Analysis Overview
SHA256
ed170dd2a76723734f2218871155d6b6111f95ee27badb133539745e4341eb7b
Threat Level: Known bad
The file 1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 07:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 07:19
Reported
2024-05-07 07:22
Platform
win7-20240221-en
Max time kernel
150s
Max time network
149s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2036 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 07:19
Reported
2024-05-07 07:22
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
151s
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2220 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fdcdaf92f89e97e71b986df45b69618_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files