Analysis Overview
SHA256
cfdd109bd6e31693ed86ab83582491e3853d91c4140561176f1947fadd1401ef
Threat Level: Shows suspicious behavior
The file e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:48
Reported
2024-04-07 18:50
Platform
win7-20240221-en
Max time kernel
152s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2480 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:48
Reported
2024-04-07 18:50
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4332 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e59ccd5d9281b078573b95d38c59cf80_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files