Analysis Overview
SHA256
fc46887dce507c14a49bcecd46df32e3f5946fdf3acef1ef2670c474db6ec43d
Threat Level: Known bad
The file 19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detected Microsoft Outlook phishing page
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-06 00:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-06 00:16
Reported
2024-05-06 00:19
Platform
win7-20240221-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1196 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1196 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1196 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 16.37.50.108:1034 | | tcp |
| US | 32.97.110.142:1034 | | tcp |
| US | 15.197.214.225:1034 | | tcp |
| N/A | 192.168.2.114:1034 | | tcp |
| IN | 4.240.75.108:1034 | | tcp |
| IN | 4.240.75.91:1034 | | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.10.5:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 15.198.4.192:1034 | | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 75.2.70.75:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| IN | 4.240.78.53:1034 | | tcp |
Files
memory/1196-0-0x0000000000500000-0x000000000050D000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/2224-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1196-10-0x00000000001C0000-0x00000000001C8000-memory.dmp
memory/1196-9-0x00000000001C0000-0x00000000001C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2224-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1196-23-0x00000000001C0000-0x00000000001C8000-memory.dmp
memory/1196-22-0x00000000001C0000-0x00000000001C8000-memory.dmp
memory/2224-27-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-28-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-32-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-37-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nhElkwbtb.log
| MD5 | cb3baecd57a17f9399ce7d84cdd7dc56 |
| SHA1 | 686d8d3dd90364213a8a69f5c5e50acb337345e0 |
| SHA256 | aeee89668e539733a9012be3d4975d4652f833a2082ce773b25433524b0ee58e |
| SHA512 | 27fdeec42b254862e9e254a04632670b666ad2acff1b2416836d2fa1654ce80560fe7dc43f7d577b7554ffbf30e635d560a08954dd458e0670fec92234748969 |
memory/2224-41-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-45-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-46-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-50-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-54-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 30355167165cd0b9f1d366ca3b818766 |
| SHA1 | c49f922f22699997f5d6a1791c35659d0ee9e268 |
| SHA256 | 8d80f3f8e9cbfd1dc5baadb8b5942364856fad2bca9afb41fd43194f1b26dbc6 |
| SHA512 | 659ac9e370d1191d8c73110fe80cf19d8eae3305c9bc6ae224285f801135926cf79087a86f7d4b375c4fa163ff015e9bac5820a507f19a964204209930391be3 |
C:\Users\Admin\AppData\Local\Temp\tmp80F.tmp
| MD5 | d60120f0b5aa9fe746e9725a1836babe |
| SHA1 | 97888e9352af33879cf09e4d584f579e6d812add |
| SHA256 | dc0272639889da0520a6d3029ef3a9026e891c10377d9f7e1399dc5d0052ede6 |
| SHA512 | 554132f1e9b285e3917a21de86db0156d30d40566e7f1ec08489009b15d9c44d7cdb4bddad700318a062c5549fd0a49fd55344037f4e17c347dbd1b60bd367c3 |
memory/2224-75-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2224-78-0x0000000000400000-0x0000000000408000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-06 00:16
Reported
2024-05-06 00:19
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detected Microsoft Outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3064 wrote to memory of 5048 | N/A | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 3064 wrote to memory of 5048 | N/A | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 3064 wrote to memory of 5048 | N/A | C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19dbf960387b6d8ffbc478c8af29cbbf_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 16.37.50.108:1034 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 32.97.110.142:1034 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 15.197.214.225:1034 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| N/A | 192.168.2.114:1034 | | tcp |
| US | 8.8.8.8:53 | 88.121.18.2.in-addr.arpa | udp |
| IN | 4.240.75.108:1034 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| IN | 4.240.75.91:1034 | | tcp |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| US | 8.8.8.8:53 | acm.org | udp |
| IE | 209.85.202.27:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 199.89.1.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 65.254.254.51:25 | mx.burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.9.0:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | hachyderm.io | udp |
| IE | 209.85.202.27:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 15.198.4.192:1034 | | tcp |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| NL | 142.250.27.27:25 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 104.17.78.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 99.83.190.102:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | alt3.aspmx.l.google.com | udp |
| NL | 142.251.9.27:25 | alt3.aspmx.l.google.com | tcp |
| IN | 4.240.78.53:1034 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 142.250.153.27:25 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3064-0-0x0000000000500000-0x000000000050D000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/5048-6-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/5048-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-30-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-31-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jeqauh8.log
| MD5 | d348ca61f671e640529b802823dbdf4a |
| SHA1 | ee2c70aeeb4718bb8dd92d76b058f60a74198373 |
| SHA256 | 8e2c6cc539c5c970339d928bbde2e0e5ecdc58a72994030b48ace9eaff908c81 |
| SHA512 | 18e26bd0728ddf8d8c46f69490617a486fac4a5c5d81c0efd8b4bab80e5bb78e50bfb358fbd30e26b7073a6e609e4ad29979e35626ca2a0532bf69e44fbfec72 |
memory/5048-35-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-39-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-40-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 420e8f2c9a9d9a27f4b4dd2343170b31 |
| SHA1 | 8bdf490949461cd6be186d1f6ec6720cd5a8381a |
| SHA256 | 8a8cca426ee206afae0ddfa1faa6365e30be72011006ab09e7f628aa70719cfe |
| SHA512 | df6547ffe41ee4edbc5a9af8631384845ee68f371ca944b710e0503e6d768ecc8c625dddc4c41e96b9f374adc595b304a07d737cc3dbc76d44058dbaf5b76aa6 |
C:\Users\Admin\AppData\Local\Temp\tmpDB59.tmp
| MD5 | 0b241728c6f710d2e28dcc5b1697e750 |
| SHA1 | 4fd02edac4068b77b2813ac5ccc6c29bd46f0df9 |
| SHA256 | b6c3391bc338ecec448c4146a8d78d2d0ba4d67ad8c2cec27b279f35a15d2a30 |
| SHA512 | a93c301e67c66368c4183bcc77ce3ac3c78f575254ff1704aefd7189984f6974c7613ced37d6f02457acbbc47f27b82fc854c7e8f0b59eeb0ef8e00cb8cb0181 |
memory/5048-145-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ2TD4H5\7OR3SRS1.htm
| MD5 | e4b18c4e1dd88c3f829544f790e3b3dc |
| SHA1 | 12bf9f6946fd0a2adb0aeebb66f49c0eb62ff5a4 |
| SHA256 | 008fe7fce567d25b6f16ff0a8f461c885f4a3e07219612bea8ca51e2100ad6a5 |
| SHA512 | 86ed01f797424eabc3f0a1bd9b9b94abdbc588a94b3db26cece6e7c5216dd6459c1e9f1a1403f3f679bfdb879cd5300506560e061462f1244e5687e42d4db5ae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BB8X2UQ6\results[2].htm
| MD5 | 211da0345fa466aa8dbde830c83c19f8 |
| SHA1 | 779ece4d54a099274b2814a9780000ba49af1b81 |
| SHA256 | aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5 |
| SHA512 | 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ2TD4H5\search[2].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
memory/5048-196-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-197-0x0000000000400000-0x0000000000408000-memory.dmp
memory/5048-201-0x0000000000400000-0x0000000000408000-memory.dmp