Malware Analysis Report

2024-07-28 06:54

Sample ID 240614-h7pegazdqb
Target a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118
SHA256 01e884e7ea3b60efbeb0099b8280c3b27b9ed5674cc0e54efe6f03a0ead116f8
Tags
persistence upx google microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01e884e7ea3b60efbeb0099b8280c3b27b9ed5674cc0e54efe6f03a0ead116f8

Threat Level: Known bad

The file a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx google microsoft phishing product:outlook

Detected google phishing page

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:22

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:22

Reported

2024-06-14 07:25

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\services.exe
Target: N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
Process: C:\Windows\services.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\services.exe
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\java.exe
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Description: File created
Indicator: C:\Windows\java.exe
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 07:22

Reported

2024-06-14 07:25

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe"

Signatures

Detected google phishing page

phishing google

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\services.exe
Target: N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"
Process: C:\Windows\services.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\services.exe
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\java.exe
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Description: File created
Indicator: C:\Windows\java.exe
Process: C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network


Files
