Malware Analysis Report

2024-09-09 11:21

Sample ID 240618-1w6hqasajk
Target 5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede
SHA256 5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede
Tags microsoft persistence phishing product:outlook upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede

Threat Level: Known bad

The file 5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede was found to be: Known bad.

Malicious Activity Summary

microsoft persistence phishing product:outlook upx

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 22:01

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 22:01

Reported

2024-06-18 22:03

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe

"C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\tmpB8E9.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[2].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\LJF2LJZP.htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[3].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search0J2K2U74.htm

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 22:01

Reported

2024-06-18 22:03

Platform

win7-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe

"C:\Users\Admin\AppData\Local\Temp\5ed62c048e28abf12656ab1b06fafd354be8ee7497880c628df4f8bb656c8ede.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\tmp83DF.tmp

C:\Users\Admin\AppData\Local\Temp\Cab8FF8.tmp

C:\Users\Admin\AppData\Local\Temp\Tar905A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\0N1O630G.htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\search[1].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\search[4].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\MF4NTPSB.htm
