Malware Analysis Report

2024-12-07 02:15

Sample ID 241117-jb97qstngt
Target 93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c
SHA256 93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c
Tags
upx mydoom discovery persistence worm
Score 10/10


Analysis Overview

Score 10/10

SHA256

93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c

Threat Level: Known bad

The file 93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c was found to be: Known bad.

Malicious Activity Summary

upx mydoom discovery persistence worm

Detects MyDoom family

MyDoom

Mydoom family

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 07:30

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 07:30

Reported

2024-11-17 07:33

Platform

win7-20240903-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe"

Signatures

Detects MyDoom family

Description | Indicator | Process | Target
(5 hits, all fields N/A)

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(24 hits, all fields N/A)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe

"C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country | Destination | Domain | Proto
N/A | 10.156.133.4:1034 | - | tcp
N/A | 10.213.60.59:1034 | - | tcp
N/A | 10.128.8.216:1034 | - | tcp
N/A | 10.0.0.36:1034 | - | tcp
N/A | 192.168.0.255:1034 | - | tcp
N/A | 172.16.1.136:1034 | - | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp
US | 8.8.8.8:53 | gzip.org | udp
US | 52.101.194.19:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | gzip.org | udp
US | 85.187.148.2:25 | gzip.org | tcp
N/A | 192.168.2.18:1034 | - | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 204.13.239.180:25 | alumni.caltech.edu | tcp
US | 85.187.148.2:25 | gzip.org | tcp
N/A | 192.168.2.155:1034 | - | tcp

Files

memory/2720-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2720-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2720-15-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2720-16-0x00000000002E0000-0x00000000002E8000-memory.dmp

memory/2836-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-29-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-48-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-53-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2720-54-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2836-55-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2836-60-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c7037d9d8f2b300900f732d62497bcc3
SHA1 2164b0527a0450f1e38f5e129011d3603c75d911
SHA256 f2e565bcccc29cde7e63262c0b021618ef1a2490f3884cfa3763a68a846d863f
SHA512 02e8bd02409a9a3550a72c8e904ed19283f2e83eb4b4f80fd3fd65837fa4796606ab76586aa86df7dfa39b9616f2410ec83563dc22a273c58417ad5be62aac22

C:\Users\Admin\AppData\Local\Temp\tmpBCAE.tmp

MD5 c68ba8dcb3504289ed0cde29ecb5033b
SHA1 46c73f41730a898b33c595e5e7f3c4cdbdf84ad4
SHA256 28191a8cdd73719b5b68d08a4ccd4f533af16cfaa80c127c8ca9e04d5dd9d596
SHA512 11625233d3bf68105d912756397934e13461e8588fc153da93e642627bb2f9bdb55d4e7d6cb249b6834657d98ab7b1d8db01a1083334ab91da97d01ec9db8c53

memory/2720-83-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2836-84-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2720-85-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2836-86-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2720-90-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2836-91-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 07:30

Reported

2024-11-17 07:33

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe"

Signatures

Detects MyDoom family

Description | Indicator | Process | Target
(5 hits, all fields N/A)

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(24 hits, all fields N/A)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe

"C:\Users\Admin\AppData\Local\Temp\93ad3be02d4e5e98faa3104f16350b04937b5c4069cd3bc48c44619899a3db9c.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country | Destination | Domain | Proto
N/A | 10.156.133.4:1034 | - | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
N/A | 10.213.60.59:1034 | - | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
N/A | 10.128.8.216:1034 | - | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
N/A | 10.0.0.36:1034 | - | tcp
N/A | 192.168.0.255:1034 | - | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
N/A | 172.16.1.136:1034 | - | tcp
US | 8.8.8.8:53 | m-ou.se | udp
US | 8.8.8.8:53 | aspmx.l.google.com | udp
BE | 74.125.71.27:25 | aspmx.l.google.com | tcp
US | 8.8.8.8:53 | acm.org | udp
US | 8.8.8.8:53 | mail.mailroute.net | udp
US | 199.89.1.120:25 | mail.mailroute.net | tcp
US | 8.8.8.8:53 | cs.stanford.edu | udp
US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp
US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp
US | 8.8.8.8:53 | burtleburtle.net | udp
US | 8.8.8.8:53 | mx.burtleburtle.net | udp
US | 65.254.254.51:25 | mx.burtleburtle.net | tcp
US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp
US | 52.101.41.6:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | gzip.org | udp
US | 8.8.8.8:53 | gzip.org | udp
US | 85.187.148.2:25 | gzip.org | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 8.8.8.8:53 | search.yahoo.com | udp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 8.8.8.8:53 | search.lycos.com | udp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 8.8.8.8:53 | www.altavista.com | udp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp
US | 8.8.8.8:53 | r11.o.lencr.org | udp
IE | 212.82.100.137:80 | www.altavista.com | tcp
GB | 2.18.190.80:80 | r11.o.lencr.org | tcp
US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp
IE | 212.82.100.137:80 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
N/A | 192.168.2.18:1034 | - | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp
US | 8.8.8.8:53 | acm.org | udp
NL | 142.250.153.27:25 | alt1.aspmx.l.google.com | tcp
US | 104.17.79.30:25 | acm.org | tcp
US | 8.8.8.8:53 | cs.stanford.edu | udp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
US | 8.8.8.8:53 | burtleburtle.net | udp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
US | 65.254.227.224:25 | burtleburtle.net | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 204.13.239.180:25 | alumni.caltech.edu | tcp
US | 85.187.148.2:25 | gzip.org | tcp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
N/A | 192.168.2.155:1034 | - | tcp

Files

memory/1244-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2976-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1244-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2976-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-50-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2976-52-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1244-56-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2976-57-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c48e4cd378e4fe8cbd74da0b85906179
SHA1 06a83d2595e6ca90587508b0176d1ecb97191fc7
SHA256 f2edd47d4cf399ab7b6fdc650f747d3ff760a976d8082f5a4fe800d8e1e80d3a
SHA512 bbb124359a6a04e7662e10938ba5777f786ce65cf47d86fab9e6c59a4c13e7327077d2106e91971bddeb5ea1cc45a87345267fe2b705bde631c14e7f6d77dc47

C:\Users\Admin\AppData\Local\Temp\tmp70D3.tmp

MD5 6f522412255a3db61e37f9a7520da72c
SHA1 34b6db549de406a6bbf55b89ba1e29a50b8acf36
SHA256 dfd02be6ad67bb2056c9a8e87e9c9c18f3633d663e6de303f439152840530c98
SHA512 fac08926e4b55a83f958dd2e4dd8174c7e7c7d744686dce37e2e20809ae1093f2c5af2485047522292f0e234f87362e79dbe43bbe5be2a74f4470586f54efc8f

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 821a882206ec52d9c435794b13ecda3f
SHA1 0bdccb31a775e1fbe78955eaae631f416a996aa7
SHA256 c06c3a51b9b022ed1c8b5561dd5b4a11d5368e3ecd88b3e5922a5f2722857473
SHA512 076ed7a96bb47141d1c9501725635007ebfd369878cc1c3e54807a34960b79cff689589a49eac432888e3af7f325f17dc129561e9f58709677d905d523f2ee5d

memory/1244-111-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2976-112-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/1244-172-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2976-173-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1244-176-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2976-177-0x0000000000400000-0x0000000000408000-memory.dmp