Malware Analysis Report

2024-09-09 11:01

Sample ID 240618-gymnvavdnj
Target bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118
SHA256 991c0ac120fd780a8acacfca0ce77c161fc8509fddbe6f9cc74cbf1a8ccfd372
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

991c0ac120fd780a8acacfca0ce77c161fc8509fddbe6f9cc74cbf1a8ccfd372

Threat Level: Known bad

The file bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 06:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 06:12

Reported

2024-06-18 06:15

Platform

win7-20240220-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
16 matches reported; the sandbox exported no indicator, process or target detail for any of them (all N/A)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto (Domain is blank where the sample connected directly to an IP address)
N/A 169.254.109.155:1034 tcp
IN 4.240.78.237:1034 tcp
IN 4.240.78.175:1034 tcp
IN 4.240.75.94:1034 tcp
N/A 192.168.0.32:1034 tcp
US 15.136.121.176:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.41.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 24.196.145.49:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 208.189.196.18:1034 tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp

Files

memory/2468-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/836-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-10-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2468-9-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero-byte file at this snapshot: the hashes below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/836-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-22-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2468-23-0x0000000000220000-0x0000000000228000-memory.dmp

memory/836-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-46-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 cc5b7ab757276e93780180778761bafd
SHA1 414e9dcda0658191693b62176fd1a113c650438e
SHA256 008cee54ac90fdc28eff0591bd4b06403ca78e004fff34bfa3536cc9f2351ab8
SHA512 11732d3388e278de35cd3d17520faaaa5f0876fbb55a472857c08d8df8a73e8b3999f23047e229327f54141f894a5c38eac977367849d831246cf042387e9247

C:\Users\Admin\AppData\Local\Temp\tmpB1D2.tmp

MD5 0d64cfaa651245887e9446e2f5629acb
SHA1 307c8195d9bd2614853aa1131490092d7a0a5250
SHA256 14ae9e5abb5acb15f5526412d3d865bc4a29a8f9df3daf1c58dac695f8d9c4e1
SHA512 eb71f344e02ebec0efa593514275d71d4a08b73be263c823a86b9fc4e84993b80020afd0732718bba1bb1a647d43791ea2ca88ad6a4c9cb65a1d1ff62ac05523

memory/836-61-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-64-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-65-0x0000000000400000-0x0000000000408000-memory.dmp

memory/836-69-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 06:12

Reported

2024-06-18 06:15

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook
No indicator row was exported for this signature, so the report does not show which fetched page or URL triggered it; the only Outlook-related traffic in the Network section below is SMTP (TCP/25) to *.protection.outlook.com mail exchangers.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
16 matches reported; the sandbox exported no indicator, process or target detail for any of them (all N/A)
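The UPX signature above records 16 hits but exports nothing about what matched. The checker below is an added example, not the sandbox's own detection logic, and shows the kind of evidence such a signature rests on: it parses the PE section table, then flags UPX-named sections, a first section with no raw data (the decompression target), and a high-entropy raw section (the compressed payload). Because the report carries no bytes of the sample, the minimal PE images it scans are constructed inside the block by build_pe; the 1 KiB minimum and the 7.0 bits/byte entropy threshold are this example's assumptions. The second constructed image has its sections renamed to show why the check should not rely on section names alone.

```python
import math
import struct
from collections import Counter

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and typical of compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(pe: bytes) -> list:
    """Packer indicators: UPX section names, a virtual-only first section
    (the unpacking target) and high-entropy raw data (the compressed payload).
    Thresholds (>= 1 KiB, entropy > 7.0) are this example's assumptions."""
    sections = parse_sections(pe)
    hits = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        hits.append("upx_section_names")
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] >= 0x1000:
        hits.append("first_section_virtual_only")
    for s in sections:
        raw = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        if len(raw) >= 1024 and shannon_entropy(raw) > 7.0:
            hits.append("high_entropy:" + s["name"])
    return hits


def build_pe(spec: list) -> bytes:
    """Constructed minimal PE image for the demo (no optional header, 0x200
    file alignment). spec: [(section name, VirtualSize, raw bytes), ...]."""
    header_len = 0x40 + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(spec)
    data_start = (header_len + 0x1FF) & ~0x1FF
    table, blobs, cursor = b"", b"", data_start
    for name, vsize, raw in spec:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocations/line numbers (unused here), Characteristics.
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             vsize, 0x1000, len(raw), cursor if raw else 0,
                             0, 0, 0, 0, 0x60000020)
        blobs += raw
        cursor += len(raw)
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, 0, 0x0102)
    image = dos_header + b"PE\0\0" + coff + table
    return image + b"\0" * (data_start - len(image)) + blobs


HIGH_ENTROPY = bytes(range(256)) * 16          # 4 KiB with exactly 8.0 bits/byte
SAMPLES = {                                    # constructed images, not the analysed sample
    "upx":     build_pe([("UPX0", 0x8000, b""), ("UPX1", 0x1000, HIGH_ENTROPY), (".rsrc", 0x200, b"\0" * 512)]),
    "renamed": build_pe([(".text", 0x8000, b""), (".data", 0x1000, HIGH_ENTROPY), (".rsrc", 0x200, b"\0" * 512)]),
    "clean":   build_pe([(".text", 0x1000, b"\x90" * 4096), (".data", 0x200, b"\0" * 512)]),
}

if __name__ == "__main__":
    for label, pe in SAMPLES.items():
        print(label, [s["name"] for s in parse_sections(pe)], scan(pe))
```

A real sample is checked by passing the file's bytes to scan(); the "renamed" image triggers two of the three indicators without any UPX string in it, which is why the raw-size and entropy checks are worth keeping alongside the name check.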

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe | N/A
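Both detonations (behavioral1 and behavioral2) record the same two autostart values: JavaVM pointing at C:\Windows\java.exe, written by the original sample, and Services pointing at C:\Windows\services.exe, written by the dropped services.exe itself. The classifier below is an added example, not the sandbox's own signature logic. It parses "Set value" records in this report's column layout and flags what makes these entries suspicious independently of file hashes: the target binary lives in the Windows root rather than System32, its name collides with a real System32 binary, the writing process runs from the user's Temp directory, or the binary registers itself. The two malicious records are the report's own; the third is a constructed benign record, and the SYSTEM32_ONLY list is this example's assumption.

```python
import ntpath
import re
from typing import Optional

# One record per Run-key write, in the column layout this report uses:
#   Set value (<type>) <key> = "<data>" <writing process> <target>
RUN_KEY_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$'
)

# Binaries that legitimately live only under System32/SysWOW64; a same-named
# file in the Windows root is a name collision used to blend in. (Assumed list.)
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "smss.exe", "wininit.exe"}

# First two records are copied from this report; the third is a constructed
# benign entry used to show that the checks do not fire on ordinary autostarts.
RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" C:\Windows\System32\msiexec.exe N/A',
]


def unescape(path: str) -> str:
    """The report doubles backslashes inside quoted registry data."""
    return path.replace("\\\\", "\\")


def classify(record: str) -> Optional[dict]:
    """Return the parsed autostart entry with its suspicion flags, or None
    if the record is not a Run-key write."""
    m = RUN_KEY_RE.match(record)
    if not m:
        return None
    key = m.group("key")
    if "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\" not in key.upper():
        return None                       # some other registry write; out of scope
    data = unescape(m.group("data"))
    proc = m.group("proc")
    name = ntpath.basename(data).lower()
    directory = ntpath.dirname(data).lower()
    flags = []
    if directory == r"c:\windows":
        flags.append("binary_in_windows_root")        # java.exe / services.exe here
    if name in SYSTEM32_ONLY:
        flags.append("masquerades_system_binary")     # services.exe outside System32
    if "\\appdata\\local\\temp\\" in proc.lower():
        flags.append("writer_in_user_temp")           # the original dropper
    if proc.lower() == data.lower():
        flags.append("self_registering")              # dropped copy persists itself
    return {"value": ntpath.basename(key), "data": data, "writer": proc, "flags": flags}


def triage(records: list) -> list:
    """Classify every record and keep only the Run-key entries."""
    return [c for c in (classify(r) for r in records) if c is not None]


if __name__ == "__main__":
    for entry in triage(RECORDS):
        print(entry["value"], "->", entry["data"], entry["flags"] or "no findings")
```

On a live host the same flags can be evaluated against the output of a Run-key enumeration (HKLM and the Wow6432Node view, as seen here); the point of the flags is that they hold even after the dropped binaries are rebuilt with new hashes.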

Processes

C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bb10d2680402f7c8bde578b901ca58ca_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto (Domain is blank where the sample connected directly to an IP address)
N/A 169.254.109.155:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
IN 4.240.78.237:1034 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
IN 4.240.78.175:1034 tcp
IN 4.240.75.94:1034 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
N/A 192.168.0.32:1034 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 acm.org udp
FI 142.250.150.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.10.8:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 www.google.com udp
BE 2.17.107.153:80 r11.o.lencr.org tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 hachyderm.io udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 209.202.254.10:80 search.lycos.com tcp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 consent.google.com udp
GB 142.250.187.238:443 consent.google.com tcp
GB 142.250.187.238:443 consent.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 153.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 15.136.121.176:1034 tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
TW 142.250.157.26:25 alt4.aspmx.l.google.com tcp
US 24.196.145.49:1034 tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
SG 74.125.200.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
HK 52.101.132.29:25 outlook-com.olc.protection.outlook.com tcp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
SG 74.125.200.26:25 alt3.aspmx.l.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 208.189.196.18:1034 tcp
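Read together, the Network tables of both detonations show a mass-mailing pattern: the sample resolves a set of harvested domains (alumni.caltech.edu, gzip.org, acm.org, cs.stanford.edu, burtleburtle.net, outlook.com), then their mail exchangers (mx., mail., smtp*, aspmx*, *.protection.outlook.com names) and opens TCP/25 to them; in behavioral2 it also fetches result pages from Google, Yahoo, Lycos and AltaVista over HTTP(S) (the cached search[N].htm files appear in the Files section below) and performs many reverse (in-addr.arpa) lookups; in both runs it connects to TCP/1034 on a fixed set of peers, two of which (169.254.109.155, 192.168.0.32) are not routable. The triage script below is an added example, not part of the report or the sandbox, that parses rows in this report's layout into those buckets. The table inside it is a constructed subset of the rows above; the mail-host name heuristic and the search-engine list are this example's assumptions.

```python
import ipaddress
import re
from collections import Counter

# One row in this report's layout: "<country> <ip>:<port> [<domain>] <proto>".
# Domain is absent when the connection went straight to an IP address.
ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Assumed list of the search hosts this sample is seen talking to.
SEARCH_ENGINES = {"www.google.com", "search.yahoo.com", "search.lycos.com",
                  "www.altavista.com", "www.bing.com", "g.bing.com"}

# Constructed subset of the rows in this report (header included to show it is skipped).
SAMPLE_TABLE = """
Country Destination Domain Proto
N/A 169.254.109.155:1034 tcp
IN 4.240.78.237:1034 tcp
N/A 192.168.0.32:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.41.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 24.196.145.49:1034 tcp
"""


def is_mail_server_name(domain: str) -> bool:
    """Heuristic (assumed): names a mass-mailer resolves after guessing or
    looking up a domain's MX hosts."""
    d = domain.lower()
    return (d.startswith(("mx.", "mail.", "smtp"))
            or "aspmx" in d or "protection.outlook.com" in d)


def parse_rows(table: str) -> list:
    """Turn the report's text rows into dicts; non-matching lines are skipped."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def summarize(rows: list) -> dict:
    """Bucket rows into the behaviours worth reporting for a mailer/backdoor."""
    smtp, search_hits = Counter(), Counter()
    mail_lookups, other_lookups, peers_1034 = set(), set(), set()
    reverse_lookups = 0
    for r in rows:
        dom, port, proto = r["domain"], r["port"], r["proto"]
        if proto == "tcp" and port == 25:
            smtp[dom or r["ip"]] += 1                     # direct-to-MX delivery
        elif proto == "udp" and port == 53 and dom:
            if dom.endswith(".in-addr.arpa"):
                reverse_lookups += 1
            elif is_mail_server_name(dom):
                mail_lookups.add(dom)                     # MX / guessed mail hosts
            elif dom not in SEARCH_ENGINES:
                other_lookups.add(dom)                    # harvested target domains
        elif proto == "tcp" and port in (80, 443) and dom in SEARCH_ENGINES:
            search_hits[dom] += 1                         # search-engine scraping
        elif proto == "tcp" and port == 1034 and dom is None:
            peers_1034.add(r["ip"])                       # hard-coded peer list
    public = [ip for ip in peers_1034 if ipaddress.ip_address(ip).is_global]
    nonpublic = [ip for ip in peers_1034 if not ipaddress.ip_address(ip).is_global]
    return {
        "smtp_connections": dict(smtp),
        "mail_server_lookups": sorted(mail_lookups),
        "other_lookups": sorted(other_lookups),
        "reverse_lookups": reverse_lookups,
        "search_engine_hits": dict(search_hits),
        "port_1034_public": sorted(public, key=ipaddress.ip_address),
        "port_1034_nonpublic": sorted(nonpublic, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

Feeding the full behavioral2 table to parse_rows gives the complete picture; the public port-1034 peers and the SMTP targets are the rows worth carrying into a block list, while the MX names and search hosts are noise that would generate false positives if blocked.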

Files

memory/4488-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/5012-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero-byte file at this snapshot: the hashes below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5012-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-39-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 f960463cefde2766067ae49b2ecd7ea0
SHA1 f4f6bac1e46b794ebcec48f4d20398c29bb112c2
SHA256 10874caf9159e2565fa7d5d73386fc6cb7e27ab4310e08aa441572aa37d4c26b
SHA512 c23fe547c0b11865551e08d4ed67c07cfcd06d479453d62f7baeb7274b0b964d77f02e957bbaf7005c1cc5a1eb3d42e818ebd976e964bcce7f4f6c3ab8d737be

memory/5012-49-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC531.tmp

MD5 7fe52bbce6ff74f999653749cc3e4536
SHA1 850baeebb7dd69b3360e65e5eb8ec2f4262c6d6a
SHA256 70a815e41209eee950f22eef6ed4974f96cf4d9f563ccc9ba06c3bd7aee6d8f6
SHA512 46a576f29b2dee48fd84c6679af08ff84aff7bc55eb1aeed0944826bf2afc61fed22df65437a99998a9a1bf62b7dd2f551430db9b872d807c0af6cf2e009fd38

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\A927FWYH.htm

MD5 a0a80f56efc07952148e3cdcd95ba760
SHA1 d2e91adb69da154ce27c0bc273f65d28083c20ef
SHA256 1cfd740662b45a2202cadcf92010f2cd48d980943b2e85557709427bcba8e558
SHA512 8a8df02a08f942caa89a5a0628720150dfe8af48532c0eec62f151ae864f74966d568d61e7a659407b1c8aa6c528f7344b34e2263547e846379bb34fe322b9a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\search[7].htm

MD5 cd62d05ca04ffcff59fcf4af369ef469
SHA1 9e5938d6f0f257adf09da9200de4aed1694abe80
SHA256 a6880bedc146498d64723ccfaae7f1b8b34b2a130863c204de166cef83971142
SHA512 8fa4a5e119463d7d9bb533ca900e3d9de9a83eee3c98ea719ed37737ba5e70c034b7120acc40948fbf5c1b903e228f2aec1ba7185a17b73ec37bf8e119b79995

memory/5012-336-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\search[10].htm

MD5 09f277f58c73b95b88e0c964e5d99c82
SHA1 841eb66b710aab080f7c3b2077c88050b35838a8
SHA256 6583fc4ef7ab6a1dbd6b38bcc16a67126f33187b14e45a41bfc9c2283f936e36
SHA512 33d251f879f30b9e31958c1e817d4eaa4aef34362e583f365bad9daef3d0eaa9f265767f2aa2bd2ec89614b46a614441aea740ea8ae110fd26bbd3a32f96011b

memory/5012-368-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-369-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5012-373-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 8b4e52a6df3bebf882ba4bd9c25204ca
SHA1 ea90bae99f003865fbaaf69c210ebce235bcaac4
SHA256 2221af24d5fe88a675773c9edcd580072898d6251d5ee5fa495d121619b0a102
SHA512 3f4bf158dcb2fb9e4dce6e4fb3bdecd5a670d81d08047e1dfe302ab1b4d1c1d745d24faf17a1ecf3453eab5c434a91b70ff8c51def5e9c9cd004e4065bdbcc1e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[10].htm

MD5 236e7427ffe374ceb0406f7522edcf8f
SHA1 e848b9f3a2232b562f1322948d43f2872a1cee2d
SHA256 ee5855851cf6ecde95a01dbf0a3ca27242e6cafb893728796dde66e281cb1987
SHA512 ffd5cc00957e7a83e2d4228397c3f9c4dd69ce7597563e3e3069495f471f8944a563c7dc91720920fb5e81ddcca3160f968bfcc901d78c9085f717e4e556f344