Malware Analysis Report

2025-01-19 00:30

Sample ID 240507-eb7dmagf5w
Target 1f57822e307136f25cd37727b1905dce_JaffaCakes118
SHA256 9eb9b2f49b8a9a465f3795aaaacc499776f7563b3d19cb316b6fc5f6b953c45e
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

9eb9b2f49b8a9a465f3795aaaacc499776f7563b3d19cb316b6fc5f6b953c45e

Threat Level: Known bad

The file 1f57822e307136f25cd37727b1905dce_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Analyst notes (editorial additions, not sandbox output)

Behaviour profile: the sample writes copies of itself to C:\Windows\services.exe and C:\Windows\java.exe, registers both as HKLM Run values (JavaVM, Services), re-launches as C:\Windows\services.exe, then opens SMTP sessions (TCP/25) directly to the MX hosts of a list of recipient domains and, in the Windows 10 run, pulls result pages from www.google.com, search.lycos.com, search.yahoo.com and www.altavista.com. The Run values sit under Wow6432Node because the 32-bit process is redirected by WOW64; that key is still processed at logon on 64-bit Windows, so the persistence is effective. C:\Windows\services.exe does not exist on a clean system (the Service Control Manager is C:\Windows\System32\services.exe), so the loose file, or a Run value pointing at it, is a high-fidelity host indicator.

Attribution (analyst inference, not a sandbox verdict): zincite.log in %Temp%, java.exe and services.exe dropped into %SystemRoot%, Run values named JavaVM and Services, TCP/1034 activity and address harvesting through those four search engines are the documented fingerprint of the 2004 MyDoom.M mass-mailer and its Zincite backdoor. The sandbox itself assigns no family.

Caveat on the network indicators: the TCP/25 destinations (alumni.caltech.edu, gzip.org, cs.stanford.edu, acm.org, aspmx.l.google.com, *.mail.protection.outlook.com and so on) are the mail servers of the domains being spammed, not attacker infrastructure, and must not be block-listed as C2. The only connections that are neither mail delivery nor search-engine fetches are the TCP/1034 attempts to addresses that were never resolved through DNS.

Caveat on "Detected microsoft outlook phishing page": the signature fires only in behavioral2 and carries no indicator row; the only Outlook-related activity in the report is SMTP to Exchange Online MX hosts. Treat the phishing and product:outlook tags as low confidence.

MITRE ATT&CK (Enterprise Matrix V15)

No technique rows were exported with this report. Editor mapping from the signatures below (added, not sandbox output):

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run values JavaVM and Services)
T1036.005 Masquerading: Match Legitimate Name or Location (C:\Windows\services.exe, C:\Windows\java.exe)
T1027.002 Obfuscated Files or Information: Software Packing (UPX)
T1071.003 Application Layer Protocol: Mail Protocols (SMTP sessions to recipient MX hosts on TCP/25)

Analysis: static1

Detonation Overview

Reported

2024-05-07 03:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 03:47

Reported

2024-05-07 03:49

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 matches reported; no indicator, process or target detail was exported for them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Note: two traffic classes are mixed in this table. (1) TCP/25 to hosts such as alumni-caltech-edu.mail.protection.outlook.com and gzip.org: these are the MX hosts of domains the sample is mailing, i.e. recipient infrastructure, not command and control, and block-listing them would be wrong. Each is preceded by a DNS lookup of the bare domain and followed by lookups of mx./mail./smtp.-prefixed names of the same domain, a crude way of guessing a mail host. (2) TCP/1034 to 10.0.0.14, 169.254.65.12, 192.168.0.32 and a handful of public addresses, none of which were resolved through DNS; the targets look generated rather than configured.

Country Destination Domain Proto
N/A 10.0.0.14:1034 tcp
N/A 169.254.65.12:1034 tcp
IN 4.240.75.206:1034 tcp
US 16.188.129.22:1034 tcp
N/A 192.168.0.32:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 129.42.208.182:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 15.172.2.91:1034 tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
US 16.56.164.120:1034 tcp

Files

memory/1616-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2740-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1616-10-0x0000000000220000-0x0000000000228000-memory.dmp

memory/1616-9-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

Note: the four hashes below are those of a zero-byte file; the log is created empty here and the later zincite.log entry shows it after it has been written to.

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2740-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1616-22-0x0000000000220000-0x0000000000228000-memory.dmp

memory/1616-23-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2740-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-45-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 68ee5d03eccd7caa45e6fd1113fc7eb8
SHA1 2c5bc23e9dabe7ab9342da455bd0713967c9423a
SHA256 6bf7f253aec806e4074010ef73b610f7d00a96e32782c18f6385b7d8a67bb2d6
SHA512 f81c8df26e8cbbb20e5d2c9c9a422b004c43460c571de197e0ceb65f8c68300c37a60dd298cc56da36abc5f61bc93995b502454eb30cd23ee0d21c2fb76a966b

C:\Users\Admin\AppData\Local\Temp\tmp7C24.tmp

MD5 00fea8012392879b64e7787df6e5d940
SHA1 a3564fc9752f63ce76bc90cec574d9c9885fae90
SHA256 db167ac88b846102d5f557f5421d01cd0d85194f4785dff3e55ced8de9d8c97a
SHA512 071b39634a7e06db2e1d556839b08c3c02720fd78c318cd9716a67a8d0fc45af4e2040570072cc8d0a7ca8d3ddb11d4c619c9b2f499936a17110a4b70968db0a

memory/2740-60-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-67-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2740-72-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 03:47

Reported

2024-05-07 03:49

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook
(no indicator row was exported for this signature; the only Outlook-related activity in this run is SMTP to *.protection.outlook.com MX hosts, so treat it as low confidence)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 matches reported; no indicator, process or target detail was exported for them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe N/A
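
The "Adds Run key to start application" and "Drops file in Windows directory" tables (here and in behavioral1) describe the same four events. The script below is an added example written by the editor, not part of the sandbox output, showing how a detection pipeline can correlate them into one persistence finding instead of alerting on each row: it joins Run-value writes to file-create events from the same session and scores the target path. EVENTS is a constructed set of Sysmon-style records mirroring those rows (registry data shown unescaped, whereas the report renders backslashes doubled) plus one benign Run value as a control; the record fields and the list of protected binary names are assumptions of the example, not a sandbox schema.

```python
"""Correlate dropped-file and Run-key events into a persistence finding.

Editor-added example, not sandbox output. EVENTS is a constructed set of
Sysmon-style records mirroring the behavioral1/behavioral2 tables above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe"


@dataclass(frozen=True)
class Event:
    kind: str       # "file_create" or "reg_set" (field names assumed by this example)
    process: str    # image path of the process that performed the action
    target: str     # created file path, or full registry value path
    data: str = ""  # registry value data (reg_set only), as stored, not escaped


EVENTS = [
    Event("file_create", SAMPLE_EXE, r"C:\Windows\services.exe"),
    Event("file_create", SAMPLE_EXE, r"C:\Windows\java.exe"),
    Event("reg_set", SAMPLE_EXE,
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM",
          r'"C:\Windows\java.exe"'),
    Event("reg_set", r"C:\Windows\services.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services",
          r'"C:\Windows\services.exe"'),
    # Benign control (constructed): a per-user Run value pointing at an installed app.
    Event("reg_set", r"C:\Windows\explorer.exe",
          r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Matches HKLM/HKCU Run and RunOnce value paths, with or without Wow6432Node.
RUN_VALUE_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Windows keeps its own executables under System32/SysWOW64; a loose *.exe
# directly in %SystemRoot% is where this sample hides.
WINDIR_LOOSE_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# Core OS binaries that only legitimately live under System32 (example's list).
PROTECTED_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def exe_from_run_data(data: str) -> str:
    """Return the lower-cased executable path from Run data ('"path" args' or 'path args')."""
    d = data.strip()
    if d.startswith('"'):
        d = d[1:].split('"', 1)[0]
    else:
        d = d.split(" ", 1)[0]
    return d.lower()


def find_run_key_persistence(events: list[Event]) -> list[dict]:
    """Return one finding per suspicious Run value, with the reasons that fired."""
    dropped = {e.target.lower(): e.process for e in events if e.kind == "file_create"}
    findings = []
    for e in events:
        if e.kind != "reg_set":
            continue
        m = RUN_VALUE_RE.search(e.target)
        if not m:
            continue
        exe = exe_from_run_data(e.data)
        reasons = []
        if exe in dropped:
            reasons.append(f"autostart target was written this session by {dropped[exe]}")
        if e.process.lower() in dropped:
            reasons.append("Run value set by a process whose own image was dropped this session")
        if WINDIR_LOOSE_EXE.match(exe) and not SYSTEM_DIR.match(exe):
            reasons.append("executable sits directly under %SystemRoot%, not System32")
        if exe.rsplit("\\", 1)[-1] in PROTECTED_NAMES and not SYSTEM_DIR.match(exe):
            reasons.append("file name impersonates a core OS binary outside System32")
        if reasons:
            findings.append({"value": m.group("name"), "exe": exe,
                             "set_by": e.process, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_run_key_persistence(EVENTS):
        print(f"{f['value']} -> {f['exe']} (set by {f['set_by']})")
        for r in f["reasons"]:
            print("   ", r)
```

The benign OneDrive value produces no finding, while JavaVM and Services each produce one; the Services value scores highest because it was set by the dropped binary itself and reuses a core OS file name. The same join works on live Sysmon data (Event ID 11 for file creation, Event ID 13 for registry value set) once the records are mapped onto the Event fields.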

Processes

C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Note: besides the SMTP-to-MX sessions on TCP/25, the mx./mail./smtp. guess lookups and the TCP/1034 probes that behavioral1 also shows, this Windows 10 run adds (a) hundreds of short HTTP/HTTPS connections to www.google.com, search.lycos.com, search.yahoo.com and www.altavista.com, whose responses are the search[N].htm, results[N].htm and default[1].htm pages listed under Files below, consistent with scraping search results for e-mail addresses; and (b) g.bing.com, www.bing.com and the in-addr.arpa lookups, which are typical Windows 10 and sandbox background noise rather than sample behaviour. None of the TCP/25 hosts is attacker infrastructure.

Country Destination Domain Proto
N/A 10.0.0.14:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 169.254.65.12:1034 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
IN 4.240.75.206:1034 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 16.188.129.22:1034 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
N/A 192.168.0.32:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 209.85.203.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 129.42.208.182:1034 tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 85.187.148.2:25 gzip.org tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 15.172.2.91:1034 tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
IE 52.101.68.17:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.9.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 hachyderm.io udp
GB 172.217.16.228:80 www.google.com tcp
IE 209.85.203.26:25 aspmx.l.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 16.56.164.120:1034 tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 tcp
GB 172.217.16.228:80 tcp
IE 212.82.100.137:80 tcp
IE 212.82.100.137:443 tcp
US 8.8.8.8:53 udp
N/A 142.250.27.26:25 tcp
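
Both network tables above (behavioral1 and behavioral2) interleave mail delivery, MX-name guessing, search-engine scraping and TCP/1034 probes. The following is an added example by the editor, not sandbox code: it parses rows in the table's "Country Destination Domain Proto" layout, fills in the domain for trailing rows that lack one from earlier rows with the same IP, and splits the traffic into those classes so the SMTP hosts get reported as recipient infrastructure rather than as C2. SAMPLE is a constructed subset of rows copied from the behavioral2 table, not the full export; the list of search engines and the mass-mailer threshold are the example's own assumptions.

```python
"""Triage a sandbox network table into mass-mailer traffic classes.

Editor-added example. SAMPLE is a constructed subset of rows copied from the
behavioral2 table above (same column layout; trailing rows may lack a domain).
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from typing import NamedTuple

SAMPLE = """\
N/A 10.0.0.14:1034 tcp
N/A 169.254.65.12:1034 tcp
IN 4.240.75.206:1034 tcp
US 129.42.208.182:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
IE 209.85.203.26:25 aspmx.l.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
NL 23.62.61.194:443 www.bing.com tcp
GB 172.217.16.228:80 tcp
"""

# Engines the sample scrapes (assumption of the example; bing is Windows 10 noise).
SEARCH_ENGINES = {"www.google.com", "search.lycos.com", "search.yahoo.com", "www.altavista.com"}
# Host-name prefixes the sample tries when guessing a domain's mail server.
MX_GUESS_PREFIXES = ("mx.", "mail.", "smtp.")


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse 'Country ip:port [domain] proto' rows; the 'N/A' country is kept verbatim."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        country, dest, proto = fields[0], fields[1], fields[-1]
        domain = fields[2] if len(fields) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    # Tail rows carry no domain; reuse the name the same IP was first seen with
    # so the per-host counts stay complete.
    first_name: dict[str, str] = {}
    for f in flows:
        if f.domain:
            first_name.setdefault(f.ip, f.domain)
    return [f if f.domain else f._replace(domain=first_name.get(f.ip, "")) for f in flows]


def _is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_link_local


def summarize(flows: list[Flow]) -> dict:
    """Split the flows into SMTP delivery, MX guessing, harvesting and 1034 probes."""
    smtp = {(f.ip, f.domain) for f in flows if f.proto == "tcp" and f.port == 25}
    dns_names = [f.domain for f in flows if f.proto == "udp" and f.port == 53]
    mx_guesses = [d for d in dns_names if d.startswith(MX_GUESS_PREFIXES)]
    harvest = Counter(
        f.domain for f in flows
        if f.proto == "tcp" and f.port in (80, 443) and f.domain in SEARCH_ENGINES
    )
    probes = {f.ip for f in flows if f.proto == "tcp" and f.port == 1034}
    internal = {ip for ip in probes if _is_internal(ip)}
    summary = {
        "smtp_servers": len(smtp),
        "smtp_server_list": sorted(smtp),       # recipient MX hosts, not C2
        "mx_guess_lookups": len(mx_guesses),
        "search_engine_connections": sum(harvest.values()),
        "search_engine_breakdown": dict(harvest),
        "port1034_internal": len(internal),
        "port1034_public": len(probes - internal),
    }
    # Threshold is the example's own: several distinct MX hosts plus MX-name
    # guessing is the shape of a mass-mailer, not of a C2 beacon.
    summary["mass_mailer"] = summary["smtp_servers"] >= 3 and summary["mx_guess_lookups"] >= 3
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the sample rows this yields four distinct recipient MX hosts, five mx./mail./smtp. guess lookups, seven search-engine fetches (the undomained trailing row is attributed to www.google.com by IP) and two internal plus two public TCP/1034 targets. Feeding it the full table changes the numbers, not the shape: the SMTP list is what an analyst should hand to the mail team as "domains this host tried to spam", and only the TCP/1034 set warrants further network hunting.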

Files

memory/4856-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2316-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

Note: the four hashes below are those of a zero-byte file; the log is created empty here and the later zincite.log entries show it growing as the run proceeds.

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2316-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-35-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ef2e732e31c5b50483e923615d1f6450
SHA1 9ec3f97ba87f69f1506d027dc58e5bfb4b6fcdd9
SHA256 f08ae3664cf2c08a0e8e0a00934accbe93791ba0642f552e01c06d72c8309bcf
SHA512 f99150d19569017c6417f990d89fb14a07bfdbe42cfd8abd5c53e7485c2625b2e7d10e30afc319519901c63500e41d1cf4e96d37629fca728b42ef706155fed9

C:\Users\Admin\AppData\Local\Temp\tmp8654.tmp

MD5 c179f0346d0810f69f30537f812eb97f
SHA1 7c0869d869db6fb23faa0e16529fb5d82f02d78a
SHA256 3b861cb141dff1704b446a22a3b9fedf297ee99db4994e3a5cf1e3208dd2b23e
SHA512 2f8cf254639cdc0b6a520bf8a528c738e460b7d4184cbeba3e68c49d14877ace8348e4f08d6d13a3cb678293266631a572389388858e944c7b1fadace7a528f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQX1KJ9K\U0Z1VPA0.htm

MD5 567a18194551f83ff13ffba82a00825b
SHA1 52293322ff86eb4355a4a4817f64cc94368d559a
SHA256 89f4551d80482eb5b92296c172b2cafb68b3394d7dda6af7fcb19f37bac3e7ef
SHA512 134d822b23c703e631ebc32cbec13d48ac1128a02b7c1cfa24ecca1c5e3ff108c8af0e94495844b43a0b288e424a0ca6429658e25b41acf1e13f1a53db969891

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/2316-162-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\results[1].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\search[6].htm

MD5 0726dda84ec6f38fa1b60be2da7aa454
SHA1 5cf219d610a5c1712071051298fad7ed941e3030
SHA256 c49970ced89170e5a78e877c4f67b6e86aa3278446ba32a2bc1d26884d086ebc
SHA512 337c094f3c302c0f761942b18bb5b2744dbef83f0c2aaa237936dc391be61cdad3f8436eff56828924caddc5646f54ffdb1686ff4adab4c94682da49aaa44523

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\search[3].htm

MD5 bd07b2a76ff525721200ebd7f3904507
SHA1 428b76ca39ebe057a767f25fdbae19175e218ce2
SHA256 c9e3cc542483692fe661939e1ed897dd35b9514192384759193328d106bdc417
SHA512 021172cf38dbcc5910259e588fa1318fd44d68780cf6a11466caa047a57160454eafb827cc71d8e60faf749a53ddd6850ac1387f79cf9315252b473a37049a96

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\search[4].htm

MD5 8d8f90700b2089a6d3547778235ee8f8
SHA1 a53f2b8b635a7e35096001b23cb1d7f1f4ed1572
SHA256 8957947d69a2d77e021a90cca4215a05569c3a91c4329a7cd7b1b6c3e6b63011
SHA512 ae3657a3a2435422a6efa0c87784255b96658f0a757e62075c4c67dc1bfd16b22c304fcd0df436cb437c0e25b4aeed69572ee51145767be56da137200ae1fdfa

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 2db420022c3a1372b141badbaef8f576
SHA1 3ca0d114eab6a2fb9d5e491fd75913e9fd35004d
SHA256 063c7103fd9ee80f36f3919962791b1641db62ec395d3a0e0d8eec299318de1e
SHA512 4a359e8d36d5c3cdda484925cd1a007f2c4beb827ee9b56ca2881c1dfab11343d4a127ac46a76824e1b842b9a07f03652bb073756090d2c666d2c09889b3f88c

memory/2316-276-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-279-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2316-283-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 8ed48735d10abdffc3800b4805801af3
SHA1 b4778ed4d27b273f7f06ee0f0ba9b8f3a4e2c67b
SHA256 feb595531dad415ffd3a1492974f28d561bad25266a38799e904a95a4cfd88b3
SHA512 307fc02ff958c0fe317745d158ede9ab7c7fd5247e0a1978e71b8cf7325a0b118f8f917a8dfda7d144f4779d9aabfd2bb5a8d9df6f98351b1b1520fec812197a

memory/2316-326-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\results[8].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQX1KJ9K\search[5].htm

MD5 e618c861014e8a5f3eca97061a8360be
SHA1 295509582fe46a3d5618c72320a725437b069254
SHA256 40cff66681fa9cb7ba0f95f76567236197dfd34f851e5825aee5dd8d0c32387b
SHA512 ca8935d6f3d53a1540a5db42cee7a8280468b48b52430eb4fc15839b6979133b57465b3ed896c1f5f13150372444fa21cbef59c6a0c28585f7f4c5de628828b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\default[1].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

memory/2316-465-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\searchRYN5OUMQ.htm

MD5 2004a91ddac5fa12766799010036e049
SHA1 a8d537bb279e1ccadd6b6bafa07fcd66a61241a3
SHA256 c921035ae59902c3c8cca7e80971142de4c1980efa23b466c784db8c9ae60e49
SHA512 0e4b1c0315c3d8e73428bf9a94081fe177ab45b7d93e57152f0d1722035f825f74e6ed1062d8976d620233861a9df2be67f7fd6a5c6e5c685f3e17442606f8c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\search[6].htm

MD5 3cf3114d212903aa2e7041ac2d415ffd
SHA1 d6dd3974aeb720d30ec38bf9128709127bf16d64
SHA256 44cbab902292b37cb424d2419c7b48763bb84bda6099ce80257ee3ca60e14fb5
SHA512 6a537b432bacbbdeba6449f8b5d93b4badcb28209db28e72bcb81eb3f19a93273aac94f11deb9de7fce331f69756dc4f5b203fd5e90f2c9be8a759496174219e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQX1KJ9K\searchYHTKRNOZ.htm

MD5 e95c96eaa8e658d3eaa7784c782d4470
SHA1 fc03a1bb8c538c4545f815dac9dc73c51cdd24b7
SHA256 a6238113d8b67d460aa8e7c5267f08162725faa6d1bbe96ead1615cf7e06d408
SHA512 faec9a2c7580448a566bb0d822d67ce5d8e424bf4643a0ebf4e12a941ba9265a2cee37b0548e8300d8a1629f185bf4be0364c0014db453b4048387f94f76b35f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQX1KJ9K\searchDXIGW91H.htm

MD5 1cafd807d48d8de55757a708a03ef747
SHA1 6861b1a3ef1f15c440dc8ab7df088b96cf954568
SHA256 e5462292f8150aa64630e4194a5625715332ea6a2022330601e40031aa5da795
SHA512 a37cf4ecbf6ef1166e27ac32516e7b55cf95035d82e1f9cd9df1fbac3666998c5365b1044673110cd93df45080085a15849c02fd35d50a77ed26458c619694a5

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 88a443da46328044ea2b8d263e19437c
SHA1 e66e318f0e66e56a0ea10bacc4847467e28b48fe
SHA256 bdedc528cc378317db9e7c1ca04edf2564aa274c00f15624e62a7e64eea1271c
SHA512 dc1bb4c9d428a612b5c7e165ba9fcdb01597513636ef4023b52ce14c7b5f9653e314518e80c2f52097899611626f3f40b12e16cbd5a9ecfc33d1f3f3240a54f1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\search[9].htm

MD5 5b4f6e0cbd4a1e50b37179d44eb31dc8
SHA1 e3343bd7b062a016dc4e0c13e561aa83e8926cb9
SHA256 d44066e108288579f425b4cc29392f80d11f622eaef4cd90dd08d502533af9dc
SHA512 bebf1851f5f36cc32020c06a4a6e1ac09de3f26fbd5b267fefcb3193f855a11dec1e3cf9862ce22733d48e67a90c054691431670144c0507e40e4ab722d5c5b2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\default[1].htm

MD5 5431b34b55fc2e8dfe8e2e977e26e6b5
SHA1 87cf8feeb854e523871271b6f5634576de3e7c40
SHA256 3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432
SHA512 6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c