Malware Analysis Report

2024-10-23 17:14

Sample ID 231231-m2p62abad3
Target 335f90c29d9255fa1239707c5beb9600
SHA256 5a1a8ce59103a53a79bab7db80b55ade80805711dad05d3e974d8f252bf53e2b
Tags cryptbot discovery persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

10/10

SHA256

5a1a8ce59103a53a79bab7db80b55ade80805711dad05d3e974d8f252bf53e2b

Threat Level: Known bad

The file 335f90c29d9255fa1239707c5beb9600 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery persistence spyware stealer

CryptBot payload

CryptBot

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Runs ping.exe

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 10:57

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 10:57

Reported

2024-01-10 09:47

Platform

win7-20231215-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2496 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2496 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2496 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2496 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\dllhost.exe
PID 2496 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 284 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2780 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 2780 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 2780 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 2780 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 2780 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2780 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2780 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2780 wrote to memory of 2996 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2784 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 2784 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 2784 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 2784 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe

"C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe"

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Immobilita.jpeg

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^mumoPPZWGBimmUlaTguxGjzvRKrMQXdfkNTRNxDOmizugKidJWVUULLjMedyLjuIlRhMwaFmKaVnTjoiCMeTevxAwGtKrnejqKVvvxfd$" Deposto.jpeg

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

Ottobre.exe.com U

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com U

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ObMLxgUcjfInosLKibMCGj.ObMLxgUcjfInosLKibMCGj | udp
US | 8.8.8.8:53 | ewazqx71.top | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Immobilita.jpeg

MD5 3611fe089bdb6afb3fe4d4ec09e47d22
SHA1 724b400e99ca66d5f18e98d227913cd793151bda
SHA256 a26dd7ee53256d1a72ed01f1f109ef192e142a05b3d26e7ce9afe025d2fd4a56
SHA512 8335d51cf9ddc87f837ace6e204d5d64ef51004d02b764fba1d06fb4cd238c33ae8bd8bbf7b9463c9f49bbcabca9c8c8e196ddf105501778f1e3a7320eecc2bf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respirato.jpeg

MD5 9d4c1ce3dde66558c9ce5023839040b0
SHA1 97f0f1bad1e0a562a24d325b90f9b7e50ea04822
SHA256 288326dbe1707422ae6164402f9c118c35d9f1ea39ba42b7881a0032cbe514ed
SHA512 50c8d573177c1f6902e407833e9d9f32bc46228dc209008f0acb40d6a3a7fee0e4530a8cbec9e53ca7cbca114e3a5ae2505146b1f87bbf804f3f429e8627a05b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deposto.jpeg

MD5 9c785807d7df67e25292763e4cb1f4f7
SHA1 befa1c8bba817d1b56d6383cdbc4177cd9c3e550
SHA256 12c551302118d893bff89bcb45e915ada5d4a5f2467cacde9e5f163d2dcd1d79
SHA512 8f1849c72120de2d8235c6d3d4f389055a262069e9e4692b8de83b2229e66b3e7233cd0817bf79b122027e44fd9f5ed86def8076cee45ec9f191c3e54806f1cb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

MD5 240a0895de29e5cddcab5307c548ea31
SHA1 4658d15fd986b01894ed5768f0d6593433ca18c2
SHA256 6af382092a3fc0bc5b1887e3967868160fcfc7c7825dab0b55ca8705cb5193f7
SHA512 a67539ce0996f24e9872a8bbf3da4508dee0f0bab93a3aaa468d50d66b64fa5a899a1a6bae01eb823cd1269a485332f0418ce6115c9659ca1853152ef580d318

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mani.jpeg

MD5 ce77273cb63c3f4999b6c7966071de93
SHA1 22c58f53c6c60b889f8f770cb7b86b4a7953671e
SHA256 4dff952a57883347535439e6830cc8fbc4579e61f502ed72aaa512acb3edb84f
SHA512 5e585bf47168c0c4f2b1818428c60f7e3df88f8500afcf5afad0378a4a32bd6091565a4410de842c34af7e448e3fb4c9e59ddbdc0dcf0ceb5d3e4c04898d2773

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

MD5 bf9fec647d0748586dc52008b3f78c33
SHA1 d20976cf9d5000106f2010c32a925fa59930a9b5
SHA256 908a2b93831f8c76e3d1ce3fe1d8a549e849450d28c88ddfcfc8099735ca269b
SHA512 d9b009a8ff1a69dd9b34593cab880d2b8a4f838f2a5d95fce3e5351422086d662e55f2065bb3a54afd53505503bf856d558135483440976589aa694c5841ef3d

memory/2992-24-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2992-25-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-26-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-27-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-28-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-29-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-30-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-31-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-32-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/2992-251-0x00000000039B0000-0x0000000003A53000-memory.dmp

memory/2992-253-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 10:57

Reported

2024-01-10 09:48

Platform

win10v2004-20231215-en

Max time kernel

168s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3264 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\dllhost.exe
PID 3264 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 4328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1116 wrote to memory of 4328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1116 wrote to memory of 4328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1116 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 1116 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 1116 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 1116 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1116 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1116 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3248 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 3248 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
PID 3248 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe

"C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe"

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Immobilita.jpeg

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^mumoPPZWGBimmUlaTguxGjzvRKrMQXdfkNTRNxDOmizugKidJWVUULLjMedyLjuIlRhMwaFmKaVnTjoiCMeTevxAwGtKrnejqKVvvxfd$" Deposto.jpeg

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

Ottobre.exe.com U

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com U

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | ObMLxgUcjfInosLKibMCGj.ObMLxgUcjfInosLKibMCGj | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Immobilita.jpeg

MD5 3611fe089bdb6afb3fe4d4ec09e47d22
SHA1 724b400e99ca66d5f18e98d227913cd793151bda
SHA256 a26dd7ee53256d1a72ed01f1f109ef192e142a05b3d26e7ce9afe025d2fd4a56
SHA512 8335d51cf9ddc87f837ace6e204d5d64ef51004d02b764fba1d06fb4cd238c33ae8bd8bbf7b9463c9f49bbcabca9c8c8e196ddf105501778f1e3a7320eecc2bf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deposto.jpeg

MD5 9c785807d7df67e25292763e4cb1f4f7
SHA1 befa1c8bba817d1b56d6383cdbc4177cd9c3e550
SHA256 12c551302118d893bff89bcb45e915ada5d4a5f2467cacde9e5f163d2dcd1d79
SHA512 8f1849c72120de2d8235c6d3d4f389055a262069e9e4692b8de83b2229e66b3e7233cd0817bf79b122027e44fd9f5ed86def8076cee45ec9f191c3e54806f1cb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respirato.jpeg

MD5 9d4c1ce3dde66558c9ce5023839040b0
SHA1 97f0f1bad1e0a562a24d325b90f9b7e50ea04822
SHA256 288326dbe1707422ae6164402f9c118c35d9f1ea39ba42b7881a0032cbe514ed
SHA512 50c8d573177c1f6902e407833e9d9f32bc46228dc209008f0acb40d6a3a7fee0e4530a8cbec9e53ca7cbca114e3a5ae2505146b1f87bbf804f3f429e8627a05b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mani.jpeg

MD5 ce77273cb63c3f4999b6c7966071de93
SHA1 22c58f53c6c60b889f8f770cb7b86b4a7953671e
SHA256 4dff952a57883347535439e6830cc8fbc4579e61f502ed72aaa512acb3edb84f
SHA512 5e585bf47168c0c4f2b1818428c60f7e3df88f8500afcf5afad0378a4a32bd6091565a4410de842c34af7e448e3fb4c9e59ddbdc0dcf0ceb5d3e4c04898d2773

memory/2656-21-0x00000000045C0000-0x00000000045C1000-memory.dmp

memory/2656-22-0x00000000047D0000-0x0000000004873000-memory.dmp

memory/2656-23-0x00000000047D0000-0x0000000004873000-memory.dmp

memory/2656-24-0x00000000047D0000-0x0000000004873000-memory.dmp

memory/2656-26-0x00000000047D0000-0x0000000004873000-memory.dmp

memory/2656-27-0x00000000047D0000-0x0000000004873000-memory.dmp

memory/2656-28-0x00000000047D0000-0x0000000004873000-memory.dmp

memory/2656-29-0x00000000047D0000-0x0000000004873000-memory.dmp

memory/2656-30-0x00000000047D0000-0x0000000004873000-memory.dmp