Malware Analysis Report

2024-12-07 02:49

Sample ID 241110-kx2cdswren
Target 166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN
SHA256 166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429c
Tags
upx mydoom discovery persistence worm microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429c

Threat Level: Known bad

The file 166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN was found to be: Known bad.

Malicious Activity Summary

upx mydoom discovery persistence worm microsoft phishing product:outlook

Detects MyDoom family

Mydoom family

Detected microsoft outlook phishing page

MyDoom

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 08:59

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 08:59

Reported

2024-11-10 09:01

Platform

win7-20241010-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe

"C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.156.133.4:1034 tcp
N/A 10.127.0.6:1034 tcp
N/A 10.152.243.207:1034 tcp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.194.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 10.202.221.84:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 204.13.239.180:25 alumni.caltech.edu tcp
N/A 10.202.221.84:1034 tcp

Files

memory/2488-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2488-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2488-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2488-16-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2488-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-20-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-25-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2488-43-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2180-44-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sjN4knybix.log

MD5 47e00c14e08c26e7c0354b7ab47c111f
SHA1 78076113e75f831ec75b9dcadf2574ac04def0fa
SHA256 d99f3c5ffc405a3f10357839202b584d5e36507fddd8f686dff9ec93ee2c046e
SHA512 043de6451df50d9e2b96035903c56d966c629c9479de49ce9f78435f07df27d2d4f864bcf25e804567881b0f3e564070bb1ba332826de71dc7db19235c1b6052

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 73790ccf02700e60848707a58eaf20b8
SHA1 961b36ca5380fca17ce5dddb01ea73a40f779fae
SHA256 954c744bfb1307684ca30697d3238159331479388b9e8f63f41675441c6eb687
SHA512 795d9fd0b878b419c98414549af5f2437a05a1b8393243f3345bd42676a426650fdc722cffbb980170c471b4fb4a9b3bfd22510e5cb615fca70343e097e3d8fe

C:\Users\Admin\AppData\Local\Temp\tmpB3C7.tmp

MD5 c5c9b2a8915884a93937f42400d2b2ea
SHA1 7e6ae3fe2f8a93f90578c1db8ee960c7200ff253
SHA256 f2094c2b85f494c059e85daabfa0eab63b074205ac6c3987a1d058618f0b70b8
SHA512 bd9b4062de13015befd3b22f00c7bbfa24e457f8a6f2208574283de0d6258e7412f0b9bf9cb74c84f64a3097966441b09ca3e9777680624f74a9895f9c5455a7

memory/2488-65-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2180-66-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2488-69-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2180-70-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2488-71-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2180-72-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2180-77-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 08:59

Reported

2024-11-10 09:01

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Mydoom family

mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe

"C:\Users\Admin\AppData\Local\Temp\166a982b7cb96bd9e9b4528126d889bce2b7f13eaf702ebea1db68835ba4429cN.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.156.133.4:1034 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 10.127.0.6:1034 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
N/A 10.152.243.207:1034 tcp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
FI 142.250.150.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.194.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.187.227:80 c.pki.goog tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 o.pki.goog udp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.180.4:80 www.google.com tcp
US 8.8.8.8:53 consent.google.com udp
GB 172.217.16.238:443 consent.google.com tcp
GB 172.217.16.238:443 consent.google.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.180.4:443 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 142.250.180.4:80 www.google.com tcp
GB 2.23.210.82:80 r11.o.lencr.org tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.180.4:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.180.4:443 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.180.4:443 www.google.com tcp
N/A 10.202.221.84:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.180.4:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
TW 142.250.157.26:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 10.202.221.84:1034 tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 108.177.119.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp.acm.org udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 52.101.41.23:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 mx.gzip.org udp
GB 142.250.180.4:80 www.google.com tcp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 209.202.254.10:80 search.lycos.com tcp
US 85.187.148.2:25 mail.gzip.org tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.180.4:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 www.google.com tcp
GB 142.250.180.4:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.180.4:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.180.4:80 tcp
IE 212.82.100.137:80 tcp

Files

memory/1672-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/4860-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1672-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4860-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4860-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4860-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4860-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4860-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4860-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4860-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1672-39-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4860-40-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Q8uxo.log

MD5 45f9e3477f139357488142fd6d40a610
SHA1 2fb20a6a24500af8a73c0bc4ad09b7be81040625
SHA256 593547ba0229cbc52e1fdaf2b3a2d7b981c73807f45b1355bac6c04f5f6a8201
SHA512 bdf7e5852c2b9bf8b28e03fc7eb5517693bea1f9a05e104ab5d8287fb24e00f961db481625ab902c9f434953e5e01c914399b061071d90bbdfed2cbf713adba6

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d2123451d4d682f1968bdd240dbdc4f2
SHA1 b9d06774d2348ab26e1d7192e2ae2ac98072a170
SHA256 824c1b94f2b99bffab98dfb310f7fc93d38c5e58576852565a69421573327915
SHA512 52edb56899cd55b245937a692ce3ef32421aae07cdf595396613afb60afc339a979573c1f9b5b1620d77c4f23a55fe1bbc4949dafb1bc8504f34f1fd97737ce2

C:\Users\Admin\AppData\Local\Temp\tmpEF5E.tmp

MD5 365e5640bff5c28413d45a9d77397506
SHA1 0b4337f6d1ae9621d7e6d78de23ef1512934c210
SHA256 020778f70b82c575d50a329b95376c13b66b907274aef9e8add173e17729c537
SHA512 cffdcad978eb5808af291fe289f5594bb2e3a799a62c813cd18be8f2e5e17cd7a030e3013b9f35d862ffa7cad25a6c80e14c9089a9b4466d4d2911f4a57c8c02

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\321WJBEQ\C037JC3O.htm

MD5 33a83a75a10a56e634c664bdc03cff75
SHA1 646f1d7a78198719b65bf5f4324985ab2e899b64
SHA256 fbeb10f4fc36f4d4b04a56265c4be9e6a5161ab53cfc1394f20b39b4723b024f
SHA512 9192d033e9025e27d7bd2795bd86359ff2ffd223053cc955884f40a0596ecc5bffbff8d7550145d5c474f8c46bf5d39f3378fd9918067b500c7f87aafeabd66b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\search[3].htm

MD5 c5f89d5652b5e97d1f70c79b71878b1b
SHA1 0218c2e26cd99f533c64364f75396f31404b8189
SHA256 5d589a7c8fa728cb5aaaa1887bf6538702f9b3f675dd6799cb2c10adcae63beb
SHA512 8d11234c5046686f39de024cdd9ae4232adde9245831965ddabe8006ca18743408a8afd448200dd0605540ab0d9207d1ae9c12bbf02783d229f94db7c0689df7

memory/4860-244-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1672-243-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GRYMSCZU\search[2].htm

MD5 19c669419c22802a3068367a9d2a0650
SHA1 861174e937beb64ce45a9cfb886eb8a5a3a935b4
SHA256 6099c030b2291d7e42b0187e4e7a771485c4c2882a94f4bd2232bbfa347180da
SHA512 ac8861cabb5423cde78da460589aa3ce4d312b30bc7dfcc74a419d1cd76e3c2dfa7b137a867f662d1380fe4d4fd7cfa2c1b5699f8282f6e81315c5541c5bc4bc

memory/1672-366-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4860-367-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4860-369-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1672-373-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4860-374-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9d92fb75393b043f2f7a278ebd4ae8f3
SHA1 b068d23486f5296a7f9bc5e9663a9c22f9b8fc0e
SHA256 1cf8a8e9a0e042150d8ac8757ff159d7ec576bc0f3b565a33a855b6082ebe557
SHA512 14848d77655a48f2afeb51041c51761df966a9ebb82eedbf597901611124c4333be0917a6d59b7ddede39b334aa8793d16197d402d599f249dd0039681a9e25c