Malware Analysis Report

2024-12-07 02:15

Sample ID: 241117-g9e35sspfs
Target: 771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe
SHA256: 771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626b
Tags: mydoom discovery persistence upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626b

Threat Level: Known bad

The file 771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe was found to be: Known bad.

Malicious Activity Summary

mydoom discovery persistence upx worm

MyDoom

Mydoom family

Detects MyDoom family

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15, techniques mapped from the signatures in this report:
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application)
T1614.001 System Location Discovery: System Language Discovery
T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)

Analysis: static1

Detonation Overview

Reported: 2024-11-17 06:29

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
(1 match; no indicator details recorded)

Unsigned PE

Description | Indicator | Process | Target
(1 match; no indicator details recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-17 06:29
Reported: 2024-11-17 06:32
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe"

Signatures

Detects MyDoom family

Description | Indicator | Process | Target
(8 matches; no indicator details recorded)

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Both values were written under WOW6432Node, the redirected view of HKLM\SOFTWARE that a 32-bit process gets on 64-bit Windows, so a live-host check has to cover that key as well as the native Run key. The Services value points at the dropped C:\Windows\services.exe, a name borrowed from the Service Control Manager binary that legitimately lives in C:\Windows\System32. The JavaVM value points at C:\Windows\java.exe, which is not among the files written during this detonation.

UPX packed file

upx
Description | Indicator | Process | Target
(24 matches; no indicator details recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe

"C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto   (a "-" in the Domain column means no domain was logged for the flow)
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 10.128.8.216:1034 - tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 10.93.103.153:1034 - tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
N/A 10.150.78.55:1034 - tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
GB 173.194.76.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 8.8.8.8:53 cs.stanford.edu udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.10.18:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 88.221.135.115:80 r11.o.lencr.org tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 115.135.221.88.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
N/A 10.202.221.84:1034 - tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 8.8.8.8:53 acm.org udp
SG 74.125.200.26:25 aspmx5.googlemail.com tcp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
N/A 172.16.1.124:1034 - tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 mail.acm.org udp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp.acm.org udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 8.8.8.8:53 mau.se udp
US 52.101.194.2:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 mau-se.mail.protection.outlook.com udp
NL 52.101.73.15:25 mau-se.mail.protection.outlook.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
N/A 10.226.153.157:1034 - tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
DE 142.251.9.26:25 alt2.aspmx.l.google.com tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
US 8.8.8.8:53 outlook.com udp
US 52.96.214.50:25 outlook.com tcp
US 8.8.8.8:53 mau.se udp
SE 195.178.229.20:25 mau.se tcp
US 171.64.64.64:25 cs.stanford.edu tcp

Files

memory/904-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
(same hashes in both detonations; the dropped file is not a byte-for-byte copy of the submitted sample, whose SHA256 differs)

memory/1976-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the hashes of a zero-byte file: the entry records zincite.log at creation, before the process wrote to it; the later zincite.log entries in this list carry the hashes of the populated file)

memory/904-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1976-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1976-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1976-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/904-27-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/904-32-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-33-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 18478fe7a8d8b1c9aacc89c4811a28bd
SHA1 0af34d7691031478ebf2756fa21395fc57144bbb
SHA256 018c1b3bd7d5bf64be909229a5c46a99bc48737d802a67762b53e4912a653742
SHA512 98ce0792c13246650c5727adc641193ad44988c5352d3850fef9d2fb8735416b69da33bcf5816a196fd3b7dd1af2731ddc7e55e2e768a139be6254d7f17b06d8

C:\Users\Admin\AppData\Local\Temp\tmp8EFC.tmp

MD5 3f00cc3ce050ad935febe9d4a250cca5
SHA1 2128828432c5247ce913190cfbb1907e0e3e1966
SHA256 6d04d11aa4d1a9305c25e3154d19a50d2c8d3cd164010de6fb9dacd7dfe233cc
SHA512 c1f5fcf24170ea152e169b3746ef4c193c575bc95262c2b60d52a80f65bafecb007ca05b4055bc4133405df86bdaf3712bc4acc6a6b9f1002d33d2a72f4b8624

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\N7HG2JJX.htm

MD5 469aa76dc70ccb11bac6b044fe2690f2
SHA1 97a374f481033a57ad13e42cba9e48d24f03f360
SHA256 c24b0d15c6b98480e1113f52dcb4b3dd074c0a32a929bd2d2929aa561ba236cc
SHA512 b30bdcd38305030052aef1d78bc47817723d1cd7d3c3782b048570b5b9083f5442d2a3dd20047d1ed441dee4925373ebbbaf2fde6f4c6330844f2f24a6cb2800

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZA7RG4JF\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\BVPN9KT1.htm

MD5 c1c54adcbb51525ba7dc7442cadcccd8
SHA1 7fb5e1b63ed67017f69a3c6386e78f4cb350ce94
SHA256 ef8688ca86bb4bdcc13ceac1cd03b805cf68ce90fe6e3a4350c5a54f6794ca97
SHA512 6cc2326b8c796549d9bcb4013777c6d53ac6a2ccc59029f21aa9a9315351dee86dda3255d26419be72c9ab57f1a0605c2d5f8eebe625825b06d5df83fd10d861

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\search[2].htm

MD5 ffec2063cf4f08f325be8dedc2c7ae38
SHA1 6e120af49a9f3b44491f33c77b0b302b221675f6
SHA256 091a8674687212bbce254e77d2c514d502fe139d7a23067090750c5996518546
SHA512 117327e126e109184251d82cfa44636a7c082af018f698397e9f7952fd8e9f299781acc8e939a7bd802dcb6b388dd53294cd2896e63137299fded0ee90a99994

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\search[4].htm

MD5 7d99ca97dab694b67f57c3ffcd1d3428
SHA1 276f9940a9c52a05d028ed4d4a3c825fa9bfe1d6
SHA256 38ab3c949836bbd1e1ef4e3a8cf57a47115338fdfa050d77f064cf8bf2fee7e7
SHA512 18ea498327b8f468aabddc3d35efd7a4404b95765ce69c42f95f45dcf5d3ce4d4745da5a43d18f1e7d4aca67164e0d0c9460502f164ec8f0298e78270c0ff262

memory/904-195-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-196-0x0000000000400000-0x0000000000408000-memory.dmp

memory/904-197-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-198-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1976-203-0x0000000000400000-0x0000000000408000-memory.dmp

memory/904-207-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-208-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 3192e60911797c80ec2826ffd4e8e3fa
SHA1 161886ca11e7b03a7aacc53ae3aa6ddec6a44e92
SHA256 35639904d89d4355f5b5da731e8c3fcf651be1d128c685120b20710d54e160cc
SHA512 4d9584c715c694e9200c02481ad24013d07eeeb5b226c6a88534cd9f98e9bc2c58446c0d1fbc9b5eefd118343d1c86b885a1926f2512af17b2e6b35052f29201

memory/904-231-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-232-0x0000000000400000-0x0000000000408000-memory.dmp

memory/904-235-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1976-236-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-17 06:29
Reported: 2024-11-17 06:32
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe"

Signatures

Detects MyDoom family

Description | Indicator | Process | Target
(6 matches; no indicator details recorded)

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A
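Both detonations recorded the same two Run values (the "Adds Run key to start application" tables in behavioral2 and behavioral1): one pointing at C:\Windows\services.exe, a dropped file that borrows the name of the Service Control Manager binary normally found in C:\Windows\System32, and one pointing at C:\Windows\java.exe. The script below is an added example, not code from the sandbox report, that takes the text `reg query` prints for a Run key and flags values whose executable sits directly in C:\Windows or collides with a System32 binary name. The `reg query` output is constructed to reproduce the two indicators plus one benign control entry, and the list of System32 names is a short assumed list for the example, not an inventory of a real install.

```python
"""Flag Run-key values that point at binaries masquerading as Windows system
processes.  Added example: consumes `reg query` output in the same shape as
the 'Adds Run key to start application' indicators in the report."""
import ntpath
import re

SYSTEM_ROOT = r"c:\windows"                       # assumed %SystemRoot%
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")

# Binaries that belong in System32.  Short illustrative list (an assumption
# for this example), not a full inventory.
SYSTEM32_BINARIES = {"services.exe", "lsass.exe", "svchost.exe",
                     "winlogon.exe", "csrss.exe"}

# Constructed `reg query` output: the two values the detonation wrote, plus a
# benign OneDrive entry as a control.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    JavaVM      REG_SZ    C:\Windows\java.exe
    Services    REG_SZ    C:\Windows\services.exe
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.+?)\s*$")


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value line under a key."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3)


def executable_path(data):
    """Extract the program path from a Run value (quoted or bare, with args)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def audit_run_values(text):
    """Return the Run values worth a closer look, each with its reasons."""
    findings = []
    for key, name, data in parse_reg_query(text):
        path = executable_path(data)
        directory = ntpath.dirname(path).lower()
        basename = ntpath.basename(path).lower()
        reasons = []
        if directory == SYSTEM_ROOT:
            reasons.append("executable-directly-under-systemroot")
        if basename in SYSTEM32_BINARIES and directory != SYSTEM32:
            reasons.append("system32-name-collision")
        if reasons:
            findings.append({
                "name": name,
                "path": path,
                "reasons": reasons,
                # 32-bit writers are redirected to WOW6432Node on 64-bit Windows
                "wow64": "wow6432node" in key.lower(),
            })
    return findings


if __name__ == "__main__":
    for f in audit_run_values(SAMPLE_REG_QUERY):
        print(f"{f['name']:<10} {f['path']:<32} {', '.join(f['reasons'])}"
              + ("  (written via WOW64 redirection)" if f["wow64"] else ""))
```

On a live host, feed it the output of `reg query` for both the native Run key and the Wow6432Node one, since a 32-bit writer like this sample only shows up in the latter.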

UPX packed file

upx
Description | Indicator | Process | Target
(23 matches; no indicator details recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe

"C:\Users\Admin\AppData\Local\Temp\771305b3454a0a1ac23ffa6a5d38a452a9ff106629bf9311772dd98faa40626bN.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto   (a "-" in the Domain column means no domain was logged for the flow)
N/A 10.128.8.216:1034 - tcp
N/A 10.93.103.153:1034 - tcp
N/A 10.150.78.55:1034 - tcp
N/A 10.202.221.84:1034 - tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.42.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 172.16.1.124:1034 - tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 10.226.153.157:1034 - tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
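The two Network tables (behavioral2 on Windows 10, behavioral1 on Windows 7) show the same behaviour at different intensities: PTR lookups through 8.8.8.8, MX resolution followed straight away by TCP/25 connections to the resolved mail exchangers (the sample delivers mail itself rather than through a configured relay), TCP/1034 connection attempts to addresses in the 10.0.0.0/8 and 172.16.0.0/12 private ranges, and, in the Windows 10 run only, HTTP and HTTPS requests to www.google.com, search.yahoo.com, search.lycos.com and www.altavista.com. The script below is an added example, not part of the sandbox report, that parses rows in the report's own Country/Destination/Domain/Proto layout and buckets them so those groups stand out; the sample rows are a constructed subset of the behavioral2 table and the search-engine host list is taken from it.

```python
"""Classify sandbox flow-table rows to expose the mass-mailer pattern.

Added example: parses rows in the 'Country Destination Domain Proto' layout
used by the report and buckets each flow by what a mass-mailing worm would
use it for.  Sample rows are a constructed subset of the behavioral2 table.
"""
import ipaddress
from collections import Counter

# Hosts the detonation queried over HTTP/HTTPS (taken from the report).
SEARCH_ENGINES = {
    "www.google.com", "search.yahoo.com", "search.lycos.com", "www.altavista.com",
}

# Constructed subset of the behavioral2 Network table.  Rows logged without a
# domain may carry "-" in the Domain column or omit the column entirely, as
# the report does; both forms are accepted.
SAMPLE_FLOWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 10.128.8.216:1034 - tcp
US 8.8.8.8:53 aspmx.l.google.com udp
GB 173.194.76.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
N/A 10.93.103.153:1034 tcp
N/A 172.16.1.124:1034 - tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
"""


def parse_flows(text):
    """Yield (dest_ip, dest_port, domain_or_None, proto) for each table row."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Country":
            continue  # blank line or header row
        if len(fields) == 3:            # Country Destination Proto (no domain)
            _, dest, proto = fields
            domain = None
        elif len(fields) == 4:
            _, dest, domain, proto = fields
            domain = None if domain == "-" else domain
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        yield ipaddress.ip_address(ip), int(port), domain, proto


def classify(ip, port, domain, proto):
    """Bucket one flow by its role in the observed behaviour."""
    if proto == "udp" and port == 53:
        return "dns-ptr" if domain and domain.endswith(".in-addr.arpa") else "dns"
    if proto == "tcp" and port == 25:
        return "smtp-direct-to-mx"
    if proto == "tcp" and port in (80, 443) and domain in SEARCH_ENGINES:
        return "search-engine-http"
    if proto == "tcp" and port == 1034 and ip.is_private:
        return "tcp1034-to-private-address"
    return "other"


def summarize(text):
    """Return (Counter of buckets, sorted list of MX hosts that received SMTP)."""
    buckets = Counter()
    mx_hosts = set()
    for ip, port, domain, proto in parse_flows(text):
        bucket = classify(ip, port, domain, proto)
        buckets[bucket] += 1
        if bucket == "smtp-direct-to-mx" and domain:
            mx_hosts.add(domain)
    return buckets, sorted(mx_hosts)


def looks_like_mass_mailer(buckets):
    """Heuristic: a workstation has no business speaking SMTP to several MX
    servers itself, least of all alongside scripted search-engine queries."""
    return buckets["smtp-direct-to-mx"] >= 3 and buckets["search-engine-http"] >= 1


if __name__ == "__main__":
    counts, mx = summarize(SAMPLE_FLOWS)
    for name, n in counts.most_common():
        print(f"{n:3d}  {name}")
    print("MX hosts contacted:", ", ".join(mx))
    print("mass-mailer pattern:", looks_like_mass_mailer(counts))
```

Run it over a full export of either Network table to get the counts for the whole detonation; anything that lands in the "other" bucket is what does not fit the pattern and deserves a manual look.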

Files

memory/1680-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2972-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1680-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1680-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the hashes of a zero-byte file: the entry records zincite.log at creation, before the process wrote to it; the later zincite.log entry in this list carries the hashes of the populated file)

memory/1680-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1680-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1680-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2972-20-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2972-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2972-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2972-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2972-34-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1680-38-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2972-39-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2972-44-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 1c66c55553c29e1f721b038867c6d390
SHA1 1564e6145988b0ae8ce909f20ea87c939d9f275e
SHA256 a38841e93b1ddf5891e39a30ea243c826e7df2eaa87d4e116a8e824446be9f14
SHA512 95e4ef2e21b452f2e89e3a1ba87d4b6767da36c1766fdad9c04b2d3d8b54def3173b604b0719c517e4d737a33668c8cae4280ddd938aa5966d690c6a68c4603e

C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp

MD5 5c183af5aafdb13f9b7dc9f5b1e420b5
SHA1 79731e2270e952ee93bbdfed43014b9c39d37a84
SHA256 a3108140c67842fd2c8dcd2a845dc9209011df8e914a49254b735fb835d6f866
SHA512 4994db237f00f5534285fed90aa646edbf045a261020a8597dc4567c50aa2028163cc03781a8129fc128a2cd18888ccbb1c77c5607fbc1ffc0923c66e6419908

memory/1680-62-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2972-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1680-66-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2972-67-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1680-71-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2972-72-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2972-74-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1680-78-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2972-79-0x0000000000400000-0x0000000000408000-memory.dmp