Malware Analysis Report

2024-09-09 11:22

Sample ID 240620-s263fayhmj
Target 075d4363d086106e25e858ee868dabc0_JaffaCakes118
SHA256 eec0ce6205e7c5649791f474146212ac716b4dc7bd422be980117e963ad95779
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eec0ce6205e7c5649791f474146212ac716b4dc7bd422be980117e963ad95779

Threat Level: Known bad

The file 075d4363d086106e25e858ee868dabc0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 15:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 15:38

Reported

2024-06-20 15:40

Platform

win7-20240419-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 149651a0bfbb95274ab4b2a83e9b8592
SHA1 f4dc741a6cf874ef273d407450da657c2035c0e5
SHA256 589f5d7f367c6d4e6e502eda5e9d89eb6d91c263c5b99467286d6399619972b9
SHA512 af23d2b7e899692cc41833bf087cf947dbb3006a47fa0644b8c4cd3cea64f5f8beb16470baeafe3f4729e10ab84884817c62d9e09306695c2abe769ba5ff6b4d

C:\Users\Admin\AppData\Local\Temp\tmp7409.tmp

MD5 4b49905d57a35a6ca78c072cffd18ed5
SHA1 ef31609c8cc07605d11a093df4dcd38f6755eec9
SHA256 4334f4f8ee5be8234d8f2d5249815284a945985ecc4db951ec0fd65ff2cba9ab
SHA512 301c81b6c5d3f0128c43ac6080882dfb36c3df24c067e9bcee6bd14df5217d04e573a2d201be433110ac23869854b78c5d86f8be18764bc2f2b8f9c8226d1f6c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 15:38

Reported

2024-06-20 15:40

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 10cf654c81c39df0846bb54cb68013fb
SHA1 9400bf505724297991bcdbbe7d40a1f2db179c0a
SHA256 f4d7249680262066ac24c241421909cab28e2ca30677d5b66c96ad36f3203aa8
SHA512 241960110608565c7ecddb076ab6c0b3dbc19deb099493527b2d1630e77a88ebe14d11ed7e5f8bb09e1848786cb9498cb640b2adde8476a780494b26a14eb4af

C:\Users\Admin\AppData\Local\Temp\tmp574E.tmp

MD5 88374c6ec3c7ea58d5f0519075b9e680
SHA1 89e0ecfc57c5d12e1b15c170bade2563252a1e6c
SHA256 54e97c79feefc9059360eef5b3087c1bc45ea9932ba965517d829cd5a768a77f
SHA512 adc5de73250a6263af607d0013496c8d1e1310a5fc51a8ba9d0732ed39b1d1a76f4d1c1648e49c53382f66703fca3705766c33a923f58c8c3df83763db8bd05e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\search[4].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\PBK0HGNY.htm

MD5 d0ad38b81ec98208fd5dc09403f22a40
SHA1 a80774bd46563852041c731df56b64b0924ec08d
SHA256 603ce4a5b3c80bfec21cc59ea145745fe99c368eaeec9f2df988b2c9fa29f0ce
SHA512 cd4247129b79b9e4c6f9bc1945a83a396530a6e75be02ba54e7482ab46c8360c34e9bee9236f6c540c0c3d64695f627826dc9b0b984e3c66388c479fbc2f9cd2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\44ZGVQ6R\search[4].htm

MD5 887babb5a5ff2c0a67b02ec40e6449ee
SHA1 1addffd26ba72f7485452a63a1ac46b0d70db085
SHA256 376dd73a6a70ad7ec79011a19e2c25005be5951dcc1e4235a76ae7b398ca1147
SHA512 6cad1849220cf230d45f36dd75c738729a74277d02c96fddbbf07a54fa5c99bc45e12218dd010d2df5447da52ecf8f734a780611a7dba631e833cb4a668e4c1f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\search[6].htm

MD5 99ca52dfe04ad62e3d911bab802ef8d6
SHA1 e61f297e8c7be7a605588699f2d918046a4a4aff
SHA256 6ec43490f8554c1658128f875c312f40d83d28de4beea3e47d3d64cfddc69c42
SHA512 8ac89494d14a1358f75c7ec6a30f07611c91a7ac901c708740a4df77497e6671753b4d1faa562469e54b3142fe0b2c7e1f0a602da09832c5e20b3ab4185dc648

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 1d535bef12bf4055adebc231e57cbe4d
SHA1 43ed173233e0701757550f82c7bf386b51457e2f
SHA256 81ee7633840bc869ad8c0b97ba08a5c166fe69d0d43a015fc5a85c645c19d31c
SHA512 b48134f4f5a571908049da4e351c45aeea1dc71610d5dde15205fce4001792adc47bceb361aaba967539b5510f8623c7d1f21753d9ff75bd3f8df7c2c7c01e00

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\search[8].htm

MD5 e8a7b4cbe8f68c80aa7099a9852302cc
SHA1 ea1dadbf83b5dd4b485aa88a4aefd2dcf0c4e05a
SHA256 165472dd9be8888377a790325eb567f6cf480f7347394fb9883c66dbef6d85a9
SHA512 0db903ed8c28c4e3d4e3ccc431fee178827f02b478a857c7aca35094d2f9c27c5266332ae9c47ac2ef2b8729e5fa47153bc01f57f6b323677070f9a8c28b3d1c