Analysis Overview
SHA256
0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d
Threat Level: Known bad
The file 0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 18:35
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 18:35
Reported
2024-05-27 18:38
Platform
win7-20240221-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | C:\Windows\services.exe |
| PID 2660 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | C:\Windows\services.exe |
| PID 2660 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | C:\Windows\services.exe |
| PID 2660 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe
"C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.213.60.59:1034 | tcp | |
| N/A | 192.168.2.155:1034 | tcp | |
| N/A | 192.168.2.111:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.10.6:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 10.227.85.66:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 75.2.70.75:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 10.0.77.20:1034 | tcp | |
| N/A | 192.168.56.176:1034 | tcp | |
| US | 8.8.8.8:53 | apple.com | udp |
| US | 8.8.8.8:53 | unicode.org | udp |
| US | 8.8.8.8:53 | mx-in.g.apple.com | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| US | 17.57.170.2:25 | mx-in.g.apple.com | tcp |
| BE | 142.251.173.27:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| BE | 23.14.90.73:80 | apps.identrust.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | email.apple.com | udp |
| US | 8.8.8.8:53 | mx-in-mdn.apple.com | udp |
| US | 17.32.222.242:25 | mx-in-mdn.apple.com | tcp |
| US | 17.32.222.242:25 | mx-in-mdn.apple.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| N/A | 192.168.2.17:1034 | tcp | |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.41.28:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | mx-in-vib.apple.com | udp |
| US | 17.57.170.2:25 | mx-in-vib.apple.com | tcp |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| NL | 142.250.153.27:25 | alt1.aspmx.l.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | mac.com | udp |
| US | 8.8.8.8:53 | mx3.mail.icloud.com | udp |
| US | 8.8.8.8:53 | icloud.com | udp |
| US | 17.42.251.62:25 | mx3.mail.icloud.com | tcp |
| US | 8.8.8.8:53 | mx01.mail.icloud.com | udp |
| US | 17.57.156.30:25 | mx01.mail.icloud.com | tcp |
| US | 17.57.156.30:25 | mx01.mail.icloud.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | mx-in-rno.apple.com | udp |
| US | 8.8.8.8:53 | mx-in-rno.apple.com | udp |
| US | 17.179.253.242:25 | mx-in-rno.apple.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| N/A | 10.159.126.116:1034 | tcp | |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 17.179.253.242:25 | mx-in-rno.apple.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | tcp |
Files
memory/2660-0-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2660-4-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/2912-10-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2660-16-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2912-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2660-23-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2912-28-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2660-29-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-30-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2660-34-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-35-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 0da3acce255be0f37bb0b2988bafe9d6 |
| SHA1 | 3862c4581c5e98287a4d3f6ece034d1cf074b813 |
| SHA256 | 5e2e27b89d2e77122ea8f8acf41bddba89be99ce579dd6f1ee402158668991a0 |
| SHA512 | ecf7e233290bdc1a67dc6296067ae73927686118b099bb904b6bbdc26a142fe7c9bfb103b8f032b4a7b6b41508d5af02b00898c80d6ac7f115ffc1209558bde7 |
C:\Users\Admin\AppData\Local\Temp\tmp4896.tmp
| MD5 | aa082a7694913a5821f444219953c0ef |
| SHA1 | ec368d075832f93767b221712d61c6daa5ffc258 |
| SHA256 | a06f7739903287dd495f34f5f96725fd48c2c572c4e2b73b23d670b8c036e2d5 |
| SHA512 | c66568c7781012d6271cc59f8eddbb6f680141fd1212b2e5e7837e3c39c3e66b0af9ccf375ef289c14f96b2a4ceb0f66948812a3dc9a2de17f91a98dcb214cbd |
memory/2660-52-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-53-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2912-55-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2660-59-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-60-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2660-64-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-65-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2660-66-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-67-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2912-72-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 43456fec0e19ced837e59857ce14b629 |
| SHA1 | a6298895a589a0df3ebc385f3c34436de5698f60 |
| SHA256 | 601ef4a3c9e25fbcf656368fc70231f223ff9ee784340b24470c5897fdf0d164 |
| SHA512 | 29610ca1acce07e452eb1aa99c0bb6d91c840a00c1d370bf6fdef9f0175f6a9083d16ebc99b8e594de5e264fcfc3b6b88e4e5f4991f616afea8cf34e62b3abc4 |
C:\Users\Admin\AppData\Local\Temp\Cab4D8C.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Cab4F07.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 39ac38ec20ad3618e118312e7bd9b1da |
| SHA1 | 0278124802b39bd203a739918c2c5f3221371682 |
| SHA256 | f62fba98cac41906fc005b16f77d2659d9273e77ec5017c8703300c7ec2fe0e4 |
| SHA512 | a189c578b34bdd2b4a61ee183a279b6b8a8279579572be6e7a454bec977f7e108d782a120fcadeb38c5d02f3fb9a8caa3a8acc35fddb89f987d128a0196ce40d |
C:\Users\Admin\AppData\Local\Temp\Tar4F39.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3613f011c3ec170ad4f546aeb607ed99 |
| SHA1 | 1a5507aa51bbfa2592f358ec4315bcd6b672ee42 |
| SHA256 | 3a107c4162e7afa5526f9d3b7de68796acbcea71cee03d655cdf235de6acec99 |
| SHA512 | 9f0b75f0804f1d3fb388dcefcecf0af69dfc816ff91c5a8e9867e8c55d9d4a3065ad695e3cb074b97626b8b7407111509ea0000161875ce23c15fe2d8be636b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57834e32fd42266f28ef85d286b4040e |
| SHA1 | e374450efe0f24749db44485ff8c79460805ebe8 |
| SHA256 | 6696b1362123c731fdf35fef3b04fa8ffa49cff913869b78022ac35d40786cec |
| SHA512 | 6e1a049e39abb485bea7b42f8975c472714d03c6a3feae796f713d76800999af7618500d0347fe871285c6ef810e2d72b1d7384d12353323e0bdac74c47c1223 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7edb6d255a77244f55c3b7cc8bd11b9 |
| SHA1 | 55ed2b1faa09115c4c9d912b111aa06521d4cbd6 |
| SHA256 | 978150b7f85b4ff95a9da701868dfc16a9ddfd5d9ce7f7f16d72e75077107861 |
| SHA512 | 8157da44f7cef6284e10ec902e14d89eb16bd926d1b0e3e7bfed464dc142cab6d8b5bd2c2528c3ac7d2397acb07424a3945fb0b69524a77959d2f4e733917639 |
memory/2660-423-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-424-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2de07dae217ecd39edcb16b47d030230 |
| SHA1 | 77faa0348ccea481a4bc5c7536fd182f0a5e7d03 |
| SHA256 | 69842ef1c52b48d227bca3ce55e9ee619fe33660506d757dc6e8103f519a8625 |
| SHA512 | ce4038840f8292d3633da040c2b5b4bcba726d1d4cecfcc8700487b6f923577697511fa086387971a6fccc6b271410351b82d194390a2cae37e93544255fdb3e |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 5be6ce5349a8a3171bd9589cbe556a84 |
| SHA1 | 6ac35533d24d90f124882206c15ef1af03c73a21 |
| SHA256 | fd3dd24d828b339f94fc39ee42a68e0e541e3e93cabd68aef4d6041ea54c6e0e |
| SHA512 | 4af8083899dc4bedd0229e42641c441cd2ea799d05cbb113813660ce132c770b9820f30175d621d4db1757bfc4ec671b6b8e0cca41f183467cceffe9de3aa539 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\search[1].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f4b419fbfea0a998c8557e5395a26df |
| SHA1 | 837a25ee3f41a4c5912ccc852754f474b4032e30 |
| SHA256 | 38af6b2082ce59094de1c2ad1ae206e5c239cecbe63fc8c4c52a7477d2a39260 |
| SHA512 | 9c72cf4b4d2e091705ad4ab7bcf89af856e71c71a0e41398d4e8092286944a15db489067913ea48eeb77f496b0e5996481f6bf2f43b0172f8e1cbfc9817bfdc5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\CWZRCJNC.htm
| MD5 | 83ff7a7935cfda7ebec65e9bab6c49b3 |
| SHA1 | edfad17c1b9c16f406f41283d59d6f7f0be1ebd6 |
| SHA256 | 1c530034baa88218317d82a859f8ef1112e8cf37df9b24ec50bc559fcf8e8385 |
| SHA512 | 18f7ea9f236b151008514c19456a4e486f88c8c585a7fcf6130973900cbc7872d0ca66a3ee4d31abbffcbc217b0f89c059de6fbc2be0d79ef401a70dfcd1f0a0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\search[2].htm
| MD5 | fcfd9ee75ae5337db39bf610c2698aa9 |
| SHA1 | 3770a86d45f31973ea00bcc1d188db9574dfcc7f |
| SHA256 | 42421e48a85ba5eeabb6ac27fb598e821df29d156d1b708b1e7bbeee57f9c945 |
| SHA512 | 915ba0d547e39189ef5f5518b04d85e4b814acccbb4d9e01375e7d2f88c0974b4fddb2dcedc677bba066753f03260ee9255b8f85b0754dbd861c4f241c5c9eb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 090832ae1c413a4c347f54dad347b9d3 |
| SHA1 | 22139cffd78e158c65fee4193b896b926cd98c8d |
| SHA256 | ba950f34ec0678fd0a3f189ad2181c6370f948501df4743b06f06752537c069c |
| SHA512 | 46f39f01b76db037c6d9bb0f42040bde99484e4aeb97f0fb1a78e1ffe80e6b7ad514c882aee732ff87157d161dd1cfe2648b145ca70575926bfe8f20b171056b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3aeb9b3e1abe23cabc6250f645749205 |
| SHA1 | 51824917b229df63542348382a1e6baca2e0a9d3 |
| SHA256 | a7cad4676f9bd388d6181207f2b19af6c406cb74f57f56a84e0aa8074e9a23fb |
| SHA512 | 9bfca3e62f502a2beae2721e84d832b72a3ba7fdcb08cc3b081ce0822cc9769f5cb9f0d309ed8f965aa72878b520da2437266e4c1a6d59156f1cde1153e16829 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\results[4].htm
| MD5 | 211da0345fa466aa8dbde830c83c19f8 |
| SHA1 | 779ece4d54a099274b2814a9780000ba49af1b81 |
| SHA256 | aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5 |
| SHA512 | 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c37270b2efc3043cd2216c5942577dc6 |
| SHA1 | 0c64830f4fe9ac611cee51d10906b7203dce7ea8 |
| SHA256 | 1c650c1c84f3ccb12b0d396f99ff5847c8c13801a43076d6f837cc15fb3e3e1c |
| SHA512 | c87744d9306d08aa8e28f786f527d0312631936546928eeeae2b3c307fbe5f1cab86d06330d7187662deb1b9ad4ca9f110741a2ee629d43e64e34d5b78bdbd4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\VLGWY1S5.htm
| MD5 | 15feff54a885da403bac298ee20d044a |
| SHA1 | c2fa1777ab0221fbe6383ba8d3a9b744220d7698 |
| SHA256 | e45a146049acff1c3c1dafe3ecf23d19db6b0567f655b981376ad2b926c96306 |
| SHA512 | 2905d56d1f58707d303782246dd3cb95a9cc90ceb9c774d24a4ab0add6265542dd372e943ca529e88d6d996a47ac0462c3742d073c9b1a18fb9f26f9a6b6a6d8 |
memory/2660-866-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-867-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38d87b83c3530579481fb4c92f633ca9 |
| SHA1 | db574d8ea08b81309e0fad4530b63ad805183efa |
| SHA256 | 19ad2eab3258038ba76e6b97a55a5c9127793d7d316757931e7cb6d3ead3b384 |
| SHA512 | 93f5284e0788294661a07b8ce2f2418e5fadf58b6ffb9e52948929fa504f3f38b76fc5b1f9623802661949c8740452c70cbf4aea7b344835b4ad4a59e7da3a13 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d205e51056212f373731feb7ad6fbf2 |
| SHA1 | 7c99dff8def421f5a5c25e45744b1a0ff9058360 |
| SHA256 | dfa2504c6a9ab0b05606ca3178279066a9c7470006a622b6c1f683894a81e524 |
| SHA512 | 1eabc346b10feed26fbceeee2ada95f65a8fb5a100632447979f61d0877125da9149370732c35ff33d61f47080992ba6598ccd3dffd858cdc04301f3d3f4d4c9 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 3af978d87dab015daebdc2aae30bd387 |
| SHA1 | 193eb68ce6a7596fff7107b438b9da4234a6db94 |
| SHA256 | 2e1ab9a00c4d72edb216730ccc01b6b2f0d25732384a41461b5e5342fe12680c |
| SHA512 | a5bd678a1e8c3fe608259881037d358531ca77ac9dbe7ed64bbec3d1cdac975d83e40d70fc396e4030472f650f931a62dae9485c01a5da54bd2073355e215920 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9216cbb47358c7e89249489d6414499e |
| SHA1 | a84b61d4861b6c9bd37a96cce754a941dd7783c7 |
| SHA256 | a7765932d44912c90d0dea275a63d0aad7c099355e49b1447a3f41c297143503 |
| SHA512 | 2a1a4288714d57f840d1b90f72a26587aeadf2bbd9e59f84556e319cb15db6401f8cb27048fd2e557b472057629a8bbda05be1ced28f2bc4ea8bd40b6ee217b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5484ae63ce26b2c7b3682c67af5d87c |
| SHA1 | cdd7e1a4678129d7a5683e632c12cdfe4080e9bc |
| SHA256 | d23ee294af97856392d4cdfde91bcfc273e3f37b3d93b7006d01cc2564dd515f |
| SHA512 | 3b1dc5c131aa5576ca33306d4f9138bc0e0aedc8ee88894d48f22a0058c848845806052ad3a62e1142b67518ac272a56e7c6bf856c4e1ce6efdf39438b82d7ad |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\search[9].htm
| MD5 | 5d3d9cc3c4a77e8969cd0e627d6d388d |
| SHA1 | 89a8eb6aa0a1d943b12c8e269aa339b108a8642e |
| SHA256 | c042f41a28de3beaf1948676f6ea6abb6132139e8460b4e4e8db60ba0798304f |
| SHA512 | f5752c41367c9e61e392367b05109a10b05b997ec4ed6678d885dd5e427c0038cce55c213a6b9f33062aff6f9484dd473565d78063f2aebc1e07e59cb2544d4d |
memory/2660-1410-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2912-1411-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\search[10].htm
| MD5 | 89ab876a0e519869c0d015f73f7acc46 |
| SHA1 | 37f17be66c5c403df9b93ff82d27333e9e7adbaf |
| SHA256 | bfa9ac351a86002555199118f1cf8d35c38122776e5509d384770e83ac600eb2 |
| SHA512 | f3459b465cfa53b71ef9d6a5a855211036221b456db28d65f7855a48cbf26f4a568fcef79cdf37ae18309b788023b9a3eeb7edf0dce6d69b03a02c578d61a2bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\search[5].htm
| MD5 | 147ecd5f19093ed35e7d3e59b656dfe5 |
| SHA1 | 676d8852a9f2ce67b929cd850ed48ea15cc21273 |
| SHA256 | ddac5c0d9af46dc0dc669b013e68719f28486bd280da6c0608eef60f019c038c |
| SHA512 | 0269d08c9e9199367302c300e44b100ef81a7747ec4cf4b1ecb6c74c2d6a62c53fa3565c5b22510f074fd3f8cde334513b6a086ab62b1bb9e8da4886cdf5d7df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 18:35
Reported
2024-05-27 18:38
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1060 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | C:\Windows\services.exe |
| PID 1060 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | C:\Windows\services.exe |
| PID 1060 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe
"C:\Users\Admin\AppData\Local\Temp\0869b803e276270fc43cd6d9d805324782f7161eac8a5c7ec62db6e09009791d.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.213.60.59:1034 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 192.168.2.155:1034 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| N/A | 192.168.2.111:1034 | tcp | |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| N/A | 10.227.85.66:1034 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 10.0.77.20:1034 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 192.168.56.176:1034 | tcp | |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| BE | 64.233.184.26:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 199.89.1.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 65.254.254.51:25 | mx.burtleburtle.net | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 36.215.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 52.101.40.0:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | hachyderm.io | udp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| BE | 64.233.184.26:25 | aspmx.l.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| N/A | 192.168.2.17:1034 | tcp | |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| FR | 216.58.215.36:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| NL | 142.250.153.26:25 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 104.17.79.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 75.2.70.75:25 | alumni.caltech.edu | tcp |
| US | 8.8.8.8:53 | alt3.aspmx.l.google.com | udp |
| FI | 142.250.150.27:25 | alt3.aspmx.l.google.com | tcp |
| N/A | 10.159.126.116:1034 | tcp |
Files
memory/1060-0-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2168-5-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1060-13-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2168-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-38-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-43-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-48-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1060-49-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2168-50-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | ba84bca51ef6dc29ed38ea55b85e34fe |
| SHA1 | 9b3198e954dadf499b656de3656d7934745a7fe7 |
| SHA256 | 48363960e82543bd5d826b12b543fa8f831afc7780be282a0f60a19f5f64592b |
| SHA512 | b786d700dc3d5d68ad5863a0978063585160a9d4c3823aebd3abb1a98c8624bcf8110f3b4f0f6b9e0a70bd07563bed5deaffce4b35234ca8e2edd2acb2cdd149 |
C:\Users\Admin\AppData\Local\Temp\tmp3639.tmp
| MD5 | 629f1f95b08de6cc624a42a85396c2d2 |
| SHA1 | c0d00385b7a55c18f9a954eb46d831f8967b9925 |
| SHA256 | 7ab6cb38fb7b66022619d6c5d9fed03a65fbbe36ccb3bf9c56a88f68a239cd6d |
| SHA512 | 3a09105e561f88f8e899eff85c39211ad0d1b3e2d6f4073120c57c40f8f7ae52827803b3c6f6f4d4184c98c999e65e8ecad3cc4514e459f81f28297c5492f143 |
memory/1060-73-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2168-74-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\search[2].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\R5UPGTQQ.htm
| MD5 | 36d1a56d977b2d73dff47a7969a5a545 |
| SHA1 | e34edcd03022cbad100d488ca0784f7c4ab3d055 |
| SHA256 | 2720a25ceb8dc158b875d824873a79d7c1bb6f44babedf1cae78869ac1faadea |
| SHA512 | 9f574bf58cdd54d6788fea6a1a10263ff96b1292a57c16f03766f9d3d8af14ca2975d87f5c5359e610cadd16e170894b523b895d638d4e1bf65cddf40179ede2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\0ERT023H.htm
| MD5 | 30ac8c75c325b0c4715e02dbc177ea83 |
| SHA1 | 303d85752fa4675c8cc963c6584a439e5f0e02b4 |
| SHA256 | 538f769b5502d84a3fe9798a55b05c80c994ece76db6d7b6449470400087027a |
| SHA512 | db8c5aab2f7dc712db8235f473aeaa60e512f87aacee86c304c8d6c42cdf8d250e8327e6fc497ff3c90aed742cde19f476197b221b5b437fde9c7371f5618f52 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\search[3].htm
| MD5 | 78149efecd828169569207e41ad26e2f |
| SHA1 | cef7a7fc826ccfc34bacf7c5bbaaf0f9f6687ff9 |
| SHA256 | 5869474d81d25e33ada927dfff38018526ddfebca48eb6c8df82b40d664a56ab |
| SHA512 | fae4c88e21b9cb209445faea1733b0f9358b2b333e669b1c35cd118b38330c866c04183cc0df440b22e61a4661b55755565bfdceef3b859433a9f29b0a4e2f8f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EO73ZF47\search[3].htm
| MD5 | b9c32159929400575f530fc26564b7b0 |
| SHA1 | 0a3752b27bf72060ddaaa04dd2683ce5d99fa009 |
| SHA256 | 5fb31d733f6d7037a2608de052b0535af1baa6a05acc8d2979bed1219901bd97 |
| SHA512 | 890ee28f775711365ae2e21fe45f0cf65cb3197dca70f9ebad10c5c41d5c453bf9d7f278754f486615f766fd96df7c15df5f09cb56498fe73e8f697cfaae8cde |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EO73ZF47\default[2].htm
| MD5 | c15952329e9cd008b41f979b6c76b9a2 |
| SHA1 | 53c58cc742b5a0273df8d01ba2779a979c1ff967 |
| SHA256 | 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7 |
| SHA512 | 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EO73ZF47\results[2].htm
| MD5 | 211da0345fa466aa8dbde830c83c19f8 |
| SHA1 | 779ece4d54a099274b2814a9780000ba49af1b81 |
| SHA256 | aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5 |
| SHA512 | 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 945e065e4502a0b1a2bcbbf70deb9624 |
| SHA1 | b93ff5c269ee4730a20a82fcc692a5e1a834ed14 |
| SHA256 | 5ee7b31fb6cbc4dbb129cc76e218b61f0ff43900ef9c409761a58bfad059f5a1 |
| SHA512 | 2d5cc453dcea7fab7e8b4ddb9f2262cfdd5a333ff140f8627b40fa0bff6e3b7e5e51c2f51e81db025f340bbbf2ad57730ad76e3f5f5efddd914def5b21eae830 |
memory/1060-248-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2168-249-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\search[6].htm
| MD5 | 8280938c9eeab664387e425ef4781994 |
| SHA1 | 0777903f71d85c42e79d882bc9d91eceff3e5450 |
| SHA256 | a2dd39977ee24cbf5c2af1639ac5156b8dbac765b2979d43648f846a190c026b |
| SHA512 | 76137c28815920cd3b28d23637dca0a5a927dd091c96e5622e94903f88f03f4f537aece82f8cec48d72736d52c6c55c9cf995fe8b460ac2d7866cbc42002b709 |
memory/1060-289-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2168-290-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2168-294-0x0000000000400000-0x0000000000408000-memory.dmp