Malware Analysis Report

2025-01-19 00:30

Sample ID 240507-j16wlsag99
Target 1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118
SHA256 135fbddd7675f3affc55e4261798f700c9775d668bf8016ef4177d4d768641b5
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

135fbddd7675f3affc55e4261798f700c9775d668bf8016ef4177d4d768641b5

Threat Level: Known bad

The file 1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Read together with the two behavioral runs below, these signatures describe an unsigned, UPX-packed sample that writes services.exe and java.exe directly into C:\Windows (the legitimate services.exe lives in C:\Windows\System32), registers both under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as "Services" and "JavaVM", and starts the dropped services.exe; java.exe is written and registered but is not seen executing within the 150 s window of either run. On the network side, both runs resolve mail-exchanger hostnames and speak SMTP to them directly on TCP/25, and connect to TCP/1034 on several unrelated hosts (three of them RFC 1918 addresses); the Windows 10 run additionally issues repeated HTTP/HTTPS requests to search.lycos.com, www.altavista.com, search.yahoo.com and www.google.com and caches the result pages. That is consistent with a mass-mailing worm that harvests addresses from search-engine results, not with a credential phish. Two caveats for triage: "Suspicious use of WriteProcessMemory" is listed here but appears in neither behavioral run's Signatures, and the "outlook phishing page" signature is most plausibly a side effect of the SMTP session with alumni-caltech-edu.mail.protection.outlook.com (the Microsoft-hosted mail exchanger for alumni.caltech.edu); no file in either Files list is identified as a phishing page.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 08:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 08:09

Reported

2024-05-07 08:11

Platform

win7-20240215-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows in the original export; no indicator, process or target was captured)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 172.19.4.20:1034 tcp
N/A 192.168.1.25:1034 tcp
IN 115.242.106.67:1034 tcp
US 16.49.13.204:1034 tcp
N/A 192.168.1.9:1034 tcp
IN 115.248.246.211:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.11.3:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
IN 4.240.75.254:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
IE 159.134.164.195:1034 tcp

Files

memory/2200-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2200-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2200-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-11-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero-length at this capture; the hashes below are those of an empty file)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2016-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2200-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-49-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-53-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 603ca71b3d4cf6dfa24dfd35cf960962
SHA1 6e1cc3e8d89652fa61c03aacad4ef36becaac67f
SHA256 bedf99782e120a0ad1e619c84c413b464f35d046a193e15e16a5bb63ebcef426
SHA512 f69c42da8a075405fb68e83c634747ed61020393b9c404b7cf4d026ec81f76308a224419f7fafc922545a8a8f9fb943eabed05d02f6ab122070db6a36c561e9b

C:\Users\Admin\AppData\Local\Temp\tmpF3D3.tmp

MD5 423787b1c060c53b13a7f05bf755fbf2
SHA1 cea9e4bc9779eaa56f55db8fda80191c38afbac1
SHA256 f1cb44f6a0fe7705bbff60bb21a673333cdf686ab699976d3917ea7f91d46c2e
SHA512 713bfc43b8a0ea1c7b14087d2e5a42ad0d3ac547f114e0e0aa9a18ffac88e058a863c16b4893c3881400955665348c10dd3ec3b43bc617e2e135a6b8b57c3b5b

memory/2016-71-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2016-74-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 08:09

Reported

2024-05-07 08:11

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows in the original export; no indicator, process or target was captured)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"
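The Run-key, file-drop and process indicators are identical in behavioral1 and behavioral2. The following is an added host-triage example, not part of the sandbox report or its tooling: it checks Sysmon-style events for exactly that pattern (a Run value or a dropped executable pointing straight into C:\Windows, and a process named services.exe executing from anywhere other than System32 or SysWOW64). The event records, their field names (modelled on Sysmon EventID 1, 11 and 13), the SYSTEM_DIRS policy and the two benign control events are assumptions constructed for the example.

```python
"""
Host-side triage of the persistence, file-drop and process indicators above.

Added example, not part of the sandbox report. The events are constructed to
mirror the report's indicators in a Sysmon-like shape (assumed field names:
EventID 1 ProcessCreate with Image/CommandLine, EventID 11 FileCreate with
Image/TargetFilename, EventID 13 RegistryEvent with Image/TargetObject/Details);
two benign control events are included to show what is not flagged.
"""
import ntpath
import re

# Where a process named services.exe legitimately lives. A copy anywhere
# else, including directly under C:\Windows as in this report, is flagged.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
DROPPED_NAMES = ("services.exe", "java.exe")   # names the sample writes into C:\Windows

def norm_path(path):
    """Normalise a path or REG_SZ value: the report renders registry data as a
    quoted string with doubled backslashes, so strip the quotes and unescape;
    then lower-case, since NTFS and the registry are case-insensitive."""
    s = path.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1].replace("\\\\", "\\")
    return s.lower()

def triage_events(events):
    """Return (index, reason) for every event matching the report's pattern."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = norm_path(ev["Details"])
            # A Run value pointing straight into C:\Windows (not System32).
            if ntpath.dirname(target) == r"c:\windows":
                name = ntpath.basename(ev["TargetObject"])
                findings.append((i, "Run value %r -> %s" % (name, target)))
        elif eid == 11:
            tf = norm_path(ev["TargetFilename"])
            if ntpath.dirname(tf) == r"c:\windows" and ntpath.basename(tf) in DROPPED_NAMES:
                findings.append((i, "%s dropped into C:\\Windows by %s"
                                 % (ntpath.basename(tf), norm_path(ev["Image"]))))
        elif eid == 1:
            img = norm_path(ev["Image"])
            if ntpath.basename(img) == "services.exe" and ntpath.dirname(img) not in SYSTEM_DIRS:
                findings.append((i, "services.exe running from %s (masquerade; real one is in System32)"
                                 % ntpath.dirname(img)))
    return findings

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1ffcb501c032d58702e7f5cf964913ac_JaffaCakes118.exe"
RUN = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed events mirroring the report's indicators, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\services.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\java.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN + r"\JavaVM",
     "Details": r'"C:\\Windows\\java.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\services.exe", "CommandLine": r'"C:\Windows\services.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\services.exe", "TargetObject": RUN + r"\Services",
     "Details": r'"C:\\Windows\\services.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\services.exe",            # benign control
     "CommandLine": r"C:\Windows\system32\services.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",        # benign control
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe"'},
]

if __name__ == "__main__":
    for idx, reason in triage_events(SAMPLE_EVENTS):
        print(idx, reason)
```

Run directly, it prints the five findings that correspond to the report's indicators; the two control events (the genuine C:\Windows\System32\services.exe and a vendor Run value under HKCU) produce nothing. Matching on the directory rather than on the file name alone is what keeps the check from firing on the real services.exe.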

Network

Country Destination Domain Proto
N/A 172.19.4.20:1034 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 192.168.1.25:1034 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
IN 115.242.106.67:1034 tcp
US 16.49.13.204:1034 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
N/A 192.168.1.9:1034 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
IN 115.248.246.211:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 74.125.193.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.10.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 search.lycos.com udp
US 8.8.8.8:53 search.yahoo.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 30.81.21.2.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 snai1mai1.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 snai1mai1.com udp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
IN 4.240.75.254:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
IE 159.134.164.195:1034 tcp
US 171.64.64.64:25 tcp
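Both network tables (behavioral1 and the longer behavioral2 list above) mix four kinds of traffic: DNS, direct SMTP on TCP/25, HTTP/HTTPS to search engines, and TCP/1034 to hosts with no DNS name. The following is an added triage script, not part of the report or the sandbox: it parses rows in the table's own layout and separates those classes, splitting private from public destinations. SAMPLE_ROWS is a subset of rows copied from the behavioral2 table; the hint thresholds are the editor's assumptions.

```python
"""
Triage of the sandbox network table above.

Added example, not part of the report: it parses rows in the table's own
"Country Destination [Domain] Proto" layout and sorts connections into DNS
lookups, direct SMTP sessions, web fetches and everything else, separating
private from public destinations. SAMPLE_ROWS are copied from the behavioral2
table; the hint thresholds are the editor's, not the sandbox's.
"""
import ipaddress
from collections import Counter

SAMPLE_ROWS = """\
N/A 172.19.4.20:1034 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
N/A 192.168.1.25:1034 tcp
IN 115.242.106.67:1034 tcp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 74.125.193.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.10.2:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 159.134.164.195:1034 tcp
US 171.64.64.64:25 tcp
"""

def parse_rows(text):
    """Yield (country, ip, port, domain, proto). The Domain column is blank
    for bare-IP connections, so a row has either three or four fields."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = parts[1].rsplit(":", 1)
        yield parts[0], ip, int(port), domain, parts[-1]

def triage_network(text):
    dns_forward, dns_reverse = set(), 0
    smtp, web, other = set(), Counter(), {}
    for _country, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53:
            if domain.endswith(".in-addr.arpa"):
                dns_reverse += 1          # reverse lookups: usually OS background noise
            else:
                dns_forward.add(domain)
        elif proto == "tcp" and port == 25:
            smtp.add((ip, domain))        # the sample talks SMTP itself, without a relay
        elif proto == "tcp" and port in (80, 443):
            web[domain or ip] += 1
        else:
            bucket = other.setdefault((proto, port), {"private": [], "public": []})
            kind = "private" if ipaddress.ip_address(ip).is_private else "public"
            if ip not in bucket[kind]:
                bucket[kind].append(ip)
    hints = []
    mx_ips = {ip for ip, _ in smtp}
    if len(mx_ips) >= 3:
        hints.append("direct SMTP to %d mail exchangers: mass-mailing behaviour" % len(mx_ips))
    for (proto, port), b in sorted(other.items()):
        if b["public"]:
            hints.append("%s/%d to %d public host(s) outside any web or mail pattern"
                         % (proto.upper(), port, len(b["public"])))
    return {"dns_forward": sorted(dns_forward), "dns_reverse": dns_reverse,
            "smtp": sorted(smtp), "web": dict(web), "other": other, "hints": hints}

if __name__ == "__main__":
    for key, value in triage_network(SAMPLE_ROWS).items():
        print(key, value)
```

On the sample rows it reports direct SMTP to four distinct mail exchangers, three search.lycos.com fetches, and TCP/1034 to two private and two public addresses. The RFC 1918 targets (172.19.x, 192.168.x) are local to the sandbox network and are the first thing to discount; the public TCP/1034 hosts are the ones worth a second look, and the search-engine traffic, however voluminous, is address harvesting rather than command and control.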

Files

memory/2440-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2744-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero-length at this capture; the hashes below are those of an empty file)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2744-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-39-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-44-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 679d964a0e634a2c2183964400e8f717
SHA1 0afa9970448acbc99b5fb53f5d10b1b66d972f60
SHA256 afe6579a9d042a3a2e1cd4e7766e60138609dd5d31d7694213e69ad0f3594205
SHA512 75b5b5aaee1a7bb9fe3bcb670140d79f9f3c7118246483fba8198c6635818e63a47f9a1e320488fe96f07cd0f10a664bac047ee38f3c0d2261188e5820b23968

C:\Users\Admin\AppData\Local\Temp\tmp7B9.tmp

MD5 cdf9e5206a2efa3ba90d7765c07ba192
SHA1 a22afc57f95392e27482edfe1709c1a74e96ca95
SHA256 34b11f84603b7232301e26a94333dacc5773ca414fcd47ee3d7d0fa745fc3ae1
SHA512 9f47d1ac0ec6a50c05a94d8982b42d8d9a30a9017ce40776a9a1360ff4ca3d5ea38518adf4ea5396aca05e281cc03fbc18e089bc3e33d2b79c8f0ba1f5b232ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\search[4].htm

MD5 8ac2985620720c55214622eef241e74a
SHA1 2a7629d70966694a81c25870b2e9a6d3325edc00
SHA256 9d2cf46322f49b16a02a9b74063c9b3380af46414f77a37509646bed57bbd109
SHA512 6f1dd013eabe6d1d0dea3b60a31b5dd16541eec46b286c6cfe75e669f7941bd27bc21e053f9887bd86da859296b7e32cf328b482dc5da4f510abd870c7646c83

memory/2744-159-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQX1KJ9K\S4MDM1JT.htm

MD5 adfd31ffbc5a24ac59258f712e55a55d
SHA1 ac20290ecb50fe9ae9dd78df0a2a12d6d049d86c
SHA256 4d0d6ec764e7f771b9f9e4a022f4cc909fd2657bae4a2c61bc1619e6198ed961
SHA512 6015329fc750cd83bc704448c7e541ff8ce94954588fa3729b923c9b291bfa943ebc28df04222e71ec3f8f87848e807168cd8cc900877fff874af11918896569

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\search[4].htm

MD5 46dadc9ccd611d6f22a4d2d494a7c1c1
SHA1 133b85c482b37b91e1a1326d30be1493274bd9a0
SHA256 5157886dda5078eed5d3385e6d0e4a3b4fb4394c2202321567980c23ceda5def
SHA512 e95a0ded9cb1042239f86c4c8b77260ec6a9d9cb9f13766104afbf1f6eb473958d5210ff340f2623cf46210feb2fe79e471d31e783697a3808b610ed56a8ac36

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\search[5].htm

MD5 d5dcdb151fe6a6ba6948e14e8a1e6842
SHA1 6cda4d632fb5c1eb81c0ec451e08cc98739dc1b3
SHA256 38689cc1cfcdf4d08eb904dd6869a5d8b74052c628c1c580b34c5cdbd2a28517
SHA512 94d66bea39a1b1d9b87a073027861fb79f9318b156db14d65f67ee765c4efede1521115e972acd70945d122a25be865201f1b31fad5f68997ccbc92097027af7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQX1KJ9K\search[2].htm

MD5 f4f9b931f284defab71f9930924df26e
SHA1 aae666df58a14f665aec0e9bc1e1c4302ddf895b
SHA256 369080b6d703d5c136fd9d92ab6b6ba198d61c36a60977246187717c69566cba
SHA512 d36f3ba4b1e4d88953f4d75e0f0df633e9a035dbd1fdd7301c0e0e3dbc790fffc4ccc3d1c05c969dc227ae0798cb1340831f1d4bfa8d7e9298c98297ccfac259

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ee7c4bb2d40a95e2f5fa550173dec509
SHA1 90378453393f879749ce42a1f0f84ff62cf09cc9
SHA256 6d31e48369282f6857cdbf5a531692cf788e38624d697bddc463188dfa4e78a2
SHA512 2bccb84243e57bb3cb731deb9156d07df340d510de54e78accda39d3031ef405f7da62e57dba634f6e4ab2b8efbd354a20c1ea2888da33f59b064c854e212851

memory/2744-294-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2744-297-0x0000000000400000-0x0000000000408000-memory.dmp