Malware Analysis Report

2024-09-09 11:23

Sample ID 240618-kk3dxswapd
Target bacd393c726300649bfd5eaa017516fd_JaffaCakes118
SHA256 343c41bf691b66fcbf07f89059cd97d320fbf1facd0b95afd31da3e654fc4716
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

343c41bf691b66fcbf07f89059cd97d320fbf1facd0b95afd31da3e654fc4716

Threat Level: Known bad

The file bacd393c726300649bfd5eaa017516fd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 08:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 08:40

Reported

2024-06-18 08:42

Platform

win7-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\dnWozue.log

C:\Users\Admin\AppData\Local\Temp\zincite.log

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 08:40

Reported

2024-06-18 08:42

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bacd393c726300649bfd5eaa017516fd_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3856,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8

Network

Files

C:\Windows\services.exe

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\lcpitpvwg.log

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\tmp3437.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\search[3].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\44ZGVQ6R\search[2].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\FW2KQDC5.htm

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Temp\zincite.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\results[2].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\search[10].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\search[1].htm

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\44ZGVQ6R\searchW1V3JXX5.htm
