Malware Analysis Report

2025-04-13 11:32

Sample ID 220614-1xq5esfacp
Target 2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e
SHA256 2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e
Tags
cryptbot discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e

Threat Level: Known bad

The file 2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot Payload

CryptBot

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Runs ping.exe

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-14 22:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-14 22:02

Reported

2022-06-14 23:18

Platform

win7-20220414-en

Max time kernel

54s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1768 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1720 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com
PID 1720 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1788 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe

"C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Lui.xltx

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^DLJyiWOjFRXkEfehEjtbrnPYMsFWnKxNWzEcSkYjeoxprDGXReUaPfptWLzQdSNVbpgkKGxzhRxVtGUpLIyvPwYGpmmiSoWlx$" Estate.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

Oggi.exe.com t

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com t

Network

Country Destination Domain Proto
NL 23.208.77.128:443 tcp
US 8.8.8.8:53 ptHNsyckIwkihAyVlBFUqVdvUO.ptHNsyckIwkihAyVlBFUqVdvUO udp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lui.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Estate.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\t

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avra.xltx

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-14 22:02

Reported

2022-06-14 23:18

Platform

win10v2004-20220414-en

Max time kernel

117s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3832 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com
PID 3832 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4032 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com
PID 3912 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe

"C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Lui.xltx

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^DLJyiWOjFRXkEfehEjtbrnPYMsFWnKxNWzEcSkYjeoxprDGXReUaPfptWLzQdSNVbpgkKGxzhRxVtGUpLIyvPwYGpmmiSoWlx$" Estate.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

Oggi.exe.com t

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com t

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 ptHNsyckIwkihAyVlBFUqVdvUO.ptHNsyckIwkihAyVlBFUqVdvUO udp
NL 8.238.23.254:80 tcp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 geobau75.top udp
US 8.8.8.8:53 moryce07.top udp
US 8.8.8.8:53 rogkjs10.top udp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lui.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Estate.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promessa.xltx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\t

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avra.xltx

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\DFYIIO~1.ZIP

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\BZQjE.tmp

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\cUGggps.tmp

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\files_\SYSTEM~1.TXT

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\files_\SCREEN~1.JPG

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\gpWOo.tmp

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\SWXQVV~1.ZIP

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\_Files\_SCREE~1.JPE

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\_Files\_INFOR~1.TXT

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\RrnHf.tmp

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\NeDBL.tmp

C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb\ILEnfcPe.tmp