Malware Analysis Report

2024-07-28 06:55

Sample ID 240614-gb3fsa1bpm
Target a82e6e214154536d029149aabae69c78_JaffaCakes118
SHA256 bb374565e85714d84da222a9f0a64d93b5e74d936c75e820d0a6c9e3c82b4bb7
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb374565e85714d84da222a9f0a64d93b5e74d936c75e820d0a6c9e3c82b4bb7

Threat Level: Known bad

The file a82e6e214154536d029149aabae69c78_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:38

Reported

2024-06-14 05:41

Platform

win7-20240611-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 16.150.146.241:1034 tcp
US 15.197.215.231:1034 tcp
N/A 192.168.1.11:1034 tcp
IN 4.240.78.175:1034 tcp
BR 15.228.173.221:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.9.5:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
IN 4.240.78.15:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 129.42.208.182:1034 tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
IE 159.134.164.128:1034 tcp

Files

memory/352-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1264-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/352-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/352-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1264-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/352-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/352-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-46-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 02fa6b51f3b2f9b2a35bb3e56d91e8cf
SHA1 f4b0df3a3d8e3328a192d60a6dea333dd4c511bc
SHA256 4169c8fb1655be95d0fc2318888b98b1634a5733648b9b33a01c2f6def1c6b3b
SHA512 4c6be621cf21bd982a2af3619fee36673c2748a447bd7b8d3f2278f276f205ae5b1103104db61913bce11a702a0828ca1bc0420ceffb00245deccb95d1b74735

C:\Users\Admin\AppData\Local\Temp\tmpA25A.tmp

MD5 047cd175c7d748d71f45d293b607d8f5
SHA1 08491d8b0dea6472bfad7dbb45a4d1552e6278af
SHA256 1430a2fe1faa841b9999ce63f9b51d1ccd31204fcf577f5d60a506db1efd69a7
SHA512 ec8ffec7069c7b5d9d3923b7b2fe0a425cc3ba5a789f5561df5664e5cefb4828ccbec94b3a77fd911da83514c3edaac25dbed4e0b793beb1148452d7841ab7a8

memory/1264-69-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-73-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-74-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1264-78-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:38

Reported

2024-06-14 05:41

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 16.150.146.241:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 15.197.215.231:1034 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
N/A 192.168.1.11:1034 tcp
IN 4.240.78.175:1034 tcp
BR 15.228.173.221:1034 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IN 4.240.78.15:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 8.8.8.8:53 cs.stanford.edu udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.194.0:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
SG 74.125.200.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 www.altavista.com udp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
NL 23.63.101.153:80 r11.o.lencr.org tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 153.101.63.23.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 129.42.208.182:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.227.224:25 burtleburtle.net tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
IE 159.134.164.128:1034 tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp

Files

memory/4896-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2664-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2664-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-39-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-44-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 aac1ac7d48d54cb25259f064fa58a086
SHA1 e89e56cf20d0cff2a2fb8cbf04866d317b08007e
SHA256 1edb4084c84ed0a387d10c677ec4aaee09b10ee9e82c4b9a3792de147433582f
SHA512 2dd6de3e54bcb96cc3ad8f39d6523dda2d56441591be48658e322af4f1f58ef1a2361c50531a13b82e3881beff66321604327bf47dfa5db60153761c1686a00d

C:\Users\Admin\AppData\Local\Temp\tmp64.tmp

MD5 a9026fa2d0f2e184a7d654d21e8fe7aa
SHA1 48a973377e57c20787944c9c7fcf0f330b92fb75
SHA256 b2a6bcd68f92f0f7061f0b69c06b7e080b9510e743ebcd6b59006467a4c5b4fc
SHA512 3c34b1f299d77b0b50eebe8a2a3cd2c025a199cc8f70f90ea36624aa8d4c12c85d377b76ab080ea90470eb088938dc50554add3e52c0f39c24003edb4306afea

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[2].htm

MD5 77414aecfeb870e74cdfcf064402eea6
SHA1 a7e2e01c2d9095d18690dbd88104ce080c6792d8
SHA256 4ee2c5e1b61ad9a088bfe4068af04a2944678f0d52d2445a41c8b3f34972d0c4
SHA512 b5f7100e7ad36afbbac7aa7ed1138d6e7822a5968872167bdf861d76b3a6ea905dd4c594f73f3e95f840606cea2a4ab7aa3390913c4014a98ed103a9fcc5d4fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[1].htm

MD5 199013728228f2a3f453a1343a8b05e5
SHA1 22face282fc1490de668860913c02ec26545476d
SHA256 59d8d594f985ac82dea568c7193b76faa2fa762f0635c02b85c1840fe9e42ee5
SHA512 447a39aaecca9f0d627a6ca3c77fb4cd2768ddccfa2903fd233cafe7abab67db5b91dc5ecfd3472fa3b456afa8948b21474e6e47a1fd8c03f557fa27948bf337

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\search[2].htm

MD5 3bc89b49ea29fa1b300778cfe29645ef
SHA1 f5b7ab56a13d9787c6788c27f76310c87b922b92
SHA256 1736b2d05756e813a5aa8d49fba33338cb42cb4c20ddedcc0f3c2e5319acc14e
SHA512 108c4fd2b23f3677f2a6618999007f91424ccf49bfc6edcb8b8dc32c3dac96f63aca3c27f149e18ece19634cbced83645f40db24dfe2cf3ad04a383e153c8876

memory/2664-158-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\QSU2IYHZ.htm

MD5 181b66865a3361f61971ab5f37ed63b6
SHA1 aca1c6ca00fe9da671e16ce0f9d017cde5df120c
SHA256 49bc50c30e7487a6adf46f1cd148451ddd406623bb8c87150d32b8f7a3feba70
SHA512 ce6567085358c26e972f1cc57cb32293742ea63724c1d21b822d20b47f83de24b0dba876db76f48f3528354e21370ff94f705630204804663255b7c18aaae914

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\results[1].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\FUKAQ2PX.htm

MD5 cc35b4374c511ebcd612b256c0fb1173
SHA1 9b61f3dc483eef83805a2fb9dc762c3797a2a43c
SHA256 763af7663aa21969412212d32a6736e64009ece0213a4f2b3b8710e0c16d9080
SHA512 d4df6da3be30f6da1561f7167273d4da5d9abf233c3bf1f7cb80da95bd13b8fd6a1dff8ae6c8fd2c6cbe9b67f721c95c63d7beed5f5b7fe1506b97de617aba5b

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 a4f416adb70efb9186915588222eb9e3
SHA1 50b1655ce6cc76c6091edae51886c7bad5f70089
SHA256 93395751ecbe4b820be81436eaa8761a7d07558768ec6e4453cbb2864b80cd1b
SHA512 bf215517e17881b0099480452c6d19dbd04ad3421f1584b9da06d7699d4f599204bc2d381bf3835964bc7c88a56732b34d76904ed9421043ed2649e90497da87

memory/2664-306-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-309-0x0000000000400000-0x0000000000408000-memory.dmp