Analysis Overview
SHA256
eec0ce6205e7c5649791f474146212ac716b4dc7bd422be980117e963ad95779
Threat Level: Known bad
The file 075d4363d086106e25e858ee868dabc0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 15:38
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 15:38
Reported
2024-06-20 15:40
Platform
win7-20240419-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1860 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1860 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1860 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 1860 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.13:1034 | tcp | |
| US | 155.208.210.76:1034 | tcp | |
| IE | 159.134.164.135:1034 | tcp | |
| US | 208.189.196.18:1034 | tcp | |
| US | 16.91.196.218:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.9.12:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 192.168.1.23:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 99.83.190.102:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 192.168.1.34:1034 | tcp | |
| US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mx.gzip.org | udp |
| US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.gzip.org | udp |
| US | 85.187.148.2:25 | mail.gzip.org | tcp |
| CA | 16.55.145.11:1034 | tcp |
Files
memory/1860-0-0x0000000000500000-0x0000000000510000-memory.dmp
memory/1860-4-0x0000000000220000-0x0000000000228000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/2100-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1860-9-0x0000000000220000-0x0000000000228000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1860-17-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2100-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2100-23-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2100-28-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2100-30-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2100-35-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2100-40-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2100-42-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1860-46-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2100-47-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1860-51-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2100-52-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 149651a0bfbb95274ab4b2a83e9b8592 |
| SHA1 | f4dc741a6cf874ef273d407450da657c2035c0e5 |
| SHA256 | 589f5d7f367c6d4e6e502eda5e9d89eb6d91c263c5b99467286d6399619972b9 |
| SHA512 | af23d2b7e899692cc41833bf087cf947dbb3006a47fa0644b8c4cd3cea64f5f8beb16470baeafe3f4729e10ab84884817c62d9e09306695c2abe769ba5ff6b4d |
C:\Users\Admin\AppData\Local\Temp\tmp7409.tmp
| MD5 | 4b49905d57a35a6ca78c072cffd18ed5 |
| SHA1 | ef31609c8cc07605d11a093df4dcd38f6755eec9 |
| SHA256 | 4334f4f8ee5be8234d8f2d5249815284a945985ecc4db951ec0fd65ff2cba9ab |
| SHA512 | 301c81b6c5d3f0128c43ac6080882dfb36c3df24c067e9bcee6bd14df5217d04e573a2d201be433110ac23869854b78c5d86f8be18764bc2f2b8f9c8226d1f6c |
memory/1860-73-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2100-74-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1860-77-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2100-78-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1860-82-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2100-83-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2100-85-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1860-89-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2100-90-0x0000000000400000-0x0000000000408000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 15:38
Reported
2024-06-20 15:40
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4740 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 4740 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 4740 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\075d4363d086106e25e858ee868dabc0_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.13:1034 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 155.208.210.76:1034 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IE | 159.134.164.135:1034 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 208.189.196.18:1034 | tcp | |
| US | 16.91.196.218:1034 | tcp | |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | aspmx4.googlemail.com | udp |
| NL | 142.251.9.27:25 | aspmx4.googlemail.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 199.89.1.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| US | 52.101.8.32:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| NL | 23.63.101.171:80 | r11.o.lencr.org | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.101.63.23.in-addr.arpa | udp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 52.101.8.32:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| N/A | 192.168.1.23:1034 | tcp | |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| IE | 209.85.203.27:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 104.17.78.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 99.83.190.102:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 99.83.190.102:25 | alumni.caltech.edu | tcp |
| N/A | 192.168.1.34:1034 | tcp | |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| NL | 142.250.27.27:25 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | mx.acm.org | udp |
| US | 8.8.8.8:53 | mail.acm.org | udp |
| US | 8.8.8.8:53 | smtp.acm.org | udp |
| US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | outlook.com | udp |
| US | 8.8.8.8:53 | outlook-com.olc.protection.outlook.com | udp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| IE | 52.101.68.28:25 | outlook-com.olc.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | coloradotech.edu | udp |
| US | 8.8.8.8:53 | mx2.hc3950-10.iphmx.com | udp |
| US | 216.71.149.25:25 | mx2.hc3950-10.iphmx.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | email.com | udp |
| US | 8.8.8.8:53 | mx00.mail.com | udp |
| US | 74.208.5.20:25 | mx00.mail.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| CA | 16.55.145.11:1034 | tcp |
Files
memory/4740-0-0x0000000000500000-0x0000000000510000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/3144-7-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4740-13-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3144-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3144-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3144-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3144-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3144-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3144-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3144-38-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4740-42-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3144-43-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4740-47-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3144-48-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 10cf654c81c39df0846bb54cb68013fb |
| SHA1 | 9400bf505724297991bcdbbe7d40a1f2db179c0a |
| SHA256 | f4d7249680262066ac24c241421909cab28e2ca30677d5b66c96ad36f3203aa8 |
| SHA512 | 241960110608565c7ecddb076ab6c0b3dbc19deb099493527b2d1630e77a88ebe14d11ed7e5f8bb09e1848786cb9498cb640b2adde8476a780494b26a14eb4af |
C:\Users\Admin\AppData\Local\Temp\tmp574E.tmp
| MD5 | 88374c6ec3c7ea58d5f0519075b9e680 |
| SHA1 | 89e0ecfc57c5d12e1b15c170bade2563252a1e6c |
| SHA256 | 54e97c79feefc9059360eef5b3087c1bc45ea9932ba965517d829cd5a768a77f |
| SHA512 | adc5de73250a6263af607d0013496c8d1e1310a5fc51a8ba9d0732ed39b1d1a76f4d1c1648e49c53382f66703fca3705766c33a923f58c8c3df83763db8bd05e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\search[4].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\PBK0HGNY.htm
| MD5 | d0ad38b81ec98208fd5dc09403f22a40 |
| SHA1 | a80774bd46563852041c731df56b64b0924ec08d |
| SHA256 | 603ce4a5b3c80bfec21cc59ea145745fe99c368eaeec9f2df988b2c9fa29f0ce |
| SHA512 | cd4247129b79b9e4c6f9bc1945a83a396530a6e75be02ba54e7482ab46c8360c34e9bee9236f6c540c0c3d64695f627826dc9b0b984e3c66388c479fbc2f9cd2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\44ZGVQ6R\search[4].htm
| MD5 | 887babb5a5ff2c0a67b02ec40e6449ee |
| SHA1 | 1addffd26ba72f7485452a63a1ac46b0d70db085 |
| SHA256 | 376dd73a6a70ad7ec79011a19e2c25005be5951dcc1e4235a76ae7b398ca1147 |
| SHA512 | 6cad1849220cf230d45f36dd75c738729a74277d02c96fddbbf07a54fa5c99bc45e12218dd010d2df5447da52ecf8f734a780611a7dba631e833cb4a668e4c1f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\search[6].htm
| MD5 | 99ca52dfe04ad62e3d911bab802ef8d6 |
| SHA1 | e61f297e8c7be7a605588699f2d918046a4a4aff |
| SHA256 | 6ec43490f8554c1658128f875c312f40d83d28de4beea3e47d3d64cfddc69c42 |
| SHA512 | 8ac89494d14a1358f75c7ec6a30f07611c91a7ac901c708740a4df77497e6671753b4d1faa562469e54b3142fe0b2c7e1f0a602da09832c5e20b3ab4185dc648 |
memory/4740-233-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3144-234-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4740-237-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3144-238-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3144-243-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4740-244-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3144-245-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 1d535bef12bf4055adebc231e57cbe4d |
| SHA1 | 43ed173233e0701757550f82c7bf386b51457e2f |
| SHA256 | 81ee7633840bc869ad8c0b97ba08a5c166fe69d0d43a015fc5a85c645c19d31c |
| SHA512 | b48134f4f5a571908049da4e351c45aeea1dc71610d5dde15205fce4001792adc47bceb361aaba967539b5510f8623c7d1f21753d9ff75bd3f8df7c2c7c01e00 |
memory/4740-290-0x0000000000500000-0x0000000000510000-memory.dmp
memory/3144-291-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\search[8].htm
| MD5 | e8a7b4cbe8f68c80aa7099a9852302cc |
| SHA1 | ea1dadbf83b5dd4b485aa88a4aefd2dcf0c4e05a |
| SHA256 | 165472dd9be8888377a790325eb567f6cf480f7347394fb9883c66dbef6d85a9 |
| SHA512 | 0db903ed8c28c4e3d4e3ccc431fee178827f02b478a857c7aca35094d2f9c27c5266332ae9c47ac2ef2b8729e5fa47153bc01f57f6b323677070f9a8c28b3d1c |