2f1e59ad6c09ca6727b6102d4c4e65fc5e9 |
memory/1168-131-0x0000000005EB0000-0x0000000005F16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_epcv3qiz.qt2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\WinGuido\GuidoAusili\GAAgenda.dll
| MD5 | acdba8c5d8662aba0145c46f6f5c839a |
| SHA1 | 857668c82e9235f081b777964068053562c15399 |
| SHA256 | 644b40f1191fc88889ddafe2b286e0f74c647b94d1e98d1799de81c6eebb9ece |
| SHA512 | 899d9bba82d412a12906d9e518192159039e31be887301ad678ad21ce35ddbc2b027dd24db79abb9c64c3d839c9ffd9828ea675208ec6ed7135ddbb974b9d152 |
C:\WinGuido\GuidoAusili\GABack.exe
| MD5 | a2e0cc453f3f9b0eda6fec6051121995 |
| SHA1 | c9cfe8f2dc243df4dbd8aefe7d325af28fd03dd6 |
| SHA256 | d40f06f1dd15ee7f18e8af277d09326c36667b03916f2548e899a8b57e6bbffe |
| SHA512 | 1464410bee02d4798d4167ebc57fd1a98baaeb3cbff8a50babd348fa128c9315d5798e740ec61b83a1db49b0642c134a55dd86a81553a892b079b8dec2fd0e2c |
memory/1456-172-0x0000000000580000-0x000000000058C000-memory.dmp
memory/4828-175-0x000000000FBE0000-0x000000000FC01000-memory.dmp
memory/4828-174-0x000000000FC20000-0x000000000FC5C000-memory.dmp
memory/4828-179-0x000000000FF70000-0x000000000FFD2000-memory.dmp
C:\WinGuido\GuidoAusili\ALVAW32.DLL
| MD5 | d3049bfab186cd87c5e25c041a2e39e5 |
| SHA1 | eb136d8fb0488878d6646eea3d65ce62cd5eb668 |
| SHA256 | 8bdbea0849298df7842c1a5cd92b500d10e94306322ea52eaa1f98ed40516638 |
| SHA512 | 05378a294e5a29def2b0f11983d9a0b30de58fd4897065de654528ffd59822e5c279bd0557e478bb404a19c41a4fc9443b557030231a8b5934af77a180ab229b |
memory/1168-189-0x00000000065F0000-0x000000000660E000-memory.dmp
memory/4828-186-0x0000000008950000-0x0000000008971000-memory.dmp
memory/4828-194-0x0000000000400000-0x0000000000413000-memory.dmp
C:\WinGuido\GuidoAusili\SLABHIDDevice.dll
| MD5 | bf7c061d396c1399ec1446540d5221cc |
| SHA1 | d5f356cd39d09ab737ab255f82e0e0c24ba891a0 |
| SHA256 | eb245fff873becd30b79260cac031d1c58bf93c6e7aa5a76d6bfac6cd1bcb411 |
| SHA512 | acdb828afabc41d54e5fed2737381b1ffd365783c293ba2a9cd0c3f8c41a6b537fee3e1d02c06a0513475570a313ce923bfb76e0b6f5fd46ecdea44a991e66e6 |
memory/1168-225-0x0000000070610000-0x000000007065C000-memory.dmp
memory/1168-235-0x0000000006B10000-0x0000000006B2E000-memory.dmp
memory/4828-221-0x000000000FF20000-0x000000000FF3C000-memory.dmp
memory/1168-236-0x0000000006B80000-0x0000000006C23000-memory.dmp
memory/1168-224-0x0000000006B30000-0x0000000006B62000-memory.dmp
C:\WinGuido\GuidoAusili\SLABHIDtoUART.dll
| MD5 | acf8a82427e1a19c15c0cc8ecf02d22c |
| SHA1 | e1c5dcf600940dc5f418865b55a42a6b3c33d91c |
| SHA256 | 2226d189eed45887409670dbcfbfe5dc7f64b380f67e566123133166a4ac9754 |
| SHA512 | 35df4a06036db2e4f49366852d193d31ee7d90ddd79c8c5f6723577674e7edb1f8046b15235d126f51baa33135f7fc4c6c76745a1ce70a848b41c275dc9f67f7 |
C:\WinGuido\GuidoAusili\SeikaDevice.dll
| MD5 | 563247eb3b6d2000b27cfaefe76d7393 |
| SHA1 | 74460b9ccde7358dd50e6738009ebc67ad4dcc54 |
| SHA256 | 8b8fbc194d4fad9454fd1c67dc9ce1374eb1027d4e22456577baa1e0f489d068 |
| SHA512 | da5ffc901dc4f267cdf53f912db5aab0707c56fc1e6eb86f73ecc94b99babfbc9fddff97827b9c0b860d7d40a320374b764aade4b794fd01b7d891ff5b66b85e |
memory/4828-215-0x000000000FEF0000-0x000000000FF05000-memory.dmp
memory/4736-237-0x0000000070610000-0x000000007065C000-memory.dmp
memory/1168-247-0x0000000007ED0000-0x000000000854A000-memory.dmp
memory/1168-248-0x0000000007880000-0x000000000789A000-memory.dmp
memory/1168-249-0x00000000078F0000-0x00000000078FA000-memory.dmp
memory/1168-250-0x0000000007B00000-0x0000000007B96000-memory.dmp
C:\WinGuido\GuidoAusili\Suoni\GAAttesa.wav
| MD5 | b92eff9243f63eec5fb5675b30a0f324 |
| SHA1 | 6b2a4b228c161bb92785e0e5a47f5bc9db2af44e |
| SHA256 | 356f6361960ad64834f87341aa3d14cde392e5ca6548ef906ecea01591d71cac |
| SHA512 | aa66c5e9686dc146499fcb8277ca86c8058fd9f2c03ca2700aef8a12d960cd3dca92a8e0c1b0165e3e508c7fc7848900b40ecbb11a9a495909ba88b0e0179097 |
memory/1168-251-0x0000000007A80000-0x0000000007A91000-memory.dmp
memory/4736-263-0x0000000006FE0000-0x0000000006FEE000-memory.dmp
memory/4736-264-0x0000000006FF0000-0x0000000007004000-memory.dmp
memory/4736-265-0x00000000070F0000-0x000000000710A000-memory.dmp
memory/4736-266-0x00000000070D0000-0x00000000070D8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70210e9bc08f6cb2a192ba8b6a232c0d |
| SHA1 | fcb984dc65dbd12601e13a1269ec78e9fca5dc7c |
| SHA256 | 372baa4e8f861f72412e9316a7da4a6ddb29a3903d57cb2a4ae0baaa9f846c2e |
| SHA512 | 179f9b7985d16bac312b2e6b785e92e602280303c682becf7efd9edf357e383a8f8b53a248b937fb39ca9c91509a012ca2fe72aa296ba589af471118849d84a4 |
C:\WinGuido\GuidoAusili\Dati\0\Stringhe\Stringhe.ldb
| MD5 | e8a60e3ade1f90f23925f900eb179da2 |
| SHA1 | 5ccc36c7cf3ff8256e09afe9d056b523916c47c8 |
| SHA256 | d830321397349076f39584138b5995e2768ac0842bf561650c089e3adf02badd |
| SHA512 | 81e79d1669db9cc1ac9fd5a8edeac573e14f4f095fc1f897da8c9a04e97efbc4234715f1f66dc4ba400c153fc950408eabeec176014f1f52f030fe76f7493643 |
memory/4828-279-0x0000000008B90000-0x0000000008BC6000-memory.dmp
C:\WinGuido\GuidoAusili\GAChat.dll
| MD5 | 8ba5872919caa6c2812e7881f1d18414 |
| SHA1 | acc4c455452d67170d6b89e572cfdb1e098b9a85 |
| SHA256 | eb745145c55cb5d3b6d1ba17a2dbfd9ceeda3125c211dbd90773277e1f24bf49 |
| SHA512 | 6b571fce97e2fd26ab7cf223ebe8d56f557863c45228f4e26002c7e8ee77eabae3a2debd138673e5307391333e65180d748bff20939ec8271c2c8924cf78d50c |
memory/4828-291-0x0000000000400000-0x0000000000413000-memory.dmp