Malware Analysis Report

2025-03-15 00:43

Sample ID 241023-v9zz7svbnk
Target 8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N
SHA256 8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49
Tags: upx mydoom discovery persistence worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49

Threat Level: Known bad

The file 8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N was found to be: Known bad.

Read together, the two detonations below describe a mass-mailing worm: the sample drops C:\Windows\services.exe and registers it under the HKLM ...\CurrentVersion\Run key (a second Run value points at C:\Windows\java.exe, which is not recorded among the dropped files), connects to RFC 1918 addresses on TCP 1034, resolves mail-exchanger names for several domains and delivers mail itself over TCP 25, and in the Windows 10 run queries Google, AltaVista, Yahoo and Lycos. A zincite.log is written to %TEMP%, initially as a zero-byte file.

Malicious Activity Summary

Tags: upx mydoom discovery persistence worm

MyDoom
Detects MyDoom family
Executes dropped EXE
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

The rendered matrix is not reproduced here. Two of the signatures above are ATT&CK techniques by name: Adds Run key to start application is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and System Location Discovery: System Language Discovery is T1614.001.

Analysis: static1

Detonation Overview

Reported: 2024-10-23 17:42

Signatures

UPX packed file (tag: upx)
No indicator, process or target recorded for the static match.

Unsigned PE
No indicator, process or target recorded.
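
The static UPX match above is the kind of check a section-table walk gives you. The Python below is an added example written for this page (the editor's code, not the sandbox's rule or the sample): it parses the PE headers by hand, lists the section names, and reports the UPX0/UPX1 names and the "UPX!" magic that UPX leaves behind. The `build_minimal_pe` fixture constructs a skeletal PE so the example runs offline; its section list is made up for the demonstration. UPX can be told to rename its sections, so a miss does not prove the file is unpacked, and a hit only says "packed", not "malicious".

```python
import struct

# Section names UPX writes into a packed PE: UPX0 is the (empty on disk) region
# the stub unpacks into, UPX1 holds the compressed image and the decompression
# stub; a .rsrc section is usually left unpacked. UPX2 appears in some builds.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image given its raw bytes ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    section_table = coff + 20 + size_of_optional             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = section_table + i * 40                         # sizeof(IMAGE_SECTION_HEADER)
        if off + 40 > len(data):
            break                                            # truncated table: report what exists
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX section names, or the 'UPX!' l_info magic near the PE headers."""
    names = set(pe_section_names(data))
    return bool(names & UPX_SECTION_NAMES) or (b"UPX!" in data[:0x1000])


def build_minimal_pe(section_names: list) -> bytes:
    """Construct a skeletal 32-bit PE with the given section names (test fixture only)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0                                  # IMAGE_OPTIONAL_HEADER32
    file_header = struct.pack("<HHIIIHH",
                              0x14C,                         # IMAGE_FILE_MACHINE_I386
                              len(section_names), 0, 0, 0,
                              size_of_optional,
                              0x102)                         # EXECUTABLE_IMAGE | 32BIT_MACHINE
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    section_table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos_header + b"PE\0\0" + file_header + optional_header + section_table


if __name__ == "__main__":
    for label, sections in (("packed", [b"UPX0", b"UPX1", b".rsrc"]),
                            ("plain", [b".text", b".rdata", b".data"])):
        image = build_minimal_pe(sections)
        print(label, pe_section_names(image), "upx" if looks_upx_packed(image) else "no-upx")
```

To apply it to a real sample, read the file in binary mode and pass the bytes to `looks_upx_packed`; the section list from `pe_section_names` is also what you compare against the dumps under Files, since an in-memory dump of the unpacked image no longer needs the UPX0/UPX1 layout.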

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-23 17:42
Reported: 2024-10-23 18:01
Platform: win7-20241023-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe"

Signatures

Detects MyDoom family (rule: MyDoom; tags: worm, mydoom)
6 matches; the sandbox recorded no per-match indicator, process or target.

Executes dropped EXE
Process: C:\Windows\services.exe

Adds Run key to start application (tag: persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A
The Wow6432Node path is the 32-bit view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on a 64-bit guest, and values there are still processed at logon. The Services value is written by the dropped services.exe itself; java.exe is not recorded among the dropped files in this run.

UPX packed file (tag: upx)
22 matches with no per-match details recorded; the count is consistent with the 20 memory dumps listed under Files plus the sample and the dropped services.exe.

System Location Discovery: System Language Discovery (tag: discovery)
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe

"C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto ("-" where the sandbox recorded no name; the 172.16/10/192.168 destinations are RFC 1918 addresses)
N/A 172.16.1.3:1034 - tcp
N/A 10.156.133.4:1034 - tcp
N/A 10.0.77.20:1034 - tcp
N/A 192.168.2.155:1034 - tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.9.21:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 10.128.8.216:1034 - tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 10.127.0.6:1034 - tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp

Files

memory/3032-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3032-3-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero bytes at capture time: the four digests below are those of the empty input; a later capture of the same path with content follows)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3032-15-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2160-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3032-36-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3032-41-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2160-42-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 0f716581a70351060f6a11c308cab9bf
SHA1 d655eb24a20ca06230ce728cb8d5b9b86cc0a896
SHA256 d53cf0dee73116ae8174e9798f1dfbf435bdb7dfb50c4f6a4518239820c051e1
SHA512 21d0826e9c6e7a92455c299f8de26e5f65fe10f53c210e064eec25e42cb281603bce5c6f8c6d2cd01549f66a8912cb04df1f1888ff443f34eac269483f27119b

C:\Users\Admin\AppData\Local\Temp\tmpD4AD.tmp

MD5 1d880fcb2140b694c104369bf9e64288
SHA1 19a44b15d418a4337150654e124b64d64624044b
SHA256 abfea9c23682d88d129e06fb94ab01047056608938af52462b421f265a3b24b5
SHA512 be8820d1c54ec9398a1a831c3e5529f8c84c594c8493de5b612b683fcca5e7bca73bcff90da9f4a127b48c6bbbf32ec3f442adf74e5ac1075f2ceeac3bbf2017

memory/2160-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3032-62-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2160-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3032-67-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3032-69-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2160-70-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2160-75-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-23 17:42
Reported: 2024-10-24 10:52
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe"

Signatures

Detects MyDoom family (rule: MyDoom; tags: worm, mydoom)
8 matches; the sandbox recorded no per-match indicator, process or target.

Executes dropped EXE
Process: C:\Windows\services.exe

Adds Run key to start application (tag: persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A
Same two values as in behavioral1: the 64-bit Windows 10 guest records the 32-bit process's write under WOW6432Node, which the logon sequence still processes.
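
The same two Run values appear in behavioral1 and behavioral2. As an added example (the editor's code, not sandbox output), the Python below parses rows in the shape this report prints and flags what an analyst checks by hand: the value lives under a Run key, the image sits in C:\Windows while carrying the name of a binary that only belongs in System32, the writer is the image itself, and the writer runs from %TEMP%. The two sample rows are copied from behavioral1; the flag names and the `SYSTEM32_ONLY` list are the editor's choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Row shape used by the report:  Set value (str) <key> = "<data>" <writing process> <target>
RUN_KEY_ROW = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<writer>\S+) (?P<target>\S+)$'
)

# Binaries that legitimately exist only under %SystemRoot%\System32 (editor's list).
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "smss.exe", "wininit.exe", "spoolsv.exe"}

# The two rows copied from this report's behavioral1 detonation.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A',
]


@dataclass
class RunKeyFinding:
    value_name: str               # name of the Run value, e.g. "Services"
    image_path: str               # what gets launched at logon
    writer: str                   # process that wrote the value
    flags: List[str] = field(default_factory=list)


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_run_key_row(row: str) -> Optional[RunKeyFinding]:
    """Parse one 'Set value' row and attach the checks an analyst would apply."""
    m = RUN_KEY_ROW.match(row.strip())
    if not m:
        return None
    key = m.group("key")
    image = m.group("data").replace("\\\\", "\\")        # the report doubles backslashes in REG_SZ data
    writer = m.group("writer")
    finding = RunKeyFinding(value_name=key.rsplit("\\", 1)[-1], image_path=image, writer=writer)
    if "\\currentversion\\run\\" in key.lower():
        finding.flags.append("autostart")
    if _dirname(image) == "c:\\windows":
        finding.flags.append("image_in_windows_root")     # real service binaries live in System32
    if _basename(image) in SYSTEM32_ONLY and not _dirname(image).endswith("\\system32"):
        finding.flags.append("system_binary_name_outside_system32")
    if image.lower() == writer.lower():
        finding.flags.append("self_persisting")           # the dropped file registered itself
    if "\\appdata\\local\\temp\\" in writer.lower():
        finding.flags.append("writer_running_from_temp")
    return finding


def triage_run_key_rows(rows: List[str]) -> List[RunKeyFinding]:
    return [f for f in map(triage_run_key_row, rows) if f is not None]


if __name__ == "__main__":
    for f in triage_run_key_rows(SAMPLE_ROWS):
        print(f"{f.value_name:<10} {f.image_path:<28} {', '.join(f.flags)}")
```

On a live host the same checks apply to the output of `reg query` for both HKLM Run keys (native and Wow6432Node) and to the HKCU Run key, which this sample did not touch.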

UPX packed file (tag: upx)
24 matches with no per-match details recorded; the count is consistent with the 22 memory dumps listed under Files plus the sample and the dropped services.exe.

System Location Discovery: System Language Discovery (tag: discovery)
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe

"C:\Users\Admin\AppData\Local\Temp\8dba599b863e224fe8a0d5a839bfddbc6a43823fff895678668168394852fb49N.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto ("-" where the sandbox recorded no name; the 172.16/10/192.168 destinations are RFC 1918 addresses)
N/A 172.16.1.3:1034 - tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 10.156.133.4:1034 - tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
N/A 10.0.77.20:1034 - tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 acm.org udp
NL 142.250.153.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 8.8.8.8:53 cs.stanford.edu udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.41.28:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
GB 142.250.200.36:80 www.google.com tcp
GB 142.250.200.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.200.36:443 www.google.com tcp
GB 142.250.200.36:443 www.google.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 2.18.190.73:80 r11.o.lencr.org tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 36.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.200.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 consent.google.com udp
GB 216.58.201.110:443 consent.google.com tcp
GB 216.58.201.110:443 consent.google.com tcp
GB 142.250.200.36:443 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.200.36:80 www.google.com tcp
US 8.8.8.8:53 caltech.edu udp
GB 142.250.200.36:80 www.google.com tcp
US 8.8.8.8:53 mx1.caltech.iphmx.com udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.200.36:443 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.200.36:443 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 68.232.147.192:25 mx1.caltech.iphmx.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 192.168.2.155:1034 - tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 mx2.caltech.iphmx.com udp
US 68.232.147.192:25 mx2.caltech.iphmx.com tcp
N/A 10.128.8.216:1034 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
DE 142.251.9.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 8.8.8.8:53 mail.mailroute.net udp
IE 52.101.68.2:25 outlook-com.olc.protection.outlook.com tcp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 caltech.edu udp
US 52.26.125.194:25 caltech.edu tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 10.127.0.6:1034 - tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
FI 142.251.1.27:25 aspmx4.googlemail.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 outlook.com udp
US 104.17.78.30:25 acm.org tcp
US 52.96.111.82:25 outlook.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
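
One block serves both the behavioral1 and the behavioral2 Network tables. It is an added example (the editor's code, not sandbox output) that parses rows in the report's format and buckets them into the behaviours the tables show: direct SMTP delivery to many mail exchangers, DNS lookups of guessed mail-host names (mx., mail., smtp.), PTR lookups, HTTP(S) to the four search engines, and TCP 1034 to RFC 1918 addresses. The sample rows are copied from the two tables; the bucket names, the prefix list and the treatment of port 1034 are the editor's. TCP 1034 is the listening port of the Zincite backdoor that MyDoom variants install, so connections to neighbouring hosts on it are consistent with the worm looking for already-infected machines; the report itself does not state this, and the example labels the bucket neutrally.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four engines contacted in the behavioral2 run (address harvesting by web search).
SEARCH_ENGINES = {"www.google.com", "www.altavista.com", "search.yahoo.com", "search.lycos.com"}
# Hostname prefixes a mass-mailer tries when guessing a domain's mail server; the first
# three appear verbatim in the report, the rest are the editor's additions.
MX_GUESS_PREFIXES = ("mx.", "mail.", "smtp.", "mx1.", "mail1.", "relay.")
BACKDOOR_PORT = 1034          # port of the private-range TCP connections in both runs

# Rows copied from the two Network tables above; 3-token rows have no Domain column.
SAMPLE_ROWS = [
    "Country Destination Domain Proto",
    "N/A 172.16.1.3:1034 tcp",
    "US 8.8.8.8:53 alumni.caltech.edu udp",
    "US 52.101.9.21:25 alumni-caltech-edu.mail.protection.outlook.com tcp",
    "US 85.187.148.2:25 gzip.org tcp",
    "US 8.8.8.8:53 mx.alumni.caltech.edu udp",
    "US 8.8.8.8:53 mail.alumni.caltech.edu udp",
    "US 8.8.8.8:53 smtp.alumni.caltech.edu udp",
    "US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp",
    "IE 212.82.100.137:80 www.altavista.com tcp",
    "IE 212.82.100.137:443 search.yahoo.com tcp",
    "GB 142.250.200.36:80 www.google.com tcp",
    "US 209.202.254.10:80 search.lycos.com tcp",
    "US 171.64.64.64:25 cs.stanford.edu tcp",
    "N/A 10.128.8.216:1034 tcp",
    "US 8.8.8.8:53 c.pki.goog udp",
]


@dataclass
class Flow:
    country: str
    ip: str
    port: int
    domain: str               # "" when the sandbox recorded no name
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one table row; returns None for the header or a malformed row."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    ip, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return Flow(country, ip, int(port), domain.lower(), proto.lower())


def classify(f: Flow) -> str:
    if f.proto == "tcp" and f.port == 25:
        return "smtp_direct_to_mx"                 # a workstation delivering mail itself
    if f.proto == "tcp" and f.port == BACKDOOR_PORT and ipaddress.ip_address(f.ip).is_private:
        return "tcp_1034_to_private_host"
    if f.proto == "udp" and f.port == 53:
        if f.domain.endswith(".in-addr.arpa"):
            return "dns_ptr_lookup"
        if f.domain.startswith(MX_GUESS_PREFIXES):
            return "dns_mx_hostname_guess"
        return "dns_other"
    if f.proto == "tcp" and f.port in (80, 443) and f.domain in SEARCH_ENGINES:
        return "search_engine_harvest"
    return "other"


def summarize(rows: List[str]) -> Tuple[Counter, List[str], List[str]]:
    """Bucket counts, distinct SMTP targets, and distinct guessed mail-host names."""
    flows = [f for f in map(parse_flow, rows) if f is not None]
    labeled = [(f, classify(f)) for f in flows]
    counts = Counter(label for _, label in labeled)
    smtp_targets = sorted({f.domain or f.ip for f, label in labeled if label == "smtp_direct_to_mx"})
    guessed_mx = sorted({f.domain for f, label in labeled if label == "dns_mx_hostname_guess"})
    return counts, smtp_targets, guessed_mx


if __name__ == "__main__":
    counts, smtp, guessed = summarize(SAMPLE_ROWS)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("SMTP targets:", ", ".join(smtp))
    print("guessed mail hosts:", ", ".join(guessed))
```

The prefix heuristic is deliberately loose: mail.mailroute.net in the behavioral2 table is a real exchanger returned by an MX answer, so in practice confirm a "guess" against the DNS responses before treating it as evidence of a mass-mailer.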

Files

memory/3844-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/4552-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero bytes at capture time: the four digests below are those of the empty input; two later captures of the same path with content follow)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3844-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4552-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4552-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4552-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3844-27-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3844-32-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-33-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ab6dd5478a363247d4779e93e8849c47
SHA1 e34a85caf20723181eb9ab407d5fc5b629026009
SHA256 f6932482f92b35ba5b3ff8dec2071de51924c3c3611970bf71c14c6c2e7e4c40
SHA512 a30d007bf6162a3d33d2f1beb53fc7f69ee81a4c5c4684997c836f4755f47f07d79d9007f6e7c67e7c115b51c6530087551bae4f64cb32f2b9eb013cdaded27e

C:\Users\Admin\AppData\Local\Temp\tmp24FB.tmp

MD5 f0024fc25b30fc9751a4c8a5d1f7bb68
SHA1 e3aad6c61642d2b173e943a53e173f22d010802c
SHA256 cdd91bfec1b4095b54614891e00f8956f9d6472cf4fde13139bd0b99adecbbf6
SHA512 a40464ce7a4890dcaf5d4c54bb5c765aacdb33ff4d201d0c97561bdd44de7c5c768a7bb8fd8eeaf798bb81ea05ef0798b6a91cc3d3536ddb1d67f97e8001f787

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\72BLSBWB.htm

MD5 e35eb77d62de84192138612f2504ce77
SHA1 3d343b9054d9c08a624c04fb4d02ddc8f3d392c9
SHA256 720e41c0a10b0738e63ff0cc8ad03690eaf1f63d54e88c1436bb03835094a8fc
SHA512 a6cdd229e8a649b2f13708ab42fa80debd70c9785e82e40609985f380a8271315a8c42c28e477a96983ca62001ecdbf13223c57e9a87b6b4ee1a7ffc445f50bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\search[3].htm

MD5 d3ca7e7a8fb8f14854c845e073bcb779
SHA1 53aff0da7a902d5e01b065a07f1833feb0ef4996
SHA256 68958d22ff1755cad5aa41cd32191e9646290b4f3831a25dee90cd4ccb371885
SHA512 98ae6c8fcbc21667caae0a5176ee1b399444f3c8c2b3409f40c3df2f23d5aba80ecba50cc60d2045335654b4bb4c74eb88f67e8541380812d95ce83e5508dc7c

memory/3844-256-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-257-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3844-258-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-259-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4552-264-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3844-268-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-269-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 2b96f4b1b69f1b6c5103bf6c4b477e47
SHA1 b7a2980380ad183b588a6168504e929dd83160b4
SHA256 4da54bf66567409eaab0b3323eb314880b9a0c92cbaa419ccdf9f5d95bf1ba8f
SHA512 5eb8cd2bcf25de8540f0f8f2a13f42f64b027129f6f74ccb6df86bd58093c6c8008bb079e8204ab470f3daf755cde5ea5e48fc9a68ab33bee1007c7e3d82ea10

memory/3844-295-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-296-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3844-299-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4552-300-0x0000000000400000-0x0000000000408000-memory.dmp