Malware Analysis Report

2024-10-19 11:32

Sample ID 240527-rfnhjagb77
Target 7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118
SHA256 25df044b8be41f8b1c3081befa7f7e465b77b90361b198ae6a64abff05b9ea96
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25df044b8be41f8b1c3081befa7f7e465b77b90361b198ae6a64abff05b9ea96

Threat Level: Known bad

The file 7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 14:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 14:08

Reported

2024-05-27 14:10

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 16.37.50.108:1034 tcp
N/A 169.254.239.88:1034 tcp
N/A 192.168.0.26:1034 tcp
N/A 192.168.0.26:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.8.34:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 169.254.10.247:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 24.95.227.78:1034 tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
N/A 169.254.56.97:1034 tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in.g.apple.com udp
NL 17.57.165.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 aspmx.l.google.com udp
BE 64.233.184.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.152:80 apps.identrust.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 email.apple.com udp
NL 17.57.165.2:25 mx-in.g.apple.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
CA 16.55.145.212:1034 tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 icloud.com udp
US 8.8.8.8:53 mx02.mail.icloud.com udp
US 209.202.254.10:443 search.lycos.com tcp
US 17.57.156.30:25 mx02.mail.icloud.com tcp
FR 172.217.20.196:80 www.google.com tcp

Files

memory/1692-0-0x0000000000500000-0x000000000050D000-memory.dmp

memory/1692-4-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2408-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1692-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2408-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1692-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-36-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 4ef979747ea830f09ba24e94ecc58b84
SHA1 cb043e8ec51e8ffef3254eb4268dd9d7c928bbf6
SHA256 7ae9d966780ae7417ce4562e0a1b1d1c762097e96f1096d49e8456eb1dc7522f
SHA512 0cfc2fb4280b86e5424793f7b9b4e72dccf4a4205ee27460c6b18ddd109d1ea5fac84c2e811c808e8bf723ce8b289e10e01c9a0f2f8f0d80a752bfca442d65ce

C:\Users\Admin\AppData\Local\Temp\tmp392C.tmp

MD5 22971960738e705fc39359c946ebb5e9
SHA1 3981553c2aab17b09a98e7e262ab739cfbe489c9
SHA256 1e9700564dedae322ac767c02378514ec9e064c30e1a565aa5d0cb9a91babf08
SHA512 ef24e602fe5c067542330cebb319c16e4b644a8d47d2b9193c3cab1d896be34307ea09bd916364a747adfc40206132f615cc40b23e9c5e7c12936416c9c7b92b

C:\Users\Admin\AppData\Local\Temp\dnWozue.log

MD5 8376a5557453d936871e40c6387b6cf2
SHA1 ffa106ace1d5502527ca955e2b98b90a61b9d09d
SHA256 925b93676fde85d421eb4d93f3929a4facbb9a8eeaef06f5688dc2e4f17e23c6
SHA512 d52ae76a3cd3b7010f6bb675a47b73573e6d49cf3d052e87c65c84f6aa2d9c5f7b33453c0d1664ac96ecd543a6a8e42cc2bf1e12b624c54ee6fff60abedc9339

memory/2408-56-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-60-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-61-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-65-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-69-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2408-70-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e78dd1686441a248d7e162a174590c2a
SHA1 17613446f84981302349c95538b3ef6da57b5c71
SHA256 d09cd1264110c274bb598ffa429b7a3df07667c87cf1516570b0c0fbb69daf23
SHA512 5aa8038dd7b4bc6ce88ec22e4fb2b66aa5bcd601c4d22f4a19cdb7c4e8b72ba7c4a5eda2756a82bc98d9b5c333eb4d0d42deb68b67932277fd710ba740b7159b

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 68f9f67adbfaa1b6d02e2ff503ffbc39
SHA1 186dee4207a63379cdf1cd82d3bd22df0e24b673
SHA256 50ff01a0ca6df0a0f1c52195b89c3aac5e20724ffdbff8805d5a1f93a02126e9
SHA512 ae176f77c2bc2425086294d09dc8652bdd3139fd7e40811db10c70e276444e140b4b9b217c7b4abf034e5285162b2facc4c233208595fef1f2afa5a75104edb9

C:\Users\Admin\AppData\Local\Temp\Cab36E3.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3705.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6865873494f548d0ddba02091ca3a9e1
SHA1 843633a6ef380513611a8cc6af0e304935de5357
SHA256 67df346a2da7141888d7f11b58197e1470ea5ff9c8c87cec36871f718e062825
SHA512 c8a3ca148766ef37f0e669f3fa090ebf196111e7acb8128663ba044260dca20827849a2e85497fb1bc15caa434d510f71f1d843a47e5e3795f42f805ab1604cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b0e014a69d0841f9e35d81debb1373e
SHA1 53ca41685b374633f40f3a27a5ea75ba8e2f66a2
SHA256 ba357549df723bb89a2affdb7fc053f3ff95b72cf1e32cae014127c7569b8985
SHA512 134a487584227ab906e841c4ea6c90a00104b696a4a40ee98db88edbbf65fc4d9bdf922824ccb21d6f5a9e97c0d982ecc1c60fcd0a3e5e9d6379a12dcd8b3ac3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b695984ae06a59b7ba435b9e70963d4
SHA1 49f8fbad9f05b9e2d2b79366bd65aa52f39d4796
SHA256 082d71c5d4b88b862735d4a678150258aa3fdc269df109ad2552e220e36e4117
SHA512 bbf90715379bf7c2ad38a729478454cb411498e051f82b7a00426da02a467f072ec8ee8258ecbf4a681f8c1d8d74401c58b62c9bc18d2a32138c36012b7da1b0

memory/2408-550-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a58080abd19670f51ea0cf227cc01f4b
SHA1 24c17f6d03ffac575f4051e6d0fc0b31f3284e90
SHA256 d7619dc84841b034866af4e0089035075af723233f58cc9433807bc8aa241da8
SHA512 a48bc9f003b85621eab16ffb000d184b9532fbcff24b236eda6b485dfe42ee05cb5611091906a19436bf9723c786797ade5a535f5a123a3de6c917d0735f2533

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8924f69b8a7324606ba60cf6c8551e1
SHA1 d51d3a46820d12d86c7df202a3e0120d8d8f748a
SHA256 55e9d756d9956ba8c6fdcf2b49296adcec84f26d0347223ba650740263b3333b
SHA512 0a2fd6f4aeee535460ab05f905d33b23b9b1441d9ea0fdcf75c47aecd739c374777c91ddf60f093324607ddf0614365e8738572ac525717cf357e6873233af01

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\search[2].htm

MD5 804143c60e7c4b20f19e2e5725d04499
SHA1 62ca39d8dedb8e75da0f64271daf1951e22c71f9
SHA256 231af4ba9d87a34d812e8fbaed4e742070f2a4a5174ae189b93451c9fab40b2f
SHA512 8a17a4ebd249efabf9fcbcf8ba7bbd1594948fcd6562d5597e894f982dbc999dea20104bc5450db9b425b54a5d9228fbfdca745297d7a5a9374c212eceba84ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\1WUTYPI3.htm

MD5 302384ec71d6339fc83cb37c06535387
SHA1 205d6ee397c9a545f242e4ed415403c20ef81c6d
SHA256 be244ae70e1e3a2aa3c8b6deb32866fdb766d68765b7309113af9657489466b3
SHA512 8ab62c4740d32a4b0ee895f7706d88162f461808d2a1dc51b0441e0b1497096b0debe8980540af545f1eac4e7cd215e45297c60b47c4edfdb5282cc4310145f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\search[5].htm

MD5 a3b61be768e26afff0e7d36bc25bba1d
SHA1 4dc1348ded1fe07eada8f9a8613747e80a76f62c
SHA256 42af470233aa660903cbad6b7243ddecb624858c7624d6859eeab58173589983
SHA512 dba5a63fe9e100c594c042261885a38f9909fcfda86e2e091e2aba522f0e7ee5d4988a0210feb6b1b32fb50f321440d4da410930d221bf9c5464ae4141515d4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a88af9a86f8d0feaf81bf1f976ce859f
SHA1 1aa8d8dcdc8fcce5868f2f82776492dfc586f631
SHA256 18bcaa12ac4b9cc3429b63564f65f9b4b225ab15d0c0722d188ee207d2712808
SHA512 9426c1cf3844b09b6e55731366d7b3094f217fbfb558a392e2fd38a3f06685c381692e3c38bce2bb1daa9293c0feff00ecaf8ba6588423a9f62bacd556621fb2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEFTDE7Q\search[6].htm

MD5 201658f472bd95ff5e69eab718e1acd9
SHA1 40baf62fad4ddeb9c9772e3f2e3c9b874535ee5d
SHA256 a93393854cd335446ffb643b5ea2e72977ee03c4ff99d8007e01b09cfa8ae488
SHA512 6394b77512ad2009da84950d31e36aee161a4bea0b28b0318696c29d461546fcd424b8f97a5a44de32ca915242a893cf3a15eb7718fbf585bea15c3d6df4a989

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cd9f107c59c613724bec5098a733fdd
SHA1 05cac210bc820f8b80332cbec89e6e9697f6eb68
SHA256 bd77812eb47c19d6dea654d65870132e332ca3edbfc3860e91f136342c188df5
SHA512 a13b4634f89883afcc2054257e0f03ba3a8b45236cda2cc3c545d0b3972ad19a03351a9a612c9765ee37d3c7230a1f7c8c7b710eeb96a56969e42318bb1e5f8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a1dd2dafed7d481ac2e36530f30089e
SHA1 bd9d1bff68d47aaf70960fb29aab79e1cf1b38c5
SHA256 2fc5deefc29ea13ec91a5bf891f785ffbfe3999da7a702541b259ee14a23f122
SHA512 34717ce8b1c7177c2493a1e79d6fd6107b607dc44cf44fd2a6acb87c9ea994edfa62193c94796de075099b1d344f7504f64e79c8ec5cdb572dde8b7d8d00bcfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24d40d2cebb239ed018b2d611a28c3e1
SHA1 a0dab5b637b320b5f01e6630b557dd42db97022a
SHA256 74178ef8e70bf38d689c830c003d3bd962589b209aa8bd3adefc3b0c7efa2eca
SHA512 8a36304cba65fc9743643d05225254a0d4d825f2e57a903cf7304e56941eabc1d7c625c560110951ec17bbfeca3abcee1e650c7f9df9c64f2e2bf9406a58ab8a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MEFTDE7Q\results[3].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d6f207bd758ff3c82fff53a0c196666
SHA1 7ec1e81cf517e650554b418a9592bf8bb997e823
SHA256 14b892703d6cd66563333c39ca2229211fd340c6852f062aea31727adc5e8211
SHA512 f7b61ea4001a086cb2ea876f87c5bc6927ea340c6295708359f518db450d9421bf0ab50e04abfa1906f3eb0af517b73f9cacbe4fb37bc99d827c718279aeb757

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 14:08

Reported

2024-05-27 14:10

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7959d6f8d5d5ae1b4a5f83d3432f53de_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 16.37.50.108:1034 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 169.254.239.88:1034 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 192.168.0.26:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
BE 173.194.76.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.8.36:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 192.168.0.26:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
NL 142.250.153.26:25 alt1.aspmx.l.google.com tcp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.227.224:25 burtleburtle.net tcp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 169.254.10.247:1034 tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.251.9.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 outlook.com udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 52.101.9.18:25 outlook-com.olc.protection.outlook.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 mx.gzip.org udp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 24.95.227.78:1034 tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 hachyderm.io udp
BE 173.194.76.26:25 aspmx.l.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.153.27:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 outlook.com udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 52.96.222.226:25 outlook.com tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 8.8.8.8:53 smtp.gzip.org udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
BE 173.194.76.26:25 aspmx.l.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 169.254.56.97:1034 tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
IE 212.82.100.137:80 www.altavista.com tcp
FI 142.250.150.27:25 alt3.aspmx.l.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 mx.cs.stanford.edu udp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 mail.cs.stanford.edu udp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 mx.outlook.com udp
US 8.8.8.8:53 mail.outlook.com udp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 smtp.outlook.com udp
GB 52.97.211.66:25 smtp.outlook.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 smtp.burtleburtle.net udp
US 65.254.250.102:25 smtp.burtleburtle.net tcp
FI 142.250.150.27:25 alt3.aspmx.l.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
CA 16.55.145.212:1034 tcp
FR 172.217.20.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
SG 74.125.200.27:25 alt4.aspmx.l.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp

Files

memory/5388-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2516-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2516-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2516-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2516-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2516-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2516-26-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 27f0f545947acd9b519f9f8e8aa8a367
SHA1 8dedd067a52d39e2b7d888b6d0a61ec175a5a0e1
SHA256 feda6fc6d94b0e9becbdf40451fba17b5d1e66cfe5ccc9131ef4b5d0a8bc88ba
SHA512 e7341c24d5a4097405d7c81406297242362abc48558f6d8c33e306ef92872b1c52b0d73c8cfc69aca6cd2914157f13846aca635e694799183be03ea97ec77d21

C:\Users\Admin\AppData\Local\Temp\tmp1625.tmp

MD5 9eca96cdd1842dbabae906b0a5b2a111
SHA1 a9ffdcf67c8617f65c864a20186896ea05b1692b
SHA256 14ca0040c391bfa0423d18d7416473d38d533634d199d7d51b3132be300db404
SHA512 d0621820c3f3f231a0c89abd3b8ffdb89fdf2a344fcd0d5295ed7c04b871898e7c90798a777180146eb75f59373ac726041549760f263b48b8fbbf74ac2a80bd

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 2b997f2d56b8971617f17b31587da477
SHA1 ded9a2df8c614e04e1a2e10213f9156b0a65b4c7
SHA256 fc10d05042e2599185cee12701e73ef216c174aebd398f5dd338d885ce9de86a
SHA512 12e930b822d32b149a1d04f55ea68fc1d7135b4724930d9d9737bcd76a6ecbd50651023848d9bb3a301c346f96efdfc7f9db14c287b3956c74f3340ec4fd3f90

memory/2516-92-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\PNUVV1YA.htm

MD5 31cb30ca2bc5cf73dd0c5149cf3362ed
SHA1 44604e631cb3d49d6f94c84e146a0fddca7625c9
SHA256 650cf160c755e7d35a0f0eeb7c2934a60def6e0cf09e54acbbd726ae3ba0bae7
SHA512 b0a7d0b150392bc448e82240424dbf9d8f79a9d1fd9f268ca8e9aad8109c5d185250b5e55e31c9e9c2b7f0b9b7b98b058678bf88f2335ee0290fb6924d53e06d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\LGW3Q69W.htm

MD5 7d991f0b5b1f1571396c34801b537c44
SHA1 ce287e6b3a291f58766d345b11ff88352bfb3834
SHA256 3af9deaab1a761b4455b9b7a3ab2a1369ae082f09d522fa412fe035c40b95416
SHA512 3a89cbb3502b74271df2f65b683e06d8be1784fffad155a9a71e14dae9ca0248a9aea9f7aa05e81e52c1fd0e0db16b71186a3119a11141a6213cb8c7a2063a2e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\search[5].htm

MD5 bccee012fb3400682dfa8ef37c55fd0e
SHA1 b980719600e0643ab9d7611ad7b95c6017a38950
SHA256 528075cb7f1ae2222a02073facb21521e023601c0e18ecce725fe34e202eb24c
SHA512 912c24af8f54521340821997552319c58bc81a96e3327ac97f5c6ca22395f89b842d12b030a41e34c4a3cea153deb85232235c650b0a400353f611d791d4c718

memory/2516-261-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hwQaiw0ffh.log

MD5 61345a7a144cfdc76e50eb6c5df9779a
SHA1 0221fc0b8e4553723f9e8faa81e17cfe4fd78a04
SHA256 d11b1a30c93cb002f1f5c504a36597322905d0789b3a73cb237928b3e4e88c8f
SHA512 d07511b0434cb8227ec165b7de8a052e7faa1160b80ee88f68a5dfb434b04b6610eef69a265f511790ee30ad8de82b9e6cd8a835b4cb1b9dd91ba69f1028c779

memory/2516-273-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2516-277-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2516-278-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 8023ea4627cffe798eb7acc85117814f
SHA1 ad6b69c4c4febf6168ec3ff34a792ffd21192b5e
SHA256 3cdc10c16066315667bdd2a8862a8321e98dd38ebbf4e7a528933896d2e8fbcf
SHA512 e7a7389040a34b2f5afea8408cf5616d6ef0b2abf6e2b61efeffb1f192cab0785a5d0d7c55e99ab4782b2b40756138f19011f07e94a6f9d5b422f4219129d859

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\results[4].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\searchKW68T8PH.htm

MD5 14f02947ca56d607e958563d9f543798
SHA1 55cddd1ef5b75e713a105a6ba8cf87026c6e6522
SHA256 262b2220d54cf353323b15cd8ab0f2a97e920337fce451868167dcd281a9debe
SHA512 20bc8b40e44e7ee3b4ce0aa691fb62c6991e74d7af8d4e3b0bf862dab1435b26cf09a65c31da1da14ce7e353615e00f4fa4e148990511db4e1736e50c108b1b1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\searchJE8T2Q8T.htm

MD5 6c8bdc6ddb4d2a0d8eac179120c6c141
SHA1 93f176d8f67d9539fe9a2b1b3b4184cdbfa0c092
SHA256 ab702fc145043d0fda62575a62bfff97bcc241f4d6de37f834f43de139be461b
SHA512 8ee0d78daae93f44708fa01adcf9a4a6b748662b5fcfcc33effc347b316d7441bb54deeab2aa048e8ca51be288a380163beef77a8ef261088a78edc9605c468a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\search[9].htm

MD5 16a43dd258e84f00e901cdb624d3faea
SHA1 0137ceab1e1a0c6e424630e58b67c3efcc3cb41c
SHA256 a30d63c70e963fe0f8f7ac2c724b6f299a4209742488fd3301dde793101a6294
SHA512 273d44794b77d61b36ab38328b4feb959a947c484aa0879021283225482e8400eee70087fd353cd31fd14d8e7c95af8997b18aa89fff07f8716f79e55426874f

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 61647b88e38c1fd3582aeb0c681ba844
SHA1 6a02a34d95a08ffddea396c1fbc7d26820a8de46
SHA256 5b035072443872a08378d4299df0c35887612378cad668a53e6549df54cb474d
SHA512 6f6b6a2feff862afa8074217031de4012a49847adc705aa018a842aa6b72617912bdad6c2a52216ab71c701da87ef4d8ca494e373ceb20cad63b9bbd94e51aab

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\searchAUCK5NA2.htm

MD5 fccccdc48c28fd1e70d8deeb654088c3
SHA1 d3fbb3dbf5087af974b68870ee963892c12136f8
SHA256 394ba9fea9954a5900cb5b62cf1127ed7796f9b5a22d3fbe6f4d257c5545f802
SHA512 a28dba584a33d1a67a7b6b49b65e3fe8376efe8e895fd70d8844715dcd8d78d1c83dabca213f1f0b00c14e7756a6dbfd4455d731cd13f71b5fb17687276804af

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QEA1P7KF\default[1].htm

MD5 cb42662caffe525e9957c942617edf06
SHA1 615009db9a1a242579e639ee0fc7a2a765095bfe
SHA256 312bf5c9a1a122abc6361bf8ed01a44346285b962c0d273ef2de0eb796ae1b15
SHA512 3e6777f1f74f64fff6cb2bd1a81a6c08d9a64feeebc3deb7cacb8f0f41b23a5c59a8e6294b99c76dd386aaaf9043a1a252ac47910fe1801bdc2995f7b675692c

memory/2516-420-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QEA1P7KF\results[8].htm

MD5 35a826c9d92a048812533924ecc2d036
SHA1 cc2d0c7849ea5f36532958d31a823e95de787d93
SHA256 0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
SHA512 fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\searchC461ORCS.htm

MD5 2eb144ac51c5b52c455acea8dce6703f
SHA1 f2f45fc7ceab811808776b0ec6884d0442c31ee3
SHA256 1071a4d42bab5f135d6a85362158c98a01a45b63a292000297ea7b07470545e6
SHA512 bb67bf7abdebf4660821f5bbf2f7d8013db9ddacbc097fdb305b3776aa2d64a9c528d4919afff0ff8f22ab9ad269b115f2575dc9eebcf0da0e38821f9006c8cf

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\searchI5UNT4YS.htm

MD5 ef7a3a31997c469cf010d5f3dc3541e3
SHA1 280fed793bff764e009c70a1ab7ecd5401bb4461
SHA256 3cc7898b0b21bd5d888967a293d2c98c138e43bfcdf8765c7839d524b32e6ecf
SHA512 d9cd8224eff982b5079c8fa1ab1ea3f556954ba230ed7dcf5c7137d0cea4ddaca05d92d726057f69574444123bc21059ee0d8727faead7a9302b3c05f6d1f3aa

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\searchZXO31UO9.htm

MD5 e3f3628782f3e35edcd197abfd2bf4de
SHA1 8f187163a49b6dd2ca91d5e83b2f1c0ae36cec1c
SHA256 464dcd059344c12ba8b49ae2aa28e93e0c0445432da5d2f59a56cf9953720e81
SHA512 a6e49b2515a1f9be394074e319679df640adf0f6c1b1327c7759c1e0d091d5b8b1a2cc7f6bceac631d2be6b31246f22b5155b948477df29e84b4dbfc3b12082e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\searchWARJY6M3.htm

MD5 461f0c0e480e8164c09fc0001a314f78
SHA1 148d480e89b4ec5c4a196d6bf16bd0287536ed30
SHA256 0b8fdd66ae88744b2b84711ec5b8aee4b3f422774a3851c7ec5117d08fc37bf5
SHA512 1beaa6fba28c75a978267f96a1036fa72b0b76153d75ceba640292d5d260d172a6c83edbbb392124a96af2eade19e79fc82b00dd84316fc6ff8d01684bfe688a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\search380N0T5H.htm

MD5 b61ae8ed3fc6dd566a0db7e217f3bd2a
SHA1 8cd53d449c4e77a9604de59b0a54d8815e7283de
SHA256 3167a8ba635e7c41c4b984d6fe76340f06c42555f14c519564622b033531d1e8
SHA512 02d3b684871f5eef80db1bb3c858352b62dea68b91b53556c8e1a4453a75319de3f299f76b742598532029b78810353fcf93eb995f51977f538446b334d98f6a

memory/2516-575-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d5506d9d64e7ca68d070bf0232f0256d
SHA1 4d82f2931d973bf24da7e68ecd2b48b2d9def169
SHA256 ee8cb4e72657b71ef1f58391ec7741c981958423e0cf7ff13359deb11e1ca600
SHA512 3e50b0be33b0e294b51daa58f6fe09f7e5cdabb8a73c467b83a87d1270721595ab8c1f655ae1746944588748979e760bd35b200f814897b4beab1dba15732c31

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search[6].htm

MD5 e2c8dd3aa1bc0d270415ed8c9734ce29
SHA1 a948895db918fb3023530cdc77c1671fb7342918
SHA256 4689c1d3368d085162a704f6d4ed7a3f6fbc9fe7c79f89cf35ba140d8cf77ed0
SHA512 a6f01489622143839d0025a7b6e4c644be9ccedfc5be9a1f323f2ff21d0d85e80fcc4dc48e22ac54e00d55fd3c40b8320bf78ddb54b3469824bb41fa70487e07

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\search[7].htm

MD5 54e999b5164f1108dfc341aa1e6aebbf
SHA1 890f49277e0814f88cd84eabea1120a8ffac402c
SHA256 e3e1eec1bdeae43cf4a4621c27c2e9eb303a2a6f7532a89b22b55e24bd693d09
SHA512 a1dd83d1cc79be02ee2b83e86cdc7fdfa6b5683bf4077e4f1d8c38a47502ae9161dd4ad57a64dbd6c31d28e683933701170b44e35f3afb6e629ca7cb5d819413

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\search[9].htm

MD5 eac268c745905d7da2d82e9ddfc30618
SHA1 e6f28c1f9de08a6ed6690ac7a391611e0e34d9c2
SHA256 d7bee2c3a3172e37e89bbd48443d651598985d9d4c6cec2ecacf1f9a2732361c
SHA512 b4776c073eee0b6736cea6616ae6ad1e1125a3e44c54a586654363b7e034ba8f095f36c8836929941c3db243145ea7e90d570471546a2fee973130b85a6ca410

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QEA1P7KF\search5YGDNLTH.htm

MD5 59ad1159e65f6941235fb7766c23cf94
SHA1 34af61fb08d51d0330a88f9bbec7f831dc0e177c
SHA256 b29a62ceb84a435364839b4f242140a07d3cbacaf8fd3a4b75329193969655fa
SHA512 2e77b387d84b43bc7124f3ce85933e33150c6d6be9d256c992060139ffe9e6009c50ff17925f83721cff3e15a3226d45aae2a5a80f4dbc8cdf0601c2e81c910f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\default[1].htm

MD5 5431b34b55fc2e8dfe8e2e977e26e6b5
SHA1 87cf8feeb854e523871271b6f5634576de3e7c40
SHA256 3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432
SHA512 6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\searchL33CV1I9.htm

MD5 87597c3f803fd92662055de3649898ac
SHA1 c51447b78348860709ab65c596d341558e8b6774
SHA256 d1f05444095056383793d28399162ffe40d0c0680873631ef5ec74d8fe4d1588
SHA512 0cdc465e95eafe43a070f4a893a4e81f198d0e7292543c24e7ff500a00e3e9e34905cb91b1aa9b2bd69ab88a640449703bb85a4c4fc5f35501cf0fc709b08cb6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\default[1].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

memory/2516-733-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\search29JU7P0X.htm

MD5 941bc2b5b9fa49fceb8088bfa983d255
SHA1 bfa859d43c6e2772c6252cf6ee4b17f6941c6dcb
SHA256 4105349780b2d04cb5355a113a266f16cf42520569956eda98e01039f05a4f10
SHA512 41451787e462785e28af01e882acfd8d857340152b2962301422d992c9fdc25266adb1b1ab55ce8e1a19be94183aaa862b5172543171bff78c03178d7f5a1ad6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\searchQCE5H74Y.htm

MD5 de9aa52d627beb3e25dc1d143f11b4d4
SHA1 d0a33308bb54f4967a7de89136ed7fbb4e2abd1c
SHA256 7137c82fe6e8060aa6bcd52802bcd2533642373fcdd573ac0d9e106d0b707cef
SHA512 1d1691f9e38856124d0632ad10caaa5a5e6d94594f8946c44989c97f12233140bb2f61dcf7ae43a750606b93ac9ccc8ebad504222d55939ee82bb588b28ed228

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search9BZIS8JT.htm

MD5 73aa4e3172e0fa4735b26fa0d7e23bc3
SHA1 c565f099267881bc872d4d6d48c3aa789a921d95
SHA256 76be75d862076f4908c3027973e43e33671476ea493afd08776e987096e84b91
SHA512 220bf16365e9d1a1fd5537d16cc1f07582f9a91918c8cc93d7e67d3559c72e346fbfcbbd2f118c062f3e037e6524e03bc78798c1db2db6c596cd1a5889d42875

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\searchE7L99KL7.htm

MD5 a2ecc88b30923dacee36b2775e781fb1
SHA1 34c52770a5662b7f26e5d79f1e17977556eb2d51
SHA256 e54e3d749476f629d841277c0b50396584b36c78c225d0e3d4a517f22a256312
SHA512 409b1b6a4efa30dc93183e7b93f3aeea56a6bb477c074b5999d5cfe1f129a07c78a0682dc875c531501d420ff34ef0d47c051908ff628fb41c26b39a0b84f530

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QEA1P7KF\default[5].htm

MD5 5243568476eb2052b2f3b67dc9053e86
SHA1 b126aa6506772f9024b76580bdf28b45e3a7f051
SHA256 2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80
SHA512 3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

memory/2516-885-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search1Z8Z3RTK.htm

MD5 56d4226e69de676933a47dfd25a02a02
SHA1 09371b39e03766aabbf58bb31210ed26b7a1b6c2
SHA256 98a1f99e725ffc0cb73872e14577dc1c983cb824fb957305c86abebef0fb1ffe
SHA512 b58ffb8d9f77bd8e48125b57cdfada42dabaea46a9ed9df615e340fbe8569a846c0c3d52f84a941d3ba0645cd36ea558550cd6206b68b2a6559649a8fce3a62f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search15L66J5O.htm

MD5 812e0d8289fe9f668a0654aeaf4e6635
SHA1 ca8d7b8c428372b3384c266bd3f466f240a29f8f
SHA256 71bb797b9b1788fc2a729fdd02b254bfe745e567453fb9b4b7056cbe5789c7d2
SHA512 b46469cccd02979f86b66e9cc368a734cbf494b4a276dd169f15b54fa7d48be1a3abdbab8e35c72a4a6fd5c09ae02df804753f1a18506aed952bcc70fce839c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\searchYFZNNGGJ.htm

MD5 f5e43dbe50aef05ac76638326d261c1d
SHA1 8d2cc356f4a7fc53c91ce9c3dc2797a9b376e75a
SHA256 b5c510a3a3baaf21f4556d8b68df154ccdf3a3a58200f3e5ff7b5e12fb2c8d2f
SHA512 ec73b9fc016753aacf9112606da08b2e334589b642f0b0f443136718643ec916adf7658ff3082a7abaa4f3f1a0301d013a771be41d8f494d7fa5d5cf0d6278c3