Malware Analysis Report

2025-03-15 00:45

Sample ID 241025-fzbgjavclh
Target c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d
SHA256 c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d
Tags
upx mydoom discovery persistence worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d was found to be: Known bad.

Malicious Activity Summary

Detects MyDoom family

MyDoom

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 05:18

Signatures

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 05:18

Reported

2024-10-25 05:20

Platform

win7-20240903-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe"

Signatures

Detects MyDoom family

MyDoom

worm mydoom

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\Windows\services.exe
Target N/A

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
Process C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe
Target N/A

Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
Process C:\Windows\services.exe
Target N/A

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe
Target N/A

Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Windows\services.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe

"C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.156.133.4:1034 tcp
N/A 192.168.2.18:1034 tcp
N/A 10.152.243.207:1034 tcp
N/A 192.168.2.9:1034 tcp
N/A 172.16.1.165:1034 tcp
N/A 172.16.1.165:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.41.26:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.14:1034 tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
N/A 192.168.2.13:1034 tcp

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\valyETpypq.log

MD5 d971bd453a97d84ad8bffa572cf0b8e5
SHA1 46de8ff0f3cc73f898675e73260ea7f2fb5fa774
SHA256 81d1c91ff794eff4f2d71990c34573cfa0bf8170a2cfbfbfbc342761f75a350c
SHA512 b4e76eacd8d4b68fd7ad6d163ef3cb18f0e050b05f90155e8cce79908f52af156ba3564890888e7aa36a631540a4ee82484509b10e17aa1936079385727385a5

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 4150c3b87ae23784ffbbcf78192bfaeb
SHA1 1b099912cb3ca1b74e198b77b9049f615c5a4458
SHA256 af3c9e360220f27fc7b7d7359093a26ed6c1b58b90f528b3dcef04e78c4199c8
SHA512 44b058d565d1c951cc9aa53512ec6943f5ba9097f0a00c5954f203f6254bb41df66cc22bce4bc64dd76168c88d9fc7758a9fed3ddac6bfbe84c2313de6a4e0ef

C:\Users\Admin\AppData\Local\Temp\tmpCDCA.tmp

MD5 de4e7f5181e4edcd9bfbc74e7a28627d
SHA1 f772aa8829ba2cb0dc47270fd31f9f85bcbf9db1
SHA256 516d55e96ac41e9f32acafd43879249e960faad7234c7acad73e70e1aafce1e0
SHA512 0caa58ca80b9b016113847baee5cccab97011a2e323b7428b4924a98c53b59e8b7c585ff86d09d56862cc5e2029786456041b4eb0d832a00b504621c368b2b9d

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 05:18

Reported

2024-10-25 05:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe"

Signatures

Detects MyDoom family

MyDoom

worm mydoom

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\Windows\services.exe
Target N/A

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
Process C:\Windows\services.exe
Target N/A

Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
Process C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe
Target N/A

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe
Target N/A

Description Key opened
Indicator \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process C:\Windows\services.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe

"C:\Users\Admin\AppData\Local\Temp\c55af0cdd189dd3dcb34bb6b22235c8ef56fb90b9550cab289b11255e038737d.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Crxeuokzi.log

MD5 299d53f4ac06edc35b6d4139bb5a0794
SHA1 2d5de84abfe090f50823de62e7e97cb52174b187
SHA256 077967d487365bcbea1268f0e28e1681f228440be53ba43e8b593709e94716de
SHA512 71ec38adb3c531d3a59ae193967d969f3c5c23b0eba9d9c0d242ba707c99b0c6e2d1133e966b0432dab8897d80d49218621be417b790f472695024069b439c46

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9b41e1e62f0a17d36361efa844e4b447
SHA1 0544afb2a56d53a21955c40c73bb236faa77059a
SHA256 7703cc0bab8ed9f316967f6d9c48f5ae7c87f82f2e5d784337c8fcbba041f238
SHA512 93d30f04c0d9b382ae18fb477227e53273a23fecbe703fe3594f6149856b36c28a116dd9a179a8ca52578368bce582417b4b89e058f20c4ed0e2a8102e776194

C:\Users\Admin\AppData\Local\Temp\tmp335E.tmp

MD5 f401ef1d53baf91c06552f2014050cc0
SHA1 d3b6cf6a612007352e91d5632aa4823379d9723b
SHA256 4e18e97b4c31667c379013454089bc8252dcc4c74968143aa06871ba310f6551
SHA512 de9e1025b255147a266048fb9e61814814d4f5df59f109ecc121e0d190454bf869a281fd1d82fb32fbc46b7556dc2aa9ca08380c14befea1089286f6cfeb8a90

C:\Users\Admin\AppData\Local\Temp\tmp335F.tmp

MD5 78e68b9a00042b782521b745dee12d6c
SHA1 225b8ad2c5c5e263f0089ccf98445e24d8cc3166
SHA256 c668f348a045d855e4c579efd5e596a90d1f64795d58873b43e0957448c89fbc
SHA512 58f78add881837c172bf681d0462bd24b433a436b1b0921467f08f6f222a0d59653286d08b54e0965c5f8b94885e2ca09cb70dcdd12749226e4d5f46ebd3fc87

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\search[2].htm

MD5 24186c5536549c9d963b30327c6f41eb
SHA1 fc17ba68363e5a7355e2c82e94d02c3cf8ba02ce
SHA256 fb87b846391448bbc499e5f7f082aa9e92bf1e44490abf67a267d30aebcd7244
SHA512 269a32985321bb585d4bb2ed87b4435be29cc744f3ae634b56aee1c1aaa13b6db1eba898686f5123b61207681a98d532b8d96d6825b334f29ae49a3baa7135ad

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 81aba4e4a5a3c1fb79672ba828069497
SHA1 ef11d9425b7a4aaca833886be59638f918be4bff
SHA256 34b8dd69d3cdba226080e694d577faefc5562eb048d5afc8060c1014497fcce4
SHA512 0221e22f9af6106a8d4a7b535f1399b5881b47a7d8a5511dde0cb33e874f406b95268aff3ea738e6b1f7bfb7229653b85e275415fb315a37c8bfc275019b3d87
