Malware Analysis Report

2024-10-19 11:40

Sample ID 240702-vlz1assenf
Target 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118
SHA256 3041e03eb013d1a6a21146d64626367732487231ab5ec87507f5a2684c9b0c0d
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3041e03eb013d1a6a21146d64626367732487231ab5ec87507f5a2684c9b0c0d

Threat Level: Known bad

The file 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-02 17:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 17:05

Reported

2024-07-02 17:07

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(24 rows in the original report, every field N/A; the signature carries no named indicator in the extracted page)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto (Domain is blank for connections the sandbox recorded by IP only)
IN 4.240.75.51:1034 tcp
N/A 192.168.1.41:1034 tcp
US 16.48.65.121:1034 tcp
US 15.204.158.39:1034 tcp
US 207.59.216.146:1034 tcp
US 15.204.154.223:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 16.100.225.235:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 16.91.197.130:1034 tcp

Files

memory/2132-0-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2132-4-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2032-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero bytes at this point: the four digests below are the well-known hashes of empty input; the file is re-hashed with content later in the run)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2132-16-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2032-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-29-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-48-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-52-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2032-53-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-54-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2032-55-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 885db3f185b10de7694e86abf5171926
SHA1 614e0f3f0a45e36059e795543dd10bf49c5f42b0
SHA256 6c2f0718b96230c5647a58edfbcbe27834f0c11d290ba3587ea27a1cd84a2429
SHA512 09160744c194778c1b9a6a1d1c29d43c6d49e70432a057f879b16631de56a075dae03fb66a46bfad3badbffb9ea47a75aadf07071270b651e9d9ba47ba1be9a8

C:\Users\Admin\AppData\Local\Temp\tmpCA9F.tmp

MD5 f418a582a81cbdb791173016275ff540
SHA1 87db49612d79daf5d4756014014c263da2b54012
SHA256 27ad0f180b6b4daafb6588116bd8d12941b5b07aa325cf6be7a63a08a0602475
SHA512 7f094307bdd9a537e38ebaa999ff53a49cf5a5faa7b1ce6c360589ff93e9471ed2e0ba1a7c3c6d26147b310d7de8418143e07d775c90dd44a30224d927472709

memory/2132-76-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2032-77-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-80-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2032-81-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2132-82-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2032-83-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2032-88-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 17:05

Reported

2024-07-02 17:07

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook
(The report records no indicator rows for this signature. The Outlook-related artefacts in this run are DNS and SMTP connections to *.protection.outlook.com mail exchangers and the cached search-result pages under INetCache listed in Files; confirm the tag against those pages before reporting the sample as phishing.)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(24 rows in the original report, every field N/A; the signature carries no named indicator in the extracted page)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A
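The two Run-key rows above (and the same pair in behavioral1) are the sample's whole persistence story, and the details an analyst would check are all visible in the row: the value data points at a file named services.exe in the root of C:\Windows rather than System32, the first value is written by a process running from %TEMP%, and the second is written by the dropped services.exe itself. The script below is an added example for this report, not sandbox output or tooling from the sandbox vendor. It parses rows in the report's own layout and applies those checks; the rows are copied from the behavioral2 table, and the short table of where Windows system binaries legitimately live is an assumption kept to a few well-known names.

```python
"""Triage of Run-key persistence rows in the sandbox report's own layout.

Added example, not sandbox output. Parses rows of the form
  Set value (str) <key path>\\<value name> = "<data>" <writer process> <target>
and flags the things an analyst checks by hand: a Windows system-file name
used from the wrong directory, an autostart image in the root of C:\\Windows,
a Run value written by a process running from %TEMP%, and a dropped binary
registering itself for autostart.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Rows copied from the behavioral2 persistence table (behavioral1 differs
# only in the case of "Wow6432Node").
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A',
]

ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\\S+) = '
    r'"(?P<data>[^"]*)" (?P<writer>\S+) (?P<target>\S+)$'
)

# Where these Windows binaries legitimately live. Assumption for this example:
# a short list is enough; a real allowlist would cover System32 and SysWOW64.
SYSTEM_BINARY_DIR = {
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
}


@dataclass
class Finding:
    key: str
    value_name: str
    image: str
    writer: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_row(row: str) -> dict:
    """Split one report row into key, value name, unescaped data and writer."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised persistence row: {row!r}")
    parts = m["path"].split("\\")
    # Drop the WOW6432Node reflection so 32- and 64-bit rows compare equal.
    key = "\\".join(p for p in parts[:-1] if p.lower() != "wow6432node")
    return {
        "key": key,
        "value_name": parts[-1],
        # The report escapes backslashes inside the quoted data.
        "data": m["data"].replace("\\\\", "\\"),
        "writer": m["writer"],
    }


def assess(row: str) -> Finding:
    """Apply the four checks to one row and collect the reasons that fire."""
    r = parse_row(row)
    image = r["data"]
    image_dir = ntpath.dirname(image).lower()
    image_name = ntpath.basename(image).lower()
    f = Finding(r["key"], r["value_name"], image, r["writer"])

    expected = SYSTEM_BINARY_DIR.get(image_name)
    if expected and image_dir != expected:
        f.reasons.append(f"{image_name} normally lives in {expected}, not {image_dir}")
    if image_dir == r"c:\windows":
        f.reasons.append("autostart image sits directly in the Windows directory root")
    if "\\appdata\\local\\temp\\" in ntpath.dirname(r["writer"]).lower() + "\\":
        f.reasons.append("Run value written by a process executing from %TEMP%")
    if r["writer"].lower() == image.lower():
        f.reasons.append("dropped binary registered itself for autostart")
    return f


def assess_all(rows) -> list:
    return [assess(row) for row in rows]


if __name__ == "__main__":
    for finding in assess_all(REPORT_ROWS):
        print(f"{finding.key}\\{finding.value_name} -> {finding.image}")
        for reason in finding.reasons:
            print("   ", reason)
```

The same checks translate directly to a host sweep: enumerate both HKLM and HKCU Run keys (and their WOW6432Node reflections), resolve each value to a path, and compare the basename against the directory it should be in. A services.exe outside System32 is a masquerade regardless of what it is named in the Run key.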

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto (Domain is blank for connections the sandbox recorded by IP only)
IN 4.240.75.51:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 249.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 192.168.1.41:1034 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 16.48.65.121:1034 tcp
US 15.204.158.39:1034 tcp
US 207.59.216.146:1034 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 8.8.8.8:53 cs.stanford.edu udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 52.101.10.16:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 142.250.187.196:80 www.google.com tcp
BE 23.14.90.91:80 r11.o.lencr.org tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 15.204.154.223:1034 tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 aspmx5.googlemail.com udp
FI 142.250.150.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.227.224:25 burtleburtle.net tcp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 16.100.225.235:1034 tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 8.8.8.8:53 hachyderm.io udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 aspmx.l.google.com udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
IE 172.253.116.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.41.23:25 outlook-com.olc.protection.outlook.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 16.91.197.130:1034 tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 tcp
US 209.202.254.10:443 tcp
IE 212.82.100.137:80 tcp
US 209.202.254.10:443 tcp
GB 142.250.187.196:80 tcp
GB 142.250.187.196:80 tcp
GB 142.250.187.196:80 tcp
US 209.202.254.10:80 tcp
US 209.202.254.10:80 tcp
GB 142.250.187.196:80 tcp
US 209.202.254.10:443 tcp
US 209.202.254.10:443 tcp
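Three things stand out in this table and in the shorter behavioral1 table: direct TCP/25 connections to the mail exchangers of many unrelated domains (each recipient domain is looked up, then its mail host, then port 25 is opened to it), hundreds of requests to www.google.com, www.altavista.com, search.yahoo.com and search.lycos.com, and TCP/1034 tried against several Internet hosts plus the LAN address 192.168.1.41. The sandbox does not classify this traffic; as an editorial inference, that combination is the profile of a mass-mailing worm that harvests addresses from search engines and listens on a fixed port. The script below is an added example for this report, not sandbox output or vendor tooling. It parses rows in the report's "Country Destination Domain Proto" layout and produces those three observations; the rows are a representative subset copied from both tables, and the search-engine list, the "common port" set and the thresholds are assumptions chosen for this example.

```python
"""Network-table triage for flows listed in a sandbox report.

Added example, not sandbox output. Parses rows of the form
  <country> <ip>:<port> [<domain>] <tcp|udp>
and summarises SMTP fan-out, search-engine requests and reuse of one
non-standard port against many hosts (including private addresses).
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Representative subset copied from the report's two network tables.
SAMPLE_ROWS = [
    "Country Destination Domain Proto",
    "IN 4.240.75.51:1034 tcp",
    "N/A 192.168.1.41:1034 tcp",
    "US 16.48.65.121:1034 tcp",
    "US 15.204.158.39:1034 tcp",
    "US 8.8.8.8:53 alumni.caltech.edu udp",
    "US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp",
    "US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp",
    "US 85.187.148.2:25 gzip.org tcp",
    "US 99.83.190.102:25 alumni.caltech.edu tcp",
    "US 171.64.64.64:25 cs.stanford.edu tcp",
    "NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp",
    "US 199.89.3.120:25 mail.mailroute.net tcp",
    "US 65.254.254.52:25 mx.burtleburtle.net tcp",
    "US 52.101.41.23:25 outlook-com.olc.protection.outlook.com tcp",
    "GB 142.250.187.196:80 www.google.com tcp",
    "IE 212.82.100.137:80 www.altavista.com tcp",
    "IE 212.82.100.137:443 search.yahoo.com tcp",
    "US 209.202.254.10:80 search.lycos.com tcp",
    "US 209.202.254.10:443 search.lycos.com tcp",
    "GB 142.250.187.196:80 www.google.com tcp",
    "BE 88.221.83.249:443 www.bing.com tcp",
    "US 8.8.8.8:53 g.bing.com udp",
    "BE 23.14.90.91:80 r11.o.lencr.org tcp",
    "GB 142.250.187.196:80 tcp",
]

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
# Assumption: the engines this sample queries. Bing is left out because the
# Windows 10 sandbox image itself talks to bing.com in the background.
SEARCH_ENGINES = {"www.google.com", "search.yahoo.com", "www.altavista.com", "search.lycos.com"}
COMMON_PORTS = {25, 53, 80, 443}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Return a Flow for a data row, or None for the header or unknown text."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"])


def summarize(lines) -> dict:
    flows = [f for f in map(parse_flow, lines) if f is not None]

    # Mass-mailer check: distinct mail exchangers contacted directly on TCP/25.
    smtp_domains = sorted({f.domain for f in flows if f.proto == "tcp" and f.port == 25 and f.domain})

    # Fixed-port fan-out: one non-standard TCP port reused against 3+ hosts.
    by_port = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.port not in COMMON_PORTS:
            by_port[f.port].add(f.ip)
    fanout = {p: sorted(ips) for p, ips in by_port.items() if len(ips) >= 3}
    private = sorted(ip for ips in fanout.values() for ip in ips
                     if ipaddress.ip_address(ip).is_private)

    # Address-harvesting check: requests to web search engines.
    search_hits = Counter(f.domain for f in flows if f.domain in SEARCH_ENGINES)

    verdicts = []
    if len(smtp_domains) >= 5:
        verdicts.append(f"direct SMTP to {len(smtp_domains)} mail exchangers (mass-mailer pattern)")
    if sum(search_hits.values()) >= 3:
        verdicts.append("repeated web-search requests (address-harvesting pattern)")
    for port, ips in sorted(fanout.items()):
        verdicts.append(f"TCP/{port} reused against {len(ips)} hosts (fixed-port fan-out)")
    if private:
        verdicts.append(f"same port also tried against LAN address(es) {', '.join(private)}")

    return {"smtp_domains": smtp_domains, "fanout": fanout,
            "private_targets": private, "search_hits": search_hits, "verdicts": verdicts}


if __name__ == "__main__":
    for line in summarize(SAMPLE_ROWS)["verdicts"]:
        print(line)
```

Run against the full tables rather than the subset, the SMTP and search counts grow but the verdicts do not change; what does change is the 1034 host list, which is the set worth blocking or hunting for, since TCP/1034 is the one port in the capture that belongs to the sample and not to a public service.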

Files

memory/2664-0-0x0000000000500000-0x0000000000510000-memory.dmp

C:\Windows\services.exe (same digests as the copy dropped in behavioral1, so the dropped file is a stable indicator across both runs)

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/3920-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log (zero bytes at this point: the four digests below are the well-known hashes of empty input; the file is re-hashed with content later in the run)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2664-13-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3920-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-47-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3920-48-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 466ad3452b36cb6bb983e13f2036a281
SHA1 3adbe1c6119a248a992aaca9754796c4812e954b
SHA256 a79c0fec58eb055b58f940ba1bb5b5ed698eef162204b3dc8d56bbb771062c3e
SHA512 9edc8405f8d57a07e44c9348c4881315dd93cb67ee5d5e4e4ef2e0893290306700e890fbe0bc905ae06a2fd4bdcaf24c4903cb4c31bd12c627b86fe9080bdb12

C:\Users\Admin\AppData\Local\Temp\tmpB5FF.tmp

MD5 f1d5cc01d9809546d108757a6f4466fb
SHA1 70e33676e4a263a3d561c998dd849ac467f420d5
SHA256 d9ea80b59895f93dbc3e23ced3aba58bc2d111598138c3791d1fb03dda637ee1
SHA512 faed10e4ab6969aa07c21be3b606b8fc8393248d3f47a7aa31a2f3013ab8d3067ff088730fb6a4a12fdf9de97bf556adddbf434acc8850412b928b6c8fef152a

memory/2664-109-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3920-110-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\DA0J3JX3.htm

MD5 85b80b469bee18b38b2c88ecc805bc67
SHA1 39104a680760a2aa5b4ed682f96e9300066c0669
SHA256 5d259121996b21816b503437d5a2167bad97a4bc855982a32eee86f1eedfbc4a
SHA512 8b107476d3a9e06acb83a82a211b10878dcab2af6ce2225b34cb6e77dfd108d0e47aae990f516b06502e0026c005f46d7c54d3794d64a99ae9c80be51e7a2e2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[5].htm

MD5 3a894fff96b58e2dff3f4c9566d70b2b
SHA1 04b2b7e5dd460fa081623c806c2351c734c5be11
SHA256 48cbbba3d27eb95b4a5c6c210f6fea7ed707f9b7822b66b7cf1ef38b932342d7
SHA512 a5ca14a0394c873890a5b6b94adbbc0bca3ca97cd143f02169f43dd9ef6d0162bed55705accdc66f12870e35912a3cae985712aef9d2f83d207a76ee3c724c42

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[7].htm

MD5 f8e0e6353240c2fccf95649ea19bb4a9
SHA1 3b41bd1bbf0336fc033a27d5c5220406965bc939
SHA256 9c4a2459c756e37340b4cb1e2e70bacdef3fd2a22fc0a7b170403dd535a92dc4
SHA512 c3882464ec9deaf89062c7590510ef089c7c34890e70317748666fa1e1257d0739e0658659c55b070871310b94b03f1cfcae95e38babe0a63e89744e06e83c85

memory/2664-252-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3920-253-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[8].htm

MD5 bfa6d3466b90d842f176064e85102517
SHA1 826d53b25f5d9253af7ce89b392f734e5ef33159
SHA256 f753c0e51e664afe1d5f393cfc66ffc40c585e21c5a80d545f1838fe8e4f897b
SHA512 38b768838e0ff0926633630c5abbbbb6cef9e89e49d2ff4800008997e8d672b35415e34cd1a86232fdc64f682644ba79853765391d804846d8a570217d29e5c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\results[4].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c8c5a65a03bb8560ba91beb836fac566
SHA1 53f8b47ee1531745892d829a54cd4e593f685a04
SHA256 443d6cb5b62f536fa77c929749ccebbd0e9c0bdadcb5d4141aadb0ea337f5201
SHA512 151573cb953277d1c0bfc0ef36fda2205895538244ad6b7386aa8ad704ecfd92ed47f2041a4ad218a1f98f49de6f74c578f2ca3a52c64b7c5b100fb1ac9f806c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[10].htm

MD5 49ea03725d18a6eed0cd3971313499ca
SHA1 16970ad42a7cce57f34bae1ceae568120e794f68
SHA256 b22d26f5878a81632073419800ceb6c4b1c20f22b6eddf532c27916ae495f843
SHA512 4c1f9d4b3acc307cd2699dace0f7f932f6bd59ed721d079fc86e5952144dd492c9c4babdf7ee782345070431fece3473b94079152ef21f7de4ff71e0a3051687

memory/2664-318-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3920-319-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3920-321-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2664-325-0x0000000000500000-0x0000000000510000-memory.dmp

memory/3920-326-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 74c38955909396c198837e342c0a84c8
SHA1 9b948e026d295907f29a2e148743369ecd03398c
SHA256 fe925f5cb6f9123a42fb8641551201f1c5021407b81abba068dbf5b7f3ba49ac
SHA512 8795718b7386e343bc6113f29a03453beb85680ed32556ab60433ccb6419379a0ec316c5581f9e1b699bcca611131a25cf65211c46c4e24b49329e207939d1d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search35XP32OF.htm

MD5 11ba3465fd5866f4d027354225723284
SHA1 ab0df90b5641e5dad483fd0fccf66735ab89d9fc
SHA256 e88afa4dc648353e233762e822b9d00117c115979e2102fe7926a0fcdb858fa6
SHA512 1626606aa9ba805b31ed692609f3bff4f45bcee9c078bbfd61f21774e6fae7608051fcad2f09d1b2cf90a9452fea850b8972641d5c8569318d4c7068bb0ce05a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\searchZP6NQC3R.htm

MD5 b9710e8b0b877cf04a51b4594280f22d
SHA1 47411653f95705d906906c883f8e3f7c56df53a6
SHA256 8dd1b8d1b02eef6b9094ad4313ec014f2c671d504253263f1f7634d47b37551e
SHA512 cffb2ce85e301490dec75b026ce260ff2a839f7070a50d2afb45c23c40cbb60373bad789adb09137ea614df549413a979029e6443c046c42ae6426add59e3d14