Analysis Overview
SHA256
f44e65486492a9075d9c98af6b98b0bc317b57978992c388d18348aa470a136a
Threat Level: Known bad
The file 38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
UPX packed file
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-07 00:11
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-07 00:11
Reported
2024-05-07 00:13
Platform
win7-20240221-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
27 matches, no indicator detail recorded
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
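The Blob values above are CryptoAPI serialized certificate contexts: a flat list of (DWORD property id, DWORD reserved = 1, DWORD length, data) records, with the DER certificate under CERT_CERT_PROP_ID (32) and the registry key name being the SHA-1 thumbprint. A "Modifies system certificate store" hit therefore needs a decode before it means anything: on the Windows 7 image used for behavioral1, AuthRoot entries are also written by the automatic root update when a TLS chain is validated, and the apps.identrust.com request plus the CryptnetUrlCache writes in the Files list are consistent with that reading (the editor's interpretation, not a statement in the report). The script below, an added example that is not part of the sandbox output, parses the one Blob the page reproduces in full, recomputes the thumbprint from the embedded certificate rather than trusting the stored SHA-1 property, and checks it against the key name. The property-id names follow wincrypt.h; the layout is the one observed in the blob and the reserved field is only ever seen as 1.

```python
"""Decode a SystemCertificates registry Blob and verify it against its key name.

Added example, not sandbox output. BLOB_HEX is the Blob value from the
AuthRoot\\Certificates\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 row of behavioral1.
Record layout: DWORD prop_id, DWORD reserved (observed as 1), DWORD length, data.
"""
import hashlib
import struct

KEY_NAME = "DAC9024F54D8F6DF94935FB1732638CA6AD77C13"

PROP_NAMES = {  # CERT_*_PROP_ID constants from wincrypt.h
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}

BLOB_HEX = (
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"
    "20000000010000004e030000"  # CERT_CERT_PROP_ID, 0x34e = 846 bytes of DER follow
    "3082034a30820232a003020102021044afb080d6a327ba893039862ef8406b"
    "300d06092a864886f70d0101050500"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833"
    "301e170d3030303933303231313231395a170d3231303933303134303131355a"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c11814"
    "8be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c"
    "e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38"
    "b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f"
    "48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b"
    "6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec"
    "1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115"
    "023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d"
    "0203010001"
    "a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "300d06092a864886f70d01010505000382010100"
    "a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d"
    "3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db"
    "6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e"
    "58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7"
    "167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f52648"
    "9a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc"
    "02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5"
    "b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510"
)
BLOB = bytes.fromhex(BLOB_HEX)


def parse_blob(blob):
    """Walk the serialized property list; returns {prop_id: data} in file order."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off}")
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} claims {length} bytes, only {len(data)} left")
        props[prop_id] = data
        off += length
    return props


def verify_store_entry(key_name, blob):
    """Cross-check the registry key name against the certificate actually stored under it."""
    props = parse_blob(blob)
    der = props[32]
    thumbprint = hashlib.sha1(der).hexdigest()  # computed from the DER, not read from the blob
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
        "friendly_name": props[11].decode("utf-16-le").rstrip("\0"),
        "der_length": len(der),
        "thumbprint": thumbprint,
        "key_name_matches_cert": thumbprint == key_name.lower(),
        "sha1_prop_matches_cert": props[3].hex() == thumbprint,
        "key_id_present_in_cert": props[20] in der,  # SubjectKeyIdentifier extension value
    }


if __name__ == "__main__":
    for field, value in verify_store_entry(KEY_NAME, BLOB).items():
        print(f"{field}: {value}")
```

The decoded friendly name identifies the certificate as DST Root CA X3 and the recomputed thumbprint equals the key name, so this entry is a well-known public root rather than something the sample minted. The same check applied to the other two thumbprints in the table, once their Blob data is recovered from the sandbox, tells you whether they are also published roots; a mismatch between the key name and the recomputed SHA-1, or a friendly name you do not recognise, is the point at which this signature becomes a real finding.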
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2924 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | C:\Windows\services.exe |
| PID 2924 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | C:\Windows\services.exe |
| PID 2924 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | C:\Windows\services.exe |
| PID 2924 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.213.60.59:1034 | N/A | tcp |
| N/A | 192.168.2.155:1034 | N/A | tcp |
| N/A | 192.168.2.157:1034 | N/A | tcp |
| N/A | 192.168.2.13:1034 | N/A | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.42.9:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 192.168.2.11:1034 | N/A | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 99.83.190.102:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 192.168.2.11:1034 | N/A | tcp |
| US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp |
| N/A | 172.16.1.3:1034 | N/A | tcp |
| US | 8.8.8.8:53 | apple.com | udp |
| US | 8.8.8.8:53 | mx-in-rno.apple.com | udp |
| US | 17.179.253.242:25 | mx-in-rno.apple.com | tcp |
| US | 8.8.8.8:53 | unicode.org | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| IE | 74.125.193.26:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | icloud.com | udp |
| US | 8.8.8.8:53 | mx02.mail.icloud.com | udp |
| US | 17.57.156.30:25 | mx02.mail.icloud.com | tcp |
| US | 8.8.8.8:53 | mac.com | udp |
| US | 8.8.8.8:53 | mx01.mail.icloud.com | udp |
| US | 17.42.251.62:25 | mx01.mail.icloud.com | tcp |
| US | 17.42.251.62:25 | mx01.mail.icloud.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | me.com | udp |
| US | 17.42.251.62:25 | mx01.mail.icloud.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 17.57.156.30:25 | mx01.mail.icloud.com | tcp |
| US | 17.57.156.30:25 | mx01.mail.icloud.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| N/A | 10.11.161.112:1034 | N/A | tcp |
Files
memory/2924-0-0x0000000000500000-0x0000000000510200-memory.dmp
memory/2924-4-0x00000000001B0000-0x00000000001B8000-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/3016-10-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2924-16-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3016-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3016-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2924-23-0x00000000001B0000-0x00000000001B8000-memory.dmp
memory/3016-28-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3016-30-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2924-34-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3016-35-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3016-40-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d2c976ed479f5c76545f3535fe9da6f7 |
| SHA1 | b68fb6274c6e758efa760d8b87c1b54952cb5a56 |
| SHA256 | 6d735d4a70cefa84fd0f13a57c6b0b11840c316afc6bd81452b7d995446478a1 |
| SHA512 | bb74e7dc13048a4fdf735f4b26847debd1912f1d132c360c9aaf6cea7c9b8370e1cee1f3fd99dfc63350021719a7216f8ec3951645e2fbe21eb3e589c9fb8827 |
C:\Users\Admin\AppData\Local\Temp\tmp2655.tmp
| MD5 | 499546de0044b15141a0a04c1aeb7fe4 |
| SHA1 | 6683591fc29e4ad3527ccfec3d03c270bccd5afd |
| SHA256 | dec65e04d5964b573cc4d5577a113d0afcadfbed90c9fffbfced85aeb77c6d06 |
| SHA512 | 1a738a78d9879f6c5f6706077f383c07fad6bab9ca88038c5f347fb79de728a3472b811f1e793c3a1c54d522dbdca35edc0af3daf1c6f3974da5c579f4a5dd57 |
memory/2924-58-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3016-59-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TVbqjvjs3p.log
| MD5 | be2bbde7219c30740d30d9c9ac07453b |
| SHA1 | fa61fb22def933723f4b3b9ae4c8ba5290f41121 |
| SHA256 | ea35938d18f32f88bb7daea4790513b7373cff0188e94ce2b87669c2de9321e7 |
| SHA512 | fce9b91085374c4189bed19bef74979148e8feda760acb180e251c3b4a6a3b3e70e2e867cbe6cf2ec48516ac9bc3cc10a252301dd18e413bdbe8ec2f6ef84116 |
memory/2924-62-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3016-63-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2924-67-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3016-68-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3016-70-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2924-74-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3016-75-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3016-80-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | dad74b4302f73ed8298a80cc9b4bbfa6 |
| SHA1 | 2ce338ac15a79fa48b2fd8148450ca7ce745957a |
| SHA256 | fc1ceab67a093df371e9b9e5f868c5709db0272f4d506ab6c15d35cd63e3927d |
| SHA512 | 06f046bd4d008cc043b484273332a39bdb14aed92a9896cb2ea8d85166f2a36695bafb36df66d93033c0c74af3aad698b5a0ddcb6e4540fc1ed6c8c452033c8a |
C:\Users\Admin\AppData\Local\Temp\Cab210F.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Cab21DE.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar2202.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35b83c1c4578ad0f071652ee6d7ab9b9 |
| SHA1 | 2f2409d5b52fe2b282deecb95b98ea32af7f1f6a |
| SHA256 | b4614105059beab8f045f624922859ef7a4772e36710a3a2c56f6b5e1fa31019 |
| SHA512 | 3ea1406d0c299415a619358b5a56957b665fda287e389274d2419db6fa536f2fa576e04569dea8a9b58c07b1b85a25e609bb7066b7e91c0ff36e91a91fc57dcc |
memory/3016-174-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2924-173-0x0000000000500000-0x0000000000510200-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2baa931d7342b343d8cf39352b02f3f |
| SHA1 | 0daf46acd721a0fbb9ab90e1f5131477cb04bef9 |
| SHA256 | b03516fd81d79bfa46c140c926596b749ab56e6d7c66d8b6a25a074c6fdb072e |
| SHA512 | 8500eee4da92b65a903c189ac2106e08588e5727e2ae5108022782702aac2082c5157d755d8b0701c81b3146ea97d501b9f2281c06928a36ac8342f220a9dd74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d821dd75ded078211cfd8bce11bbb76 |
| SHA1 | 46cde701aba630a6aa5c980f93379c7e0e285220 |
| SHA256 | 7d56d2d81d99ccef32457e3aa967dc1878698e6f59b8f88589e4c6074b5fac72 |
| SHA512 | a394d8635a674564a050a0e3beabb148cd2016170cae062cc25ef8ca5bc04935c505290e301ef8c5446dd67fb7f42d65af5e50f05b18049e0e7773f28b5f1d99 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\M80QBNB8.htm
| MD5 | 9cd00ff0f8d031bfcf03aa3d2653fc1d |
| SHA1 | 3622469139522fea39dd100089ac9d2dc7a7c1a4 |
| SHA256 | 88d8f1b83634d0d6cd8f3562e50a85b11dd54f6d0bc9573bb228b31b228d3ad6 |
| SHA512 | 3d3e577b8ff77afdf5926888b47be9a5cf79d709ad332be91361e5bae11e436007943bb1793f17ffb1667de0db8b70d16523e7eab856f1fb11ba0475a188acdc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\QKET21ZX.htm
| MD5 | dc298a8adca454335899c6775f157bc8 |
| SHA1 | b81c4b062873646224e3dd7ee314387468d9b1fe |
| SHA256 | f436c3f32b12652d26eb6e60dd977bfb835f44a033c0847be5805bb237effe67 |
| SHA512 | 79a9eddebf8e43da8d9ea425dadf6e2ebcd7e70fdc5e083fe91abcf8a64436ddfee232e1ae075862d6d2c81f10a250d3e0ef04c376ae14e64a3c36a79ed96c1a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\KDC5SS74.htm
| MD5 | 9834265502bd82fd1ce0db4e4d285e1c |
| SHA1 | 89d786e1dff9120f4fd8397baa9f0beac326f1b0 |
| SHA256 | a5cab99eb4ffa7784c3c1c5c2349c28ee3a18047742c33cc5faa5bcb8fa8f5e6 |
| SHA512 | bcebe89fd4469e4815956d31f0dc6dbe04143a63ff07f72c615b31ab3d8c363819cc31a77f529a8c7a5b69db29347ef80a0cd42397db3f88f4b459aa1408715e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 12d5dafaabbb2304124923bf46969b43 |
| SHA1 | 430f096547e848c9a449539cb175d81926239f65 |
| SHA256 | 17631b8952bed83cee8c827966940faaacc5e8228c1e88f53adccf1819c4f414 |
| SHA512 | f1b0e0cc75800139f88a7e75143d62086638157e316133368286af84aee55e9ae8c7f12b3be6ef248f064d889f638e3fc1a1ed358adfe68973f66d20bdd7c5ae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e756e974efa38cedc01650c4855eefab |
| SHA1 | 22a11223d7b014d6944e0e81f2b2aa5423147b70 |
| SHA256 | d756ac3b08edbb832740a43c44296c91526ef328b38232322cf02665379ef840 |
| SHA512 | 26e4f2681fc1a32ea9b422ef15bd85e5b811e9aba827692490f5c8130577b4909db538c23b583339b17e3086d23b5ccf5b4f6407cb2b8749ec3a11741003025c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8659989ec70d53c06822d87844a7b874 |
| SHA1 | 7885b7ea0f340358173c693a5c32c752db94b573 |
| SHA256 | 5fce7c376307f301e198efdb628a504eb8de673c92f85f6cb349e16b93af82bb |
| SHA512 | 8caa03aa2be5dfc4fa2fca6298c156e80a31dc00207cf61d5b76bffeb26a10cf9ab9f141cb0757e523a9ca9a9c848f094b6753727358dd45c4b888fd4193adc6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\search[1].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 345725175adcccc200b9d97ac3f1d812 |
| SHA1 | a61e5d7d5f7706a97ed28cb16d393f40b76f82d7 |
| SHA256 | eb44306e2df1c6851f3e828b765dc41927fccf58db4457a9dfbc291c458e570e |
| SHA512 | 3464c25999ecde074a8bbb355656b63ff575fcb612d24b7e6b3f8d4ac27020962e173b5b798a1b3bf27dbcc0220f2e710f5d087899546324a7e28c3727bb118a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 497a098a38f19e4b91ef3623b1d699e9 |
| SHA1 | 1f9839723366d3c0763b3fa881b13fb7b7359f51 |
| SHA256 | 4dc21eeaf3c06004f9f2874c2c529e142e91026ebbdbeac9fa97da6e42917ce9 |
| SHA512 | 1019951e8ea6aa0b39f40671d1eab6f3acc5f621ff65ea7f1b1dc596bc541b6ecdb641765b6f1d07a03fe9672fed8efde80301a5a48a0e17736c55cd54d86975 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e4e240e65e763ff74be4d48f22c139a8 |
| SHA1 | 7e2fa816190250b044659ff09c12333063c84669 |
| SHA256 | 10e40f1e73a081a0d2e532cb12ae1664ef9249a5ba249891af085c8422051cd1 |
| SHA512 | d3ac371e271a4084aff538fe502154e26e2e8775ff2d80cffd019c8286340b8181ff7d729bd65923cedcbabfc583574ba00b7636ecdd2a8c3b3d3a6d01a80c3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c57fa6156d5c2fe799fabc93cd25eea8 |
| SHA1 | 76d08f1deebd011f58e195fa7a31f24ce33e8bb6 |
| SHA256 | 8cd822c8759d3598979af688c565f463d00d49d4808a78ca8134e35bc11b0a25 |
| SHA512 | 027e6bfea3a728a0aae961ba83b62631fd90ec67e31bda73ee46f704b9494860c8718236ae3a22986aad543cf0d4ffaec363e4f405ae102bd20cad21edc32613 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 9fd13b317b902d53b40b1cfc787ad23e |
| SHA1 | 8030ba3795a37913754e2a636be53bc875aa01d9 |
| SHA256 | 22e536f471cb2cc855eede8c6f69e71943b13ee16efa7b1988bc2ac503b58b85 |
| SHA512 | 82e04e0a8ad86bc234af85478bbe810626cdbf59be796a733551bf96e2f7f34845943e135990e283e16a3656a31996827542ad99d91bfb1e8ef5c77721b1065d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3e898e4dba08303fcd41384a62635185 |
| SHA1 | ab8cb0bb7cb0601d1c5ca4c3d0311a02803d2c1e |
| SHA256 | 5f264e67f927b8dd0c9f2b813d0f8e32ff058507369a7620ba23cb8408626d54 |
| SHA512 | 2dbe1de815c24c85a06d3e0344ce20908ef5b7fc46c62c877842f1325191d9934d480db19d4f164d16d4f7a863e9a7219aface7855ca7f0e21ddc3a4d2ccf44a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d2f63a6fb62d09591fb0b7f46cc59dc8 |
| SHA1 | 186b1ef5e865cff46cf8f22bace296d9bdc4fbdf |
| SHA256 | c19ba3f28909ca7871908e5b02307b5cbcc6ccb5116fef285838bd09400f0fee |
| SHA512 | eb92bb535c2e8d9521be5c597d805bfd84e9bb3e9726013332f6c170b35cd17e4a8925aa6698aa589d8ba0442f154c67bf3b3e5ebe79130d189cb50a438c0a0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5d3766a1c321f711dee89bb6ee67c0cf |
| SHA1 | ed8687c3a3877118fe1d6f24e0fd373443cb20f1 |
| SHA256 | cbe32da5a4ea3be34d2b70d102978691aad62b2d210bb2664937293d4417bea2 |
| SHA512 | 763efc13aad8615ee74ab13706e1de068704434339d849d867f12d3c38271b0c9e92a5bdc16676a2e0e7add28a250752016c534555e008f289eee0da13a389e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 48841d815f6401cd26242824d11e08c5 |
| SHA1 | 676102437bc9ead1158fdacbac1fde284ed1ff8f |
| SHA256 | 21e64d46ddf926b02a61d06dfb7d4525490ff421a66b83b3432ae3b6d1ee3588 |
| SHA512 | b8150dc44711e5a0eca4f1d6d2b991c0ba9993c1840ff81a5ac5ff609a703f369ec0d3662e418d4dfddc87e795738b06dfbb21d62cf8ff3522d813cffaa83be4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f39c210c1bef917d589bf4feda0c62a3 |
| SHA1 | 3428985e59ec405d937959bdfb4ffcffeb362c58 |
| SHA256 | 5b5ac7b3ce6fa76bd822ae6c245dd7a6f31faa37313487105905a2a8cc993159 |
| SHA512 | 344224e3c0ac9dbee20f77683f1c725504ac0b0c5ea0247ead6a88bfd4fe3c4ba8fd098df470a03ffea11f24206acb8c975919baf6f1b539dbc4f49eba6477ce |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\search[6].htm
| MD5 | 4fbc61fe014846559a3b4f9c3ef48fa0 |
| SHA1 | 3f1ad8c742504f1676376c47960e0ec69073140e |
| SHA256 | b3b5921c3f39afc86b0c1ca4e5e0d0795457f29cb48a3ddf2e1d667649acbbf9 |
| SHA512 | e701d26eb172568b719f62fce2afd7fdbb91596b42714851c0910aaaec73f4cabb2e9d73df6e539ca2eb55b306ae3cd5171acc726558484a9481c85fa5ac7114 |
memory/2924-1139-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3016-1140-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\results[2].htm
| MD5 | 211da0345fa466aa8dbde830c83c19f8 |
| SHA1 | 779ece4d54a099274b2814a9780000ba49af1b81 |
| SHA256 | aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5 |
| SHA512 | 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b96625209e0a568aaa23628b6a82dc7 |
| SHA1 | bd494a8cdb0dbada6bb74afa8aee6c6a68fa0fbb |
| SHA256 | 74485e5e03f91847877455ee03ac911758671e3bedb3e101e552ed5b36b7a50b |
| SHA512 | adedaa029831d0dd6ad87b22e7c9bca6b49116ed6a1cea777355e4e3e88581da3d6d4c1542a68ea5982ae4eddd889674d3d2e0ae126b4331f0d870052ff32ca8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f652b983c79d0a028ccea313a3d90f1 |
| SHA1 | cf406ad974a121d030bfa7f8e1d2e278ba70d9ef |
| SHA256 | 2e173abe6d0a0c9455a26e323aa41f1272f50a87a0f1d54b835bd0ec30066e74 |
| SHA512 | ace34835628c2293439ce24144738ac171d9a27060d1f2ba88c0cc3dadaf54e65a468f17f29381aa5d4e6b5ccb299f6c1f4293fcebc554986b67cc3956ba55b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 747069c8b28fcb4bb8fb121abbc833a9 |
| SHA1 | be5e9f74a5c13a2ffcf8d83c1274ff3069675c85 |
| SHA256 | b3d3dddba91949253fcf2bdee0099b13b0339306b83dad6aa908877c5b7a5803 |
| SHA512 | 3cca8032a30ac0e18a9d6a40b0f98f7b6cd4e8934fab39ec4248069c0edf27d8e3cc4abd1699b4f060e402ce647de139042b2108c6caed03c47a3d6a87e7289b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-07 00:11
Reported
2024-05-07 00:13
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
29 matches, no indicator detail recorded
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4328 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | C:\Windows\services.exe |
| PID 4328 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | C:\Windows\services.exe |
| PID 4328 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
Files
C:\Windows\services.exe
C:\Users\Admin\AppData\Local\Temp\zincite.log
C:\Users\Admin\AppData\Local\Temp\tmpF2DE.tmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3X7K2ORY\search[2].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y2LQBQ0P\9JYARWOJ.htm
C:\Users\Admin\AppData\Local\Temp\cDb5bp2.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y2LQBQ0P\search[7].htm