Malware Analysis Report

2025-01-19 00:29

Sample ID 240506-112ekagc29
Target 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118
SHA256 a51667fcf9ac9bc47c41f9c99a314a2c666a6006f30188baec64de6e5d33809f
Tags
persistence upx microsoft phishing product:outlook
score
10/10


Analysis Overview

score
10/10

SHA256

a51667fcf9ac9bc47c41f9c99a314a2c666a6006f30188baec64de6e5d33809f

Threat Level: Known bad

The file 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-06 22:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 22:07

Reported

2024-05-06 22:10

Platform

win7-20240221-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 24.8.94.121:1034 tcp
US 198.7.243.100:1034 tcp
US 16.91.198.235:1034 tcp
N/A 10.0.0.152:1034 tcp
N/A 192.168.1.113:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 52.101.41.6:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
US 16.91.198.235:1034 tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 16.115.193.27:1034 tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
IN 4.240.78.157:1034 tcp

Files

memory/2100-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2904-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2100-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2100-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2904-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2100-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2100-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-45-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 a9118ec68fce0b680d7ac021c74ca3d4
SHA1 02c39110351a8087e64642fdef6a2f14f359cdfa
SHA256 b5382b8087d547458c43adeb10c78a0ad2b2d07a9b175f0fcebdd68c8b10da99
SHA512 43c9072a1a78449be28a5a5859de955962f4b39a6f0372e1a09426459751df5424a097200331aefc1d517e05c6c8e5856c386af5ee9888cd19fd880f3c2628ad

C:\Users\Admin\AppData\Local\Temp\tmp7F8C.tmp

MD5 001d66b7ec8e63e4f26d3949463cd774
SHA1 ec4de272b8960eeed395f5ddfa4fd057e8f9386b
SHA256 23928392c27d770ece57eee1506b490baeb26a45455f8d4112f298444192628b
SHA512 b513a298fd61df06816578c71a131b38c3fafc27d0d59886c92be4a06543732d0e959aeb26b8079f63fd4f5118d298e357916eb43ff9b2724bf3cb2296fa25fd

memory/2904-60-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-67-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-72-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 22:07

Reported

2024-05-06 22:10

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 24.8.94.121:1034 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.202:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 202.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 198.7.243.100:1034 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.121.18.2.in-addr.arpa udp
US 16.91.198.235:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 209.85.203.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.42.9:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:80 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 hachyderm.io udp
IE 209.85.203.27:25 aspmx.l.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
N/A 10.0.0.152:1034 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
NL 142.251.9.26:25 alt3.aspmx.l.google.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 192.168.1.113:1034 tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.250.153.27:25 alt2.aspmx.l.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 8.8.8.8:53 outlook.com udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.11.4:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
FI 142.250.150.26:25 alt4.aspmx.l.google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 16.91.198.235:1034 tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
US 8.8.8.8:53 smtp.gzip.org udp
US 8.8.8.8:53 outlook.com udp
US 52.96.223.2:25 outlook.com tcp
IE 209.85.203.27:25 aspmx.l.google.com tcp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 16.115.193.27:1034 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.250.153.27:25 aspmx3.googlemail.com tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mx.cs.stanford.edu udp
US 8.8.8.8:53 mail.cs.stanford.edu udp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 8.8.8.8:53 smtp.burtleburtle.net udp
US 65.254.250.102:25 smtp.burtleburtle.net tcp
US 8.8.8.8:53 mx.outlook.com udp
US 8.8.8.8:53 mail.outlook.com udp
US 8.8.8.8:53 smtp.outlook.com udp
GB 40.99.202.114:25 smtp.outlook.com tcp
NL 142.251.9.26:25 alt3.aspmx.l.google.com tcp
NL 142.250.153.27:25 aspmx3.googlemail.com tcp
IN 4.240.78.157:1034 tcp

Files

memory/3408-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/3920-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3920-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-22-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 da30aa29ca9226eed7e4846460a1f394
SHA1 9b24ee7ad32920f1f341a0b0d368ac21f9d41b7a
SHA256 db4c25c083944c77c6b75c3bee97b039b1cf234c577ec8bdaad14f2711d14e33
SHA512 b71611beff1392c2752107f20f9ec53879bb5dd5ff6a67447469eb14c5624d9a958ee071efd4892761c185c4d72156ae76840c342aefdd2b482c312199976e11

C:\Users\Admin\AppData\Local\Temp\tmp2865.tmp

MD5 448d8063c6c9c3ce2fb1da97286d7185
SHA1 8707e670c18ea682912ae915cc90b65658b1c2c1
SHA256 6c8545ef2fc11cc9373cdf282286fc12f660c79c40a1fc60bd3e598788d43b9c
SHA512 8917fc9f23a6c1765534dbb55f3722cd3eab7df4c9539fa1c7a71cbadaa6c6a9c9848ec88bee0e1fb50a105fd42c615f2ab562b4546aa79b26db0afc7fa0cf8f

memory/3920-101-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W1O6EZKR\LM5KGWSE.htm

MD5 63fdb7ce175a3e1d6aa6bd5b7ef0dfa8
SHA1 d5ceb894dc65e787a94b20106fe1a858fcdf351b
SHA256 39c1d0ec945d0e42b93e70ff973eed565a7245ffcad8896faf13415adf4404bd
SHA512 aad3f59908ec0ff50f98f4aa70f137d368a18a1d6bfc939c0867497e69faac70d8fa94fa121f2c9012c721a2f2aa21fe2d6dd538276b38bae6e54624db19323b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3X7K2ORY\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W1O6EZKR\search[6].htm

MD5 685aaf80d05ee873ab020d9097934ca8
SHA1 377437c235f4982f1ab0f69333d2a27deddeb9a3
SHA256 f459b67232d594cea33125f6738056225cdc3bbf1fe036cb82c5265f8cc2c915
SHA512 4c340655cd722bc90fc0154869ea5e98130a4a1bf867a1abdf65b90f3ce1cad3af97552a992613fd1e5f6c2a79cc2ce65bb763536c75d511ed456b155a4dd959

memory/3920-219-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-220-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-224-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-228-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e9b83582d4ba0d9d5c9f5a3194c3df7e
SHA1 0e8fa6e7269f6d761a504b023ba9f1a8ca954e1f
SHA256 a80192f79cc528d3f337cd9e23f924e2e27d1b8ecbb2b573a6fa99a6914fb432
SHA512 91bf8d9bde4ab46ad06577aa5a38d44ecfa614f707d68161df407cc5a8738342de10ed124f7aac6d559c057d6315fe11ab852e12ee9235f12ffc36b934b59742

memory/3920-246-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-249-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c6fc5db5a55e60fcb177fb45716aa765
SHA1 295c6f4267a6619f45d9db3215869fe1d0d94e42
SHA256 8ff450da55c448f7efa84ba132050051a0fafc0e20a961e10df6c651499439f9
SHA512 8aaac3c7554992ea0f3e206ff1c5bc9b37fe9b10304d7220e96f0155e118ab58516e19bd935e5ee09e828c417fc102b396f9377012e375c4423fe4f08fbd7368

memory/3920-261-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-262-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-266-0x0000000000400000-0x0000000000408000-memory.dmp