Malware Analysis Report

2024-10-19 11:41

Sample ID 240702-v6db2atekg
Target 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118
SHA256 557548955d31a8e2d0a2ff5f93e6149c367f6b3a606376282fa35a9d9aa69d0a
Tags upx persistence microsoft phishing product:outlook
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-07-02 17:35

Signatures

UPX packed file
Tags upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-02 17:35
Reported 2024-07-02 17:38
Platform win7-20240611-en
Max time kernel 150s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file
Tags upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application
Tags persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c2ceb48180a76ba4b7af9fe97584fb35
SHA1 9acd9af1ef4961aac516eebad8a4f6a3aa07e849
SHA256 f6ac1b54d17ee27e20295acbd2c367f1d5b9fbb73ff52d710aba07f67439c370
SHA512 699848933fe7425325cbcd55031a497f0f9e522c05686f5b2280562a0cda3189baa9fcce22ddf0ae008a78cbbffc3b012d867d41b706431962d2a11c83042a24

C:\Users\Admin\AppData\Local\Temp\tmpE5CF.tmp

MD5 8e4a2083cfbfdec92811a5ec5a6afa9d
SHA1 2bea2ba535d94465af45cce95fe1daff941c5431
SHA256 d2ee49181d36ea8291495b53d08be946d157866981d2b5a1de695c065ddd8f1f
SHA512 e5b8eee935d77f74ed23a923c2ecffb6d4cf24f9d55aebff8ef6dded39a51671b90c04e81ce028933190b601c2a574dcd850bf107e82726aed711ffbfdf6caa5

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-02 17:35
Reported 2024-07-02 17:38
Platform win10v2004-20240611-en
Max time kernel 150s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page
Tags phishing microsoft product:outlook

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file
Tags upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application
Tags persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 2b5cbbd28caf2ee442f1dc3150c2be0d
SHA1 de79ad8c2622c776500c6bf36a3dfeb8b857097c
SHA256 d340e92be83d710f8ac31cd5c9943be37e60a8be71c6d7c4e0cfacd62a0caf88
SHA512 32c842c52aa06fa2bd9df2c2522f1249e00b8158c8bcd5cc83f5625380b8f861ed667ba593c9bc3cd09969478ab51a0ba781a89554dc6a4e93b7ccdb6e9dad86

C:\Users\Admin\AppData\Local\Temp\tmpAAA3.tmp

MD5 cbd852762bcdf2967d511ac451f6a6a5
SHA1 7c16422e2892120d15597f8077a39484cd586806
SHA256 21b62da94de837c7c680aad1ff7e35f7fd60634eabc69a0f3b2d966f853ac6e2
SHA512 5ab7cb67171f90d8d50c2ed1f2cbdb776f4f82b27e1f3cf69c503a5dae5879367f7d682f26e56740273260b12e06a6cbc9a80c1b4b03200b4effcbac3822e004

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\E8E0V98Q.htm

MD5 b6a4e3ded24c3abb6724b4a707e3dd28
SHA1 8c5ec033361d7628d0412041da3773d9e6d5c30a
SHA256 0ec79d83b7f9d4fef337395be8eb035debbe80745c36681a094ef57f2745d9ea
SHA512 e5c04c3702e4664fa1dd3fefd2e2e63a7986b2433d67ddd09ff2cc85b329186fb1cd61651dd93e3e827ea7373e9e4aa6e28a7a4c80b2f435707bc4e4a31ce077

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\search[4].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 172b83958d35e9a1b9b902efbf75a3e9
SHA1 d0d325daf8c47538e86b0933ce0df9460d575aed
SHA256 71212b5e1f1ee109ac40b9509462905d6de15f1096e643bb6b28b40b9960ec5c
SHA512 6288e0aacda5f6ab60111bfcf5a3a770e81d4aade4cba05354ed3d15c51ba891cb8699aea62b94cea9b3866913c6902b65396721e8b4666e916586f4ffdb8323

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\search[3].htm

MD5 36f42dab85c172f143ef7756cc5c4ef4
SHA1 570f99e43162ca7bf91cfe5974d770065b4aa9b7
SHA256 8d6911e9f46b9fdb55a650ad6bc983dec89607f200319ced88e2ef05943f3bf3
SHA512 3026a9758c9c8263610e3651e5ce33bf5a841a501a0866fcbd3240b33eaf9060acfb513239760dbfcc670b3d4dcb3a90fb1cb92c4850c36a04c14daa3751c124

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ceea153c79b7899b4f39d4615514fbac
SHA1 f69f98d6ab4ce7e9cb2f96b9ca1276ac688f16aa
SHA256 b7b49ac56e9239f92412979deadff045dc0dd3d587dda271cc11a50e034d2e26
SHA512 235755c592c3395e39731803868bc514547e0826c217a2f019229ef6a403b8341f7171c3ba4af0b60e6ac54c3fa05715c098a8ea3152d6a8571cf45174ceaed7

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e21acc06e07d4a3c187462895dac1f93
SHA1 f242411447cedeaf40a46813678ed037876342c6
SHA256 69f372ad1250ca741ddd04d22c4b9f3a02c9d418e31bc513a3ffafe25a2d056c
SHA512 be0d558d01ab107013da56f2b162c8dc8b96fac4935cb2c889c24f87bcba82a426e86b558a196e48696bbfdce59d755aee23009113ca839313969648d589f2c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\results[5].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\searchTGQH9DUM.htm

MD5 482c2be289e796855ad3c5245371935c
SHA1 1a2ddb3edc514204b565e82cd8506889d3730e51
SHA256 0f023132f9ef635e97d342af8070320aefbe505db20d30c31f810eb670bc03da
SHA512 6f4141eb6201eeef259e3e378b815e180a79f9092d7df2f12f08dc3fa0ca19f3ba28b8e74ee14ef3585a88330d53d0cd7d3eab41bc237d4f3552877347e8e493

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LU15KQ7Y\searchA355G5JV.htm

MD5 5ef9ae0177b4749cb4458288fd39c1c5
SHA1 af3471656b24630e2ad08364baed5c65d16c89ca
SHA256 4dabdde638413a9bf650692634c164258d47dfa0dac05c57ef696b054b24ebdc
SHA512 5a459e60c1876377f3e35ddf1ccc0a55333c3e25b6e0b1702903bf970c4a31bd13336f6ff0e0cdfd2dd0b8a3b9e364b15a3fc1687674432e06766de0544405e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\searchPO9J0YF2.htm

MD5 f4e6dbdaaa453bd03af8c4e8bbae2bcd
SHA1 9f45e5458449b07b6cbf46d6d896b4f29cdd309e
SHA256 d4da1f05c0c4ec4801782afb8b558faf6fb48ac6d4f4f6dee6e0a5aaf46ffb0b
SHA512 d064d289baea2c9d1271b2267554ab8c8468c6e03367db241ce3a734d9fe92b66435a21ac9eef6e0f44b6854987a8d40001493b5f0e624e9b9422f56a6b92dce

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKM56LDW\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\searchLFEXY445.htm

MD5 3a5cbfccf833f3687c487f16f5e3d78c
SHA1 c81510f67e9d16129992b7063ccd59a3026a1905
SHA256 641615d372f3d4174bde2d0a8c2aa807e43322e121787058e6f2e79a78212a8e
SHA512 f43018da7430e0daa2698fd0006be2cfdb2eee0d120fa8f660a6ba6fae57bcb9b8952955ad64765fdfe1dd6e606b946beaadb17d21c05bfffe5208d2effcfa70

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\searchYY66KW60.htm

MD5 8317f3fd8aa44035b3eb28790f23fa1e
SHA1 27cd37c3a1cada476aa2a6127af619aef55ea1fa
SHA256 201677b8ce52e901c772953223f5ff1d2ee97a6d4da9fd3c4a4d8ec4f923b6f9
SHA512 64fd81582c4fceeb796b869f42c8fcfa8b89eb5f04265b32baf8a9cf47bbbc8cdfa4060ce4ff97c5d8e5e3c74c3b22d3ddef0c5f9172ec163e442fa1cfbe1a6a