Malware Analysis Report

2024-12-07 02:19

Sample ID 241117-sf6jsasfmj
Target 4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe
SHA256 4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb
Tags
upx mydoom discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb

Threat Level: Known bad

The file 4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe was found to be: Known bad.

Malicious Activity Summary

upx mydoom discovery persistence worm

MyDoom

Mydoom family

Detects MyDoom family

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 15:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 15:05

Reported

2024-11-17 15:07

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe

"C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 da73797fcf421c1cfbf8f25cdc44c6c8
SHA1 b98109d43f0f523cea38dfd1932ee90f4f246f2e
SHA256 8c7ed9ff3dc89ce51913bbc241449c23697fd20397dc2f6c742183caa8b623fd
SHA512 69b2981b601ccb4e89bcbbbb9cf0f95e7bb8a0fdabe993d9c573462bf90e00cdb57281a68ceae5ff73fe93cd383d3ad6f8783dcffa201046f3fc6b739f36fb2d

C:\Users\Admin\AppData\Local\Temp\tmpA17F.tmp

MD5 53f4027878af421f7b7ce318c008ef20
SHA1 ddcbc129d8f7a6316d69a6507cc805d500118696
SHA256 5cc14e3902a09f50a1e301e9209b8b863c1eac853728d7fc4b305eff443e9d42
SHA512 ce7d389205d72cab7fb1bcaa8f9f2249134d2cfc5f98847aa1d76ccdf1ad65ef48894f7d917b9bd04d412b7c603c02de28c02adb96fe9c3478c58505d548d645

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 15:05

Reported

2024-11-17 15:07

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe

"C:\Users\Admin\AppData\Local\Temp\4231cbf6cfa7a3c534b8ed947f06b1e328e4e7ba3afd08b66f2a090bdf1031eb.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 b43c0aeec9a7c7743ff7e08b46d17e72
SHA1 91f90654b95118659f3c1cefaf11afb7be904d63
SHA256 8b44102163b401307db472a2444879b8ea06a9ae32849d73a4486519ada1ea92
SHA512 03ac040f5cb7eeb29bca09c8cd70ddf6c2a9d1ad88c5a955f5ab77f052711cf1c4e4ef400aa7f6e973d7ef2165debb314377974658ccfbefe51ed7fa6b4fb952

C:\Users\Admin\AppData\Local\Temp\tmpB87D.tmp

MD5 c771fb06612e72a33b6dfdafa4c311b3
SHA1 db1acb1648152f85a642ed3ba99f522c6d5cf8d1
SHA256 1047ecf463f23dbcaeefabf99b3a8fd7ef35379ac6c8ab36037eda3efb61e9dc
SHA512 94295f252e127fc2ce8d896afe478a9c8d5f5b5d68a8b1348c406f088a1d49920ac6195abd39b9fdd1470997d80b2787f72f63d443c0ba9bbf7210b011d20d73

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ee77dfe137a2c128f17a514e0a2d67ff
SHA1 5d01ae464165ccbbe5e1395d3f0cd30b3eb1f5d2
SHA256 7014535f5c89a04b3682af5c34f4bf580673599ce0a18083d93f1c4fd9dbbabe
SHA512 6c812040f80f9f07929425f4cc3e65084853e025869e0dd231fe656b6ccb9cc4c4a0832a84cae41d02e8b7f7ffa90d113ca6ad6e4e91416056f91c3571f019ef

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 a177a7e89d401a6d0909c9e3a8f5db31
SHA1 54eff7057880ccdd4c36deec34c60edd5c6d14a2
SHA256 3265a6eb78e4b8616f20c7376a49801af1ac9787aea737c11cec82f3ab63e44b
SHA512 c6921baf14110ac0a99b2e3ced594785a1b132928270deeb59f22b837a814431cfdf91572969a6b9c5558bb0d605a9058ca388e809a96b7a5c2cdcfd1ffe873b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\7ZBUQCIS.htm

MD5 ecc0a811e3aa4c69b086abf9da20032b
SHA1 452e3956768d083a1f360a1ba0325d8391e8b50f
SHA256 e82986f649146d44d1da2f393bd72fb081072a8123ca0bde434739afbb4bd5fc
SHA512 cb42d919c2678143c5dd3870bcb0fb0caa890750b124a2445fbc67a8af1a607c5cbcf5417672ed99dba40c1d1db7adf5829b57adb255d65d83d247ae01fbbc0a