Malware Analysis Report

2024-07-28 07:56

Sample ID 240609-ebhp9sdb7s
Target 8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103
SHA256 8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103
Tags
upx persistence microsoft phishing product:outlook
score
10/10


Analysis Overview

Threat Level: Known bad

The file 8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103 was found to be: Known bad.

Malicious Activity Summary

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-09 03:46

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 03:45

Reported

2024-06-09 03:52

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe

"C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network


Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\yam3vgopNg.log

C:\Users\Admin\AppData\Local\Temp\tmp24D1.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 03:45

Reported

2024-06-09 03:52

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe

"C:\Users\Admin\AppData\Local\Temp\8572c8cfb8a2e74ba3769289b27fe6316bf02b1fe2bd9cb718dbdca1be700103.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\ngnckogk.log

C:\Users\Admin\AppData\Local\Temp\tmp5482.tmp