Malware Analysis Report

2025-01-19 00:30

Sample ID 240507-agrg5scf38
Target 38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS
SHA256 f44e65486492a9075d9c98af6b98b0bc317b57978992c388d18348aa470a136a
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f44e65486492a9075d9c98af6b98b0bc317b57978992c388d18348aa470a136a

Threat Level: Known bad

The file 38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 00:11

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 00:11

Reported

2024-05-07 00:13

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.213.60.59:1034 tcp
N/A 192.168.2.155:1034 tcp
N/A 192.168.2.157:1034 tcp
N/A 192.168.2.13:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.42.9:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
N/A 172.16.1.3:1034 tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in-rno.apple.com udp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 74.125.193.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 icloud.com udp
US 8.8.8.8:53 mx02.mail.icloud.com udp
US 17.57.156.30:25 mx02.mail.icloud.com tcp
US 8.8.8.8:53 mac.com udp
US 8.8.8.8:53 mx01.mail.icloud.com udp
US 17.42.251.62:25 mx01.mail.icloud.com tcp
US 17.42.251.62:25 mx01.mail.icloud.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 me.com udp
US 17.42.251.62:25 mx01.mail.icloud.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 17.57.156.30:25 mx01.mail.icloud.com tcp
US 17.57.156.30:25 mx01.mail.icloud.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 10.11.161.112:1034 tcp

Files

memory/2924-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2924-4-0x00000000001B0000-0x00000000001B8000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/3016-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2924-16-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3016-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3016-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-23-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/3016-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3016-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-34-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3016-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3016-40-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d2c976ed479f5c76545f3535fe9da6f7
SHA1 b68fb6274c6e758efa760d8b87c1b54952cb5a56
SHA256 6d735d4a70cefa84fd0f13a57c6b0b11840c316afc6bd81452b7d995446478a1
SHA512 bb74e7dc13048a4fdf735f4b26847debd1912f1d132c360c9aaf6cea7c9b8370e1cee1f3fd99dfc63350021719a7216f8ec3951645e2fbe21eb3e589c9fb8827

C:\Users\Admin\AppData\Local\Temp\tmp2655.tmp

MD5 499546de0044b15141a0a04c1aeb7fe4
SHA1 6683591fc29e4ad3527ccfec3d03c270bccd5afd
SHA256 dec65e04d5964b573cc4d5577a113d0afcadfbed90c9fffbfced85aeb77c6d06
SHA512 1a738a78d9879f6c5f6706077f383c07fad6bab9ca88038c5f347fb79de728a3472b811f1e793c3a1c54d522dbdca35edc0af3daf1c6f3974da5c579f4a5dd57

memory/2924-58-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3016-59-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TVbqjvjs3p.log

MD5 be2bbde7219c30740d30d9c9ac07453b
SHA1 fa61fb22def933723f4b3b9ae4c8ba5290f41121
SHA256 ea35938d18f32f88bb7daea4790513b7373cff0188e94ce2b87669c2de9321e7
SHA512 fce9b91085374c4189bed19bef74979148e8feda760acb180e251c3b4a6a3b3e70e2e867cbe6cf2ec48516ac9bc3cc10a252301dd18e413bdbe8ec2f6ef84116

memory/2924-62-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3016-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-67-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3016-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3016-70-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-74-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3016-75-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3016-80-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 dad74b4302f73ed8298a80cc9b4bbfa6
SHA1 2ce338ac15a79fa48b2fd8148450ca7ce745957a
SHA256 fc1ceab67a093df371e9b9e5f868c5709db0272f4d506ab6c15d35cd63e3927d
SHA512 06f046bd4d008cc043b484273332a39bdb14aed92a9896cb2ea8d85166f2a36695bafb36df66d93033c0c74af3aad698b5a0ddcb6e4540fc1ed6c8c452033c8a

C:\Users\Admin\AppData\Local\Temp\Cab210F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab21DE.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2202.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35b83c1c4578ad0f071652ee6d7ab9b9
SHA1 2f2409d5b52fe2b282deecb95b98ea32af7f1f6a
SHA256 b4614105059beab8f045f624922859ef7a4772e36710a3a2c56f6b5e1fa31019
SHA512 3ea1406d0c299415a619358b5a56957b665fda287e389274d2419db6fa536f2fa576e04569dea8a9b58c07b1b85a25e609bb7066b7e91c0ff36e91a91fc57dcc

memory/3016-174-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-173-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2baa931d7342b343d8cf39352b02f3f
SHA1 0daf46acd721a0fbb9ab90e1f5131477cb04bef9
SHA256 b03516fd81d79bfa46c140c926596b749ab56e6d7c66d8b6a25a074c6fdb072e
SHA512 8500eee4da92b65a903c189ac2106e08588e5727e2ae5108022782702aac2082c5157d755d8b0701c81b3146ea97d501b9f2281c06928a36ac8342f220a9dd74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d821dd75ded078211cfd8bce11bbb76
SHA1 46cde701aba630a6aa5c980f93379c7e0e285220
SHA256 7d56d2d81d99ccef32457e3aa967dc1878698e6f59b8f88589e4c6074b5fac72
SHA512 a394d8635a674564a050a0e3beabb148cd2016170cae062cc25ef8ca5bc04935c505290e301ef8c5446dd67fb7f42d65af5e50f05b18049e0e7773f28b5f1d99

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\M80QBNB8.htm

MD5 9cd00ff0f8d031bfcf03aa3d2653fc1d
SHA1 3622469139522fea39dd100089ac9d2dc7a7c1a4
SHA256 88d8f1b83634d0d6cd8f3562e50a85b11dd54f6d0bc9573bb228b31b228d3ad6
SHA512 3d3e577b8ff77afdf5926888b47be9a5cf79d709ad332be91361e5bae11e436007943bb1793f17ffb1667de0db8b70d16523e7eab856f1fb11ba0475a188acdc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\QKET21ZX.htm

MD5 dc298a8adca454335899c6775f157bc8
SHA1 b81c4b062873646224e3dd7ee314387468d9b1fe
SHA256 f436c3f32b12652d26eb6e60dd977bfb835f44a033c0847be5805bb237effe67
SHA512 79a9eddebf8e43da8d9ea425dadf6e2ebcd7e70fdc5e083fe91abcf8a64436ddfee232e1ae075862d6d2c81f10a250d3e0ef04c376ae14e64a3c36a79ed96c1a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\KDC5SS74.htm

MD5 9834265502bd82fd1ce0db4e4d285e1c
SHA1 89d786e1dff9120f4fd8397baa9f0beac326f1b0
SHA256 a5cab99eb4ffa7784c3c1c5c2349c28ee3a18047742c33cc5faa5bcb8fa8f5e6
SHA512 bcebe89fd4469e4815956d31f0dc6dbe04143a63ff07f72c615b31ab3d8c363819cc31a77f529a8c7a5b69db29347ef80a0cd42397db3f88f4b459aa1408715e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12d5dafaabbb2304124923bf46969b43
SHA1 430f096547e848c9a449539cb175d81926239f65
SHA256 17631b8952bed83cee8c827966940faaacc5e8228c1e88f53adccf1819c4f414
SHA512 f1b0e0cc75800139f88a7e75143d62086638157e316133368286af84aee55e9ae8c7f12b3be6ef248f064d889f638e3fc1a1ed358adfe68973f66d20bdd7c5ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e756e974efa38cedc01650c4855eefab
SHA1 22a11223d7b014d6944e0e81f2b2aa5423147b70
SHA256 d756ac3b08edbb832740a43c44296c91526ef328b38232322cf02665379ef840
SHA512 26e4f2681fc1a32ea9b422ef15bd85e5b811e9aba827692490f5c8130577b4909db538c23b583339b17e3086d23b5ccf5b4f6407cb2b8749ec3a11741003025c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8659989ec70d53c06822d87844a7b874
SHA1 7885b7ea0f340358173c693a5c32c752db94b573
SHA256 5fce7c376307f301e198efdb628a504eb8de673c92f85f6cb349e16b93af82bb
SHA512 8caa03aa2be5dfc4fa2fca6298c156e80a31dc00207cf61d5b76bffeb26a10cf9ab9f141cb0757e523a9ca9a9c848f094b6753727358dd45c4b888fd4193adc6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 345725175adcccc200b9d97ac3f1d812
SHA1 a61e5d7d5f7706a97ed28cb16d393f40b76f82d7
SHA256 eb44306e2df1c6851f3e828b765dc41927fccf58db4457a9dfbc291c458e570e
SHA512 3464c25999ecde074a8bbb355656b63ff575fcb612d24b7e6b3f8d4ac27020962e173b5b798a1b3bf27dbcc0220f2e710f5d087899546324a7e28c3727bb118a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 497a098a38f19e4b91ef3623b1d699e9
SHA1 1f9839723366d3c0763b3fa881b13fb7b7359f51
SHA256 4dc21eeaf3c06004f9f2874c2c529e142e91026ebbdbeac9fa97da6e42917ce9
SHA512 1019951e8ea6aa0b39f40671d1eab6f3acc5f621ff65ea7f1b1dc596bc541b6ecdb641765b6f1d07a03fe9672fed8efde80301a5a48a0e17736c55cd54d86975

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4e240e65e763ff74be4d48f22c139a8
SHA1 7e2fa816190250b044659ff09c12333063c84669
SHA256 10e40f1e73a081a0d2e532cb12ae1664ef9249a5ba249891af085c8422051cd1
SHA512 d3ac371e271a4084aff538fe502154e26e2e8775ff2d80cffd019c8286340b8181ff7d729bd65923cedcbabfc583574ba00b7636ecdd2a8c3b3d3a6d01a80c3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c57fa6156d5c2fe799fabc93cd25eea8
SHA1 76d08f1deebd011f58e195fa7a31f24ce33e8bb6
SHA256 8cd822c8759d3598979af688c565f463d00d49d4808a78ca8134e35bc11b0a25
SHA512 027e6bfea3a728a0aae961ba83b62631fd90ec67e31bda73ee46f704b9494860c8718236ae3a22986aad543cf0d4ffaec363e4f405ae102bd20cad21edc32613

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9fd13b317b902d53b40b1cfc787ad23e
SHA1 8030ba3795a37913754e2a636be53bc875aa01d9
SHA256 22e536f471cb2cc855eede8c6f69e71943b13ee16efa7b1988bc2ac503b58b85
SHA512 82e04e0a8ad86bc234af85478bbe810626cdbf59be796a733551bf96e2f7f34845943e135990e283e16a3656a31996827542ad99d91bfb1e8ef5c77721b1065d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e898e4dba08303fcd41384a62635185
SHA1 ab8cb0bb7cb0601d1c5ca4c3d0311a02803d2c1e
SHA256 5f264e67f927b8dd0c9f2b813d0f8e32ff058507369a7620ba23cb8408626d54
SHA512 2dbe1de815c24c85a06d3e0344ce20908ef5b7fc46c62c877842f1325191d9934d480db19d4f164d16d4f7a863e9a7219aface7855ca7f0e21ddc3a4d2ccf44a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2f63a6fb62d09591fb0b7f46cc59dc8
SHA1 186b1ef5e865cff46cf8f22bace296d9bdc4fbdf
SHA256 c19ba3f28909ca7871908e5b02307b5cbcc6ccb5116fef285838bd09400f0fee
SHA512 eb92bb535c2e8d9521be5c597d805bfd84e9bb3e9726013332f6c170b35cd17e4a8925aa6698aa589d8ba0442f154c67bf3b3e5ebe79130d189cb50a438c0a0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d3766a1c321f711dee89bb6ee67c0cf
SHA1 ed8687c3a3877118fe1d6f24e0fd373443cb20f1
SHA256 cbe32da5a4ea3be34d2b70d102978691aad62b2d210bb2664937293d4417bea2
SHA512 763efc13aad8615ee74ab13706e1de068704434339d849d867f12d3c38271b0c9e92a5bdc16676a2e0e7add28a250752016c534555e008f289eee0da13a389e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48841d815f6401cd26242824d11e08c5
SHA1 676102437bc9ead1158fdacbac1fde284ed1ff8f
SHA256 21e64d46ddf926b02a61d06dfb7d4525490ff421a66b83b3432ae3b6d1ee3588
SHA512 b8150dc44711e5a0eca4f1d6d2b991c0ba9993c1840ff81a5ac5ff609a703f369ec0d3662e418d4dfddc87e795738b06dfbb21d62cf8ff3522d813cffaa83be4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f39c210c1bef917d589bf4feda0c62a3
SHA1 3428985e59ec405d937959bdfb4ffcffeb362c58
SHA256 5b5ac7b3ce6fa76bd822ae6c245dd7a6f31faa37313487105905a2a8cc993159
SHA512 344224e3c0ac9dbee20f77683f1c725504ac0b0c5ea0247ead6a88bfd4fe3c4ba8fd098df470a03ffea11f24206acb8c975919baf6f1b539dbc4f49eba6477ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\search[6].htm

MD5 4fbc61fe014846559a3b4f9c3ef48fa0
SHA1 3f1ad8c742504f1676376c47960e0ec69073140e
SHA256 b3b5921c3f39afc86b0c1ca4e5e0d0795457f29cb48a3ddf2e1d667649acbbf9
SHA512 e701d26eb172568b719f62fce2afd7fdbb91596b42714851c0910aaaec73f4cabb2e9d73df6e539ca2eb55b306ae3cd5171acc726558484a9481c85fa5ac7114

memory/2924-1139-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3016-1140-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b96625209e0a568aaa23628b6a82dc7
SHA1 bd494a8cdb0dbada6bb74afa8aee6c6a68fa0fbb
SHA256 74485e5e03f91847877455ee03ac911758671e3bedb3e101e552ed5b36b7a50b
SHA512 adedaa029831d0dd6ad87b22e7c9bca6b49116ed6a1cea777355e4e3e88581da3d6d4c1542a68ea5982ae4eddd889674d3d2e0ae126b4331f0d870052ff32ca8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f652b983c79d0a028ccea313a3d90f1
SHA1 cf406ad974a121d030bfa7f8e1d2e278ba70d9ef
SHA256 2e173abe6d0a0c9455a26e323aa41f1272f50a87a0f1d54b835bd0ec30066e74
SHA512 ace34835628c2293439ce24144738ac171d9a27060d1f2ba88c0cc3dadaf54e65a468f17f29381aa5d4e6b5ccb299f6c1f4293fcebc554986b67cc3956ba55b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 747069c8b28fcb4bb8fb121abbc833a9
SHA1 be5e9f74a5c13a2ffcf8d83c1274ff3069675c85
SHA256 b3d3dddba91949253fcf2bdee0099b13b0339306b83dad6aa908877c5b7a5803
SHA512 3cca8032a30ac0e18a9d6a40b0f98f7b6cd4e8934fab39ec4248069c0edf27d8e3cc4abd1699b4f060e402ce647de139042b2108c6caed03c47a3d6a87e7289b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 00:11

Reported

2024-05-07 00:13

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\38f2ca7e378e7a9f2cd195ca4c243ae0_NEAS.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.213.60.59:1034 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
N/A 192.168.2.155:1034 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
N/A 192.168.2.157:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 172.253.116.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 search.yahoo.com udp
US 52.101.9.0:25 alumni-caltech-edu.mail.protection.outlook.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 hachyderm.io udp
IE 172.253.116.27:25 aspmx.l.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 192.168.2.13:1034 tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 85.187.148.2:25 gzip.org tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
NL 142.251.9.27:25 alt3.aspmx.l.google.com tcp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.11.4:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
FI 142.250.150.27:25 alt4.aspmx.l.google.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 8.8.8.8:53 smtp.gzip.org udp
US 8.8.8.8:53 snai1mai1.com udp
US 8.8.8.8:53 snai1mai1.com udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 outlook.com udp
US 52.96.223.2:25 outlook.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 lists.stanford.edu udp
US 8.8.8.8:53 mxa-00000d07.gslb.pphosted.com udp
US 67.231.149.169:25 mxa-00000d07.gslb.pphosted.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
NL 142.250.27.27:25 aspmx2.googlemail.com tcp
N/A 172.16.1.3:1034 tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
NL 142.250.153.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 mx.cs.stanford.edu udp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
IE 172.253.116.27:25 aspmx.l.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 smtp.burtleburtle.net udp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 65.254.250.102:25 smtp.burtleburtle.net tcp
US 8.8.8.8:53 mx.outlook.com udp
US 8.8.8.8:53 mail.outlook.com udp
US 8.8.8.8:53 smtp.outlook.com udp
IE 212.82.100.137:80 www.altavista.com tcp
GB 40.100.174.2:25 smtp.outlook.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 mxb-00000d07.gslb.pphosted.com udp
US 67.231.157.125:25 mxb-00000d07.gslb.pphosted.com tcp
NL 142.250.153.26:25 alt2.aspmx.l.google.com tcp
N/A 10.11.161.112:1034 tcp

Files

memory/4328-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/728-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4328-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/728-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/728-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4328-25-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-26-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 3a5cf70c7f72d89f61b48263fd41713a
SHA1 8f12331758ab61c80491b196e2ec4c658b7210f0
SHA256 f1cfa9a463a7547d4f9e85f0bf357211f30d9d16baa430cbc1083f7994ab4eca
SHA512 60cf516a56d557770846d8561e61a05cb06560087a19b99860f7c95fb4b0e69a92155e83624e65e11aa6a5a7e8bf44d5b40ad31bb9e98e4ba64a39f3fcd03797

C:\Users\Admin\AppData\Local\Temp\tmpF2DE.tmp

MD5 d83e430e8818afdc049ab7ab0a1e825e
SHA1 bc05e73e0cfd542300e20f8a1f1eef4becc425e0
SHA256 1d0a58ea22f2f0b97302ef012dae51d781379f4425245676d23ab12227a6b992
SHA512 6a0f9377ed28acaf46af2f8bb310476073d44a7eef5cb1c7aeda6f21e3415976d7e3a743818c48d3a49b19e126f83ff39c8ee80d571bef3869d60af3567ee88c

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 2fecc3c2bc9da6fc71a139da718bbc48
SHA1 58a70f89dcafea845a232ff8649c00cc931f07f0
SHA256 0c01a1df375b61b15c06c7bcd724fa92231f786616a938bb705f2f73b176c9f9
SHA512 41642ab188992df972a0adf385671a9a136b10f63f048be25b0e47416c49c85401ed530fbc6f5618356192d892f500aabc834e0feba4221db76f1acd5d5f5369

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3X7K2ORY\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y2LQBQ0P\9JYARWOJ.htm

MD5 1c45b52703bb6a3def2f8ee970033bec
SHA1 fe1c94b762e56f2a671424044b75d3c97ed326b8
SHA256 1ed891fcd41229adfc644c40dcdef3bb0e14ec7bad16ecc14e06945fe23ad5aa
SHA512 c36e9942a490005343bfe5ae5a83be3a763cd224bd89a1ed0abd7eaf95b450bbc7c559908ccf682f9eafd405788a4db75061274b81b658572f7f236087170a04

memory/4328-167-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-168-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4328-171-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-172-0x0000000000400000-0x0000000000408000-memory.dmp

memory/728-174-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cDb5bp2.log

MD5 1d1c36ed5b667df8245e66f34b31ac4a
SHA1 77c3ce8c18a895fac3ab65b3dee0db919016891f
SHA256 f0521d094fe7977b94a6f41a4bfe8bffdbd58e4a65fa15d18903db316342e056
SHA512 a387b0b3647fc688ad433b02b36f79fd2f5e279948e46731d3f3ae7f8cb4162d15bbd6bdc9beae9e10af51cf6ce2201006adb1b0b90280c90662c6dde6a69a58

memory/4328-178-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-179-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 f18775f6382115c22186328067d90014
SHA1 62c2f8decd4fd1f907140f443905d7f62f682ff0
SHA256 5546e7f375ec44f3f1c7ca2a0e50865fc521c288fb3a5e26427c73b24ef58c51
SHA512 7c6769bb472b11149674533fd4d1df2500f21a853c7dd219d7b6eb4de70c07a49be1edc3b6a86bed80e969514e83ae3dcd42fd03855f8ec448ac811f575c128a

memory/4328-196-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-197-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4328-198-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-199-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4328-222-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-223-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e2455858a817754357ec7bad65ae49ff
SHA1 a77a7312bbe8c984f4120f807afb04fb431c482b
SHA256 21ead847bda35c610f175c58b8a89e3536fedf5c62137ca9ac9c3012604eb3b3
SHA512 07e9d8b720b091ed157930cf45ad9090a680dd1a419506a345ad3bc181ac4f6895b120718bfec057905abe359ab479f2811cea745540bdd13742a51ad277a98d

memory/4328-250-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-251-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c636dd568402f1ba662543a2ac345f98
SHA1 96216133a8df51e363ad2f83743172ec2ba9ecdd
SHA256 6bd2245e86f7b3a511949e7f970c88849ee2a56d4d9e7c3db0efcec8ac23bd46
SHA512 3b0f51eed83d3eaa03c95d9f8a884c34c48f493a1cf96331dc6a8762d3beedd84c456b8cebaf2a0a5a81c3879d73943858cc67e822ae8a0a73627432e5d13858

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y2LQBQ0P\search[7].htm

MD5 b22bf4a0009ada90d593c1d755b4af22
SHA1 28e80b747f4a3ea679e1d1e4649daf50dcf0342e
SHA256 e77960dd486db7372e46a146e62a1286756a486f6ae64972a2a63e0a08be5467
SHA512 6b7ad52c782f53dbce1407bb320db01d9e89dab5600e06cd94da98a15b09d567ea6e366ab691c4272a0cfef55e52bb07b8455f2b0fdf467a38dba062e2d37d8d

memory/4328-291-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-292-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4328-311-0x0000000000500000-0x0000000000510200-memory.dmp

memory/728-312-0x0000000000400000-0x0000000000408000-memory.dmp