Analysis Overview
SHA256
80a9640c6c7b3789d1d7f15e29fbeade617002535261c057e5c49538b6656eca
Threat Level: Known bad
The file b010da852d26ae3178d034ea0d8b8fb0N.exe was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
UPX packed file
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 11:01
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 11:01
Reported
2024-08-07 11:03
Platform
win7-20240708-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1596 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | C:\Windows\services.exe |
| PID 1596 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | C:\Windows\services.exe |
| PID 1596 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | C:\Windows\services.exe |
| PID 1596 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.0.2.15:1034 | N/A | tcp |
| N/A | 192.168.2.17:1034 | N/A | tcp |
| N/A | 172.16.1.108:1034 | N/A | tcp |
| N/A | 192.168.2.107:1034 | N/A | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.9.14:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 192.168.2.16:1034 | N/A | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 50.112.124.79:25 | alumni.caltech.edu | tcp |
| N/A | 192.168.2.109:1034 | N/A | tcp |
| US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp |
Files
memory/1596-4-0x0000000000230000-0x0000000000238000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/1596-3-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2656-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1596-10-0x0000000000230000-0x0000000000238000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1596-17-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2656-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2656-23-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1596-24-0x0000000000230000-0x0000000000238000-memory.dmp
memory/2656-29-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2656-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2656-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1596-40-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2656-41-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2656-43-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 5fa1de2b8570210761ea0a705469c9bb |
| SHA1 | 7bdf3db03bb4fafe45ab9a981d2d08ebfcb83446 |
| SHA256 | 4eb2cb3e424217153dfd4a3e4f82f145fa6bddeb3f0469b0ec7112f24f3c7127 |
| SHA512 | 263d307c5ab6118c0d8aac2366cff50e0259167ca0e3e2a6ad3feae993cfd1c41d715794fcc4fc98bd07d5ff00af587762a1c51a9f14090303e2c17aaabbf4ea |
C:\Users\Admin\AppData\Local\Temp\tmp4463.tmp
| MD5 | 3cf255c8a31666fe36e82d7f707ef398 |
| SHA1 | 77903872eeacea895bcedb1f86e570b479d05290 |
| SHA256 | 001c575bdb6d236393e266554bdc7eb3009c2ed80838b34238f672ffe7d5c7c9 |
| SHA512 | f63e9b343929e4670226fe17a5658c48ab6256c737ffdcf5c80b6ee3451595770598234bbbd62e8e795319045cbf465dc1ddf32cac92bbb9c68899bdcf39ce9d |
memory/1596-64-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2656-65-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1596-68-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2656-69-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1596-70-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2656-71-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2656-76-0x0000000000400000-0x0000000000408000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 11:01
Reported
2024-08-07 11:03
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 772 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | C:\Windows\services.exe |
| PID 772 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | C:\Windows\services.exe |
| PID 772 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\b010da852d26ae3178d034ea0d8b8fb0N.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.0.2.15:1034 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 192.168.2.17:1034 | N/A | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 172.16.1.108:1034 | N/A | tcp |
| N/A | 192.168.2.107:1034 | N/A | tcp |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 8.8.8.8:53 | aspmx2.googlemail.com | udp |
| DE | 142.251.9.26:25 | aspmx2.googlemail.com | tcp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 199.89.3.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.8.36:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 2.18.190.73:80 | r11.o.lencr.org | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | 32.161.74.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | hachyderm.io | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.27.26:25 | aspmx.l.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| N/A | 192.168.2.16:1034 | N/A | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | aspmx4.googlemail.com | udp |
| SG | 74.125.200.27:25 | aspmx4.googlemail.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 104.17.79.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 50.112.124.79:25 | alumni.caltech.edu | tcp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alt4.aspmx.l.google.com | udp |
| TW | 142.250.157.26:25 | alt4.aspmx.l.google.com | tcp |
| N/A | 192.168.2.109:1034 | N/A | tcp |
| US | 8.8.8.8:53 | alt2.aspmx.l.google.com | udp |
| FI | 142.250.150.27:25 | alt2.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | mx.acm.org | udp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | mail.acm.org | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | smtp.acm.org | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 65.254.254.50:25 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 85.187.148.2:25 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| NL | 142.250.179.196:80 | N/A | tcp |
| N/A | 52.101.42.12:25 | N/A | tcp |
Files
memory/772-0-0x0000000000500000-0x0000000000510200-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/428-7-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/772-13-0x0000000000500000-0x0000000000510200-memory.dmp
memory/428-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/428-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/428-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/428-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/428-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/428-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/772-37-0x0000000000500000-0x0000000000510200-memory.dmp
memory/428-38-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 892d267988c9c573dab00cead5484ad0 |
| SHA1 | 3b6005c079516f36c27e0bdc073a1c896ebc137d |
| SHA256 | 2527947b5c4ace28b83779a78302a496837a7176ecda6c72370875211b551bc5 |
| SHA512 | bf33965761c395fb755cd21c92a804e6d1b1ffbe963385db89759374654b1720f6e768ab1c55f570d284a80f74f3518adf19deaa3fa27b332bbd9a08c07d4c95 |
C:\Users\Admin\AppData\Local\Temp\tmp8971.tmp
| MD5 | f25b90e1c2ba553360bd2347dadf9ef2 |
| SHA1 | edfc047171c6961287ec3d4ac2d115ddb12d67c9 |
| SHA256 | 49d279a28b8cab8f62fb69b1ffc90c6f61b31948daa1a53032ff14bbf56748f2 |
| SHA512 | f1de07dcaa448b326b1de55ff173924e3c74b9207960bc03f5f72085098efe444548cf581a9ee8f6f6be6f2e03a57ebcd6614b78c842b7699fb6b4e650ea43b7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\U33EOU42.htm
| MD5 | 0cb5db8027a25263c9fcbe818929755c |
| SHA1 | 99c5e7dcc88ceee7957d7f4351bf1252088245c8 |
| SHA256 | 011f36a0ccd5b6be19d42208d1071b0df72efce4689691c6df1c08c685029f5f |
| SHA512 | b12122c9857b7bdc9760e2f17b7fa9688908de99c69bb7ff8fb187edb1498fefd92b6a6fb63da88a4b5b1283d1a42bb4353a313145481680a9beeb89ff1a7391 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\A12XSJRG.htm
| MD5 | 84001bec9ad9415caa7ac2a5f8f1deaa |
| SHA1 | 234f7c2aeb7f9874d6ade3a05299b6d60153ea21 |
| SHA256 | 8f6361c18ad67b308037341af67ea5201d4bcbd5f592bd3266afd9690de0dfe3 |
| SHA512 | 373cdab470f02922bcfc097afa966c147109be4d7b64a510869ff095bffee2e90872af58fe6aba34cffe3add27e8238fe4a462b8f10a55e7a942a0ba1510bb37 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\search[3].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
memory/772-205-0x0000000000500000-0x0000000000510200-memory.dmp
memory/428-206-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\search[6].htm
| MD5 | cd827abb00e927f82da5a4902817ac04 |
| SHA1 | 2be1caa957d0c44a459462f8353b7550abfd5ed6 |
| SHA256 | 143925dfc119e3e91d45b2e9d805988d5317837db88a22f926f52401991b5bb4 |
| SHA512 | 3e0f0bcaa23c15065059752dc1367c70625fd612f277ed594d7a21a7edaecb2daa5ee7240d3e257fd42ba3ba983e81cd7eefcfabc531500684a07a3b35f2baf7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\results[2].htm
| MD5 | 211da0345fa466aa8dbde830c83c19f8 |
| SHA1 | 779ece4d54a099274b2814a9780000ba49af1b81 |
| SHA256 | aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5 |
| SHA512 | 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\search[5].htm
| MD5 | f8044df2aaca9d4f90b44d863ff0a4c8 |
| SHA1 | 942966ecbab311d111bd1e256dec3dbd97f3316e |
| SHA256 | 2942e61189ec503525d10504f8da1d1658331deeb67e7a0e949ffab5271c2834 |
| SHA512 | 1d68eeb0f95c07459d52023be1442c39577b58679297ead532d955d05584e04d468104a5610a0a5fa8f87999d0da254cbc721a0773bf892bd4a5457045497bbd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\search[10].htm
| MD5 | d1a36f23485c7cbb6db3a439867067c8 |
| SHA1 | f6c6433fe7522f6300651de8a3b06e60b0d0dbbc |
| SHA256 | fee8847c308b03135b6e70aca2688ad0a5e7be2e030c8a69d5a910f166869fdc |
| SHA512 | ea27c97d1879ec8f867269a59bd850a9cbb08c4a627543aab8d86232ce643049e10079b83999db1681f66633f59e27ea752bf76217f0edd95d294d07b336d14c |
memory/772-286-0x0000000000500000-0x0000000000510200-memory.dmp
memory/428-287-0x0000000000400000-0x0000000000408000-memory.dmp
memory/428-289-0x0000000000400000-0x0000000000408000-memory.dmp
memory/772-293-0x0000000000500000-0x0000000000510200-memory.dmp
memory/428-294-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 25fae2addac60919e786d61e18897679 |
| SHA1 | c485310e42cd0bfb13d6c83e0eee6ba8bf952778 |
| SHA256 | eecfda30e91a3127f7c512b4295ca5c19c9b76be4c78ce11a8c75b1d647f1229 |
| SHA512 | 4f2c176bf228271109b5ac56d479a0ce87945668ed2ac8fb6bf66ad89a1cbd6a5eca3a3335a694c2d6463a0ba3a5ee7f0927159ad34eec94ac7b0eaaf578efb9 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 6c27eed2d54247cb37e9b04ba5b2ba16 |
| SHA1 | b5dbf60d536d3b3f26a8611846bfe3632f278257 |
| SHA256 | c991359efe3bbeb64601c43f2f23595a04120e77c4932337233343943a4a07dd |
| SHA512 | 3eaadd4e18169cae2c219aa273435a59cf530d48f3d95e6ade8a72a03ce714a84714eb976b4a80edf18c4c87453096081dc385c477720d8a8c62f34a915b277e |