Analysis Overview
SHA256
05de2326abdda4b75ca4df45d93a26dafe75bf00167bc00fb2b36dcbbd435693
Threat Level: Known bad
The file bad35b7db1c9eb691e82051601d01f20N.exe was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
Executes dropped EXE
UPX packed file
Adds Run key to start application
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 11:54
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 11:54
Reported
2024-08-07 11:57
Platform
win7-20240729-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2328 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | C:\Windows\services.exe |
| PID 2328 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | C:\Windows\services.exe |
| PID 2328 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | C:\Windows\services.exe |
| PID 2328 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe
"C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files
C:\Windows\services.exe
C:\Users\Admin\AppData\Local\Temp\zincite.log
C:\Users\Admin\AppData\Local\Temp\tmp2D98.tmp
C:\Users\Admin\AppData\Local\Temp\yrwaaf.log
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 11:54
Reported
2024-08-07 11:57
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | C:\Windows\services.exe |
| PID 1264 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | C:\Windows\services.exe |
| PID 1264 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe
"C:\Users\Admin\AppData\Local\Temp\bad35b7db1c9eb691e82051601d01f20N.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files
C:\Windows\services.exe
C:\Users\Admin\AppData\Local\Temp\zincite.log
C:\Users\Admin\AppData\Local\Temp\tmp46D8.tmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\search[3].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\1XANIIX1.htm
C:\Users\Admin\AppData\Local\Temp\yeJh2eeMve.log