Malware Analysis Report

2024-12-07 02:38

Sample ID 241115-zmt8nasbma
Target 3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068
SHA256 3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068
Tags: upx, mydoom, discovery, persistence, worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068

Threat Level: Known bad

The file 3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068 was found to be: Known bad.

Malicious Activity Summary

Tags: upx, mydoom, discovery, persistence, worm

MyDoom

Detects MyDoom family

Mydoom family

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-15 20:50

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-15 20:50
Reported: 2024-11-15 20:53
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe"

Signatures

Detects MyDoom family

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe

"C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country | Destination | Domain | Proto
N/A | 10.0.2.15:1034 | | tcp
N/A | 172.16.1.2:1034 | | tcp
N/A | 192.168.2.9:1034 | | tcp
N/A | 172.16.1.182:1034 | | tcp
N/A | 192.168.2.17:1034 | | tcp
N/A | 192.168.2.102:1034 | | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp
US | 8.8.8.8:53 | gzip.org | udp
US | 52.101.9.12:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | gzip.org | udp
US | 85.187.148.2:25 | gzip.org | tcp
N/A | 192.168.2.12:1034 | | tcp
US | 85.187.148.2:25 | gzip.org | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 204.13.239.180:25 | alumni.caltech.edu | tcp
N/A | 192.168.2.103:1034 | | tcp

Files

memory/2548-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2548-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-11-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2548-8-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2548-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2548-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2548-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-34-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-39-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-46-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vuqnx9bEaF.log

MD5 8ecd198d977b13c6ab9d81289576fc40
SHA1 5d2b108d43d0c1975256193e6b4bfc1f256d9246
SHA256 30780dbd99e71ba01bec96814d004d202f34dd3956fcb1ae4edbbd751b3720fd
SHA512 31d0fd1af16b6a38e063d4c2f2d80071d6cdd2dc365ba69c9c37a08f39452119788c92bbbde6652b643491b4efd77a0e4426a41381e06491b56107a5bf09f60a

memory/1956-51-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-56-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2548-57-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1956-58-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1956-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2548-62-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6642.tmp

MD5 c5024dd3af54a497871e2a1487d584dd
SHA1 3ed4d99b92c62a7bc3f476e596fc6d62e98347af
SHA256 213954f397fd8b88e72e9f52a1f531704a466d265db19f3081801112807834e2
SHA512 67d4e5db838ae1a454dae967ae17c902f3a611c05ecbfe909ebbac1d8581d78658151829bc215d057c4f3655258a3914c210cbaec1dd1081f5cf2267160a6267

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 de0604d6bf73cb8b0c25d9b371b29aa5
SHA1 37c31eac2d76f3aed036379153edb5002c2035d4
SHA256 0727ca8b02c02da2aa11c3765443ac46edd559f91524c4700e205515793b21b3
SHA512 f98fb9ca1ef1739ce9066f7f5744086b401afc859d1eca8098109d7879bfe625ebe8221cc284936b2bebe8d3bf94e1468510d8a028f8a2989fba2a74d956a948

memory/2548-83-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1956-84-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2548-85-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1956-86-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2548-90-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1956-91-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-15 20:50
Reported: 2024-11-15 20:53
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe"

Signatures

Detects MyDoom family

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe

"C:\Users\Admin\AppData\Local\Temp\3116d03263f34f85b897d28b03764bbcca92e5e62d6f9552c6a80968749ca068.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
N/A | 10.0.2.15:1034 | | tcp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
N/A | 172.16.1.2:1034 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.92.23.2.in-addr.arpa | udp
N/A | 192.168.2.9:1034 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
N/A | 172.16.1.182:1034 | | tcp
N/A | 192.168.2.17:1034 | | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
N/A | 192.168.2.102:1034 | | tcp
US | 8.8.8.8:53 | m-ou.se | udp
US | 8.8.8.8:53 | aspmx4.googlemail.com | udp
FI | 142.250.150.26:25 | aspmx4.googlemail.com | tcp
US | 8.8.8.8:53 | acm.org | udp
US | 8.8.8.8:53 | mail.mailroute.net | udp
US | 199.89.3.120:25 | mail.mailroute.net | tcp
US | 8.8.8.8:53 | cs.stanford.edu | udp
US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp
US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp
US | 8.8.8.8:53 | burtleburtle.net | udp
US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 8.8.8.8:53 | mx.burtleburtle.net | udp
US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp
US | 52.101.11.17:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | gzip.org | udp
US | 65.254.254.51:25 | mx.burtleburtle.net | tcp
US | 8.8.8.8:53 | gzip.org | udp
US | 8.8.8.8:53 | www.altavista.com | udp
US | 85.187.148.2:25 | gzip.org | tcp
US | 8.8.8.8:53 | search.lycos.com | udp
US | 8.8.8.8:53 | search.yahoo.com | udp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 8.8.8.8:53 | r11.o.lencr.org | udp
GB | 88.221.134.89:80 | r11.o.lencr.org | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.134.221.88.in-addr.arpa | udp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
N/A | 192.168.2.12:1034 | | tcp
US | 8.8.8.8:53 | aspmx3.googlemail.com | udp
DE | 142.251.9.26:25 | aspmx3.googlemail.com | tcp
US | 8.8.8.8:53 | acm.org | udp
US | 104.17.79.30:25 | acm.org | tcp
US | 8.8.8.8:53 | cs.stanford.edu | udp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 204.13.239.180:25 | alumni.caltech.edu | tcp
US | 8.8.8.8:53 | burtleburtle.net | udp
US | 65.254.227.224:25 | burtleburtle.net | tcp
US | 85.187.148.2:25 | gzip.org | tcp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
N/A | 192.168.2.103:1034 | | tcp
US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp

Files

memory/2512-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1320-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2512-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1320-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-40-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xs0fkpfakf.log

MD5 7d2c78ded0f5063782d29c05bf9d30d0
SHA1 ae763060b6e35beea7469e2c303aded8e62b6600
SHA256 75de8e637f9aec8d492fe3dfb44e2d440e4340e44c6e7fc7d71b768ccf7dc33f
SHA512 74e5543dfd51d106a7ddb9be43d03665f84150f67905f95ffc199ab7148bbd2125926988845fe2d7f751a3e41ca2700a54d212ef2d10552c4a593cdbd5581647

memory/1320-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-50-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-51-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1320-52-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9bf939347ce00f5fcd71f1e25eb39ab3
SHA1 65e0c1707c8a374a5d6ebae1f766fe885c1b6cb5
SHA256 1be035d5166ccf445d3a9c76cd9c9e68a514bf5f98050d96c0a83b7fc0c166ea
SHA512 8f15ff9a5e293c49c6282f94933e170301dc92619871298c46dfa9fb4dc5c971b1efde6a67d42f55d0b5b16f6363c9d4e8ffbbb89a71b3bac056120598866501

C:\Users\Admin\AppData\Local\Temp\tmp6FBA.tmp

MD5 e5b5dfa9c1550068793f452696cacc98
SHA1 05b192a8b2b0b6c1afd010ad774b4f56c2bcc2f7
SHA256 39262803cf5d39b82a21fbda562db5fa944b2098a53609cdbd4d1e604f0e1c77
SHA512 98d5152cd4850b45e2eb2233f232d317276773e5c884cfbb812816cd9148a98565d6bbe77613d36ed48779a7bdb7d5a0d60726047c07b0109011543f2f035b3c

memory/2512-112-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\LP1TE8TI.htm

MD5 88f428031580c0176887d4b6d62a0c81
SHA1 101b459b94a4b3aa05cd9c3b76f71cee9f9a424f
SHA256 55ad08b5bb1e405eb5e6266b9196c127d75a2a7b854cc8830926193449acc0ad
SHA512 4d1d0f25da365d8807ac619599d11db5935648bff3e86bb596463f4659451edc7f32d266c850f767a80f99fc7234bd2e2d651cd1146379d84029018e7a014c85

memory/1320-142-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YY018DS9\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\CIQOO62Z.htm

MD5 b0091faa240c0526c72bf3587b0f396a
SHA1 3289159575b92b4795b482bfa2980caaad7938a6
SHA256 d595cd8c45a89b66177c928cf38d4c7319ce7e6fa831d05ae466e71f79628e06
SHA512 112e07c18f84a5d9050b361dff38b23a65c863e6d6a8626dcc524d515a1ee79d702462568a1dea0f5868e8b5cfff5aff863ff54562cce4aa97582528bea05839

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\search[2].htm

MD5 b0c0bad7521ca85b52f6b6e1133878a3
SHA1 fc01400236ec27e34e552f8cdbaed57a3e064e5a
SHA256 37ce94e55d31e0fc8d59a2da0a5ab9b999bc5b1352fcbd0452d4632d68557ad2
SHA512 334aee0abd26314933b0aa4b12cadababaa29b205f77fdde09deb872853e9ec8cd0236e9514c69c22584c3f0ad7dc1b8de2a5cf5d72b4d59ad521aa10a2692a2

memory/2512-220-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1320-221-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-222-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1320-223-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1320-228-0x0000000000400000-0x0000000000408000-memory.dmp