Malware Analysis Report

2025-01-19 00:30

Sample ID 240507-fby8pada65
Target 695686ec079ecdf887550d1739784420_NEAS
SHA256 43825936362d8cee1c25e949d2bf53a10c91075bbd6c786cc5c068acc26244fb
Tags persistence upx microsoft phishing product:outlook
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

43825936362d8cee1c25e949d2bf53a10c91075bbd6c786cc5c068acc26244fb

Threat Level: Known bad

The file 695686ec079ecdf887550d1739784420_NEAS was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 04:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 04:42

Reported

2024-05-07 04:45

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 matches, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 192.0.0.111:1034 N/A tcp
CA 15.156.65.95:1034 N/A tcp
US 16.100.97.125:1034 N/A tcp
US 16.100.97.125:1034 N/A tcp
IE 159.134.164.32:1034 N/A tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.8.44:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 15.28.189.247:1034 N/A tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
IN 4.240.78.119:1034 N/A tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
N/A 192.168.192.18:1034 N/A tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in.g.apple.com udp
US 17.57.170.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 209.85.203.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp

Files

memory/2380-0-0x0000000000500000-0x000000000050D000-memory.dmp

memory/2380-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-8-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-11-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2324-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2380-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-37-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TVbqjvjs3p.log

MD5 766417872083eb9645b82e91332fc404
SHA1 1736542855f6611c6cfbe8ed47cce87688e25f51
SHA256 4b296c18364b77147433eeeb68fa1230a3b4467ca4014ae1deead7961a949029
SHA512 fcb2b132d4b3836c1a1074d34762f766a755151ea95a4cf6cf1864bed4326f2ea70f17de977d449a97242e0f7d21f2947563813b25b9914785ad23cff54b8073

memory/2324-41-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c371ca727f7b8e3f0b1c6346fb3f7250
SHA1 49087cbc654058f2818bd91a0d6fe1483fb2f591
SHA256 b6d47cde2670e360e3143a4a39b9693ea600950f810cbeb153a1411a8d69645b
SHA512 c0c4d251f64fb7deb511d6a2ac651379a2982c0a6de9ae9206bcbf8fc5ac4b3b0a06d2994b94b209f3a34f3e67d34278109672a2ed0defdfb818c5dfe6aa6699

C:\Users\Admin\AppData\Local\Temp\tmp625B.tmp

MD5 f58bcb3fae25462bc605c15fcf0b2d12
SHA1 ffaf3663069b130384f40763b13621d7bddc8b9a
SHA256 0ca25e1a2e8b5405fea9e4f74124c13cf24e99cfe5bc9d0a8a839fe2e0ea142d
SHA512 7c65489ca4af449b76f6bcb5a476bf6a5a8655b6ac471a72ae7afecef3fa0535b35fe1be710668542b18b7a355e7034e230d751f2cd037cd07b48f2e5bf1f8ec

memory/2324-58-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-59-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-63-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-67-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-72-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 4725b21130cf053d098e4bc46cb6b420
SHA1 14bb44c3336cad53f835f01d70a4a283a49addf3
SHA256 b775f6bf8c9ca1d03ec650454f46ce2e8cb6bbfd76b185571fe120b2f2c81334
SHA512 57dcaa70d51d8936192149b1a2bceab0cb6637ac1389ee608b0b3781f6593b9aa11375cdb4e9c3a70e2777248f237a789946beb1d19232f2a30fb3224630c427

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 04:42

Reported

2024-05-07 04:45

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 matches, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\695686ec079ecdf887550d1739784420_NEAS.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 192.0.0.111:1034 N/A tcp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
CA 15.156.65.95:1034 N/A tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 16.100.97.125:1034 N/A tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 74.125.193.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.19:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 16.100.97.125:1034 N/A tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 199.89.1.120:25 mail.mailroute.net tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.27.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
IE 159.134.164.32:1034 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.250.153.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.9.22:25 outlook-com.olc.protection.outlook.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 15.28.189.247:1034 N/A tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 hachyderm.io udp
IE 74.125.193.26:25 aspmx.l.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.27.26:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
US 8.8.8.8:53 smtp.gzip.org udp
US 8.8.8.8:53 outlook.com udp
US 52.96.223.2:25 outlook.com tcp
IE 74.125.193.26:25 aspmx.l.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IN 4.240.78.119:1034 N/A tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.16.228:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
NL 142.251.9.26:25 alt3.aspmx.l.google.com tcp
NL 142.250.153.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mx.cs.stanford.edu udp
US 8.8.8.8:53 mail.cs.stanford.edu udp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 smtp.burtleburtle.net udp
US 65.254.250.102:25 smtp.burtleburtle.net tcp
US 8.8.8.8:53 mx.outlook.com udp
NL 142.251.9.26:25 alt3.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.outlook.com udp
US 8.8.8.8:53 smtp.outlook.com udp
GB 52.97.219.210:25 smtp.outlook.com tcp
N/A 192.168.192.18:1034 N/A tcp

Files

memory/2968-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/4636-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4636-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4636-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4636-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4636-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4636-26-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9c25b172850f0832a5f8f139944a85e3
SHA1 ee21b225f8f1b13ca4f4cef9f74df3c99bc30880
SHA256 41661b9a2bd31410873542c8baa255654f4c2f584111ee4ef26f16059e895d7b
SHA512 418a581a3b45b9edc2557717eabdb1832fa0fbf286effaedf3709cea7b8d293a83f9a2289e0166c77b170a1ed394c277372a720af92cc876f9766f7937d6a0b2

C:\Users\Admin\AppData\Local\Temp\tmp2E23.tmp

MD5 70263076270ceee2c153e727d0c5d067
SHA1 619c098eb53e59311837db0c3db725182f9b8c2b
SHA256 5dbf7ecf615d698e741fa18ff4d6c1bcac3c563aedc3565cfc4117f52279e9fc
SHA512 bf5bfcb2ea4852197a4cf636df69ca6d573d6e135b884a3e7a8151148d0358fe7ddae8c1a94c4c0ee8b0477ec7cdbcbce10548c0b3b1648ae3e369b9ff7648c9

memory/4636-58-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BB8X2UQ6\search[4].htm

MD5 967dae667325ffceccf2ff3a2ef45e8f
SHA1 863a4b5dfacc280f9d9ca2ed444240c1b54e74ea
SHA256 02f4f0a1dd5f2278e4d54bc139edb2b770a1f186ce2d3f8a272246685726da92
SHA512 a797dcf1708ae8b323a0d9180d4f4dc0da77e4d8050ea8f3d773e18bd37a92a059edbef2c9fcd5dc1e6d828d91ccaf04a65d35ae1d65f9db9c0db239d71f77fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LA4X8NGR\search[4].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\22GDAN8B\TTXI4XXW.htm

MD5 7dfcc31d68cb208381241f1e8fd1321e
SHA1 79581b0486d660f0d55e4b54a2cc31ccad12d50f
SHA256 64f241ba5566dd6a59f3623165ec76679919d2bc0510f802431a9dbaadb1be0c
SHA512 eb811fd6e1f316c7017725f671dd58e10891ed00c80732641dfe3b333edc0faeb886e9b4b607a25bbb4e729e8f90f62e4957a2a85f42ba0347b6445b98801805

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\22GDAN8B\search[6].htm

MD5 fa3be24d68e993a0b1132ea38a1e1504
SHA1 7058d92b38db1cea842075468198b907ea95b417
SHA256 8925f879b35a85bd10272eaa7673ecd7d068710fb3a62f1a7723d2ba8ab68dc6
SHA512 2773f237720c2de65d850ac940561aa8a3e506414cd7fe78a9ed3a98ff460a31687340659c31b002c1acb0e3808183ded20df9f132721fc0858f3fe5432c38dd

memory/4636-230-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jeqauh8.log

MD5 cda80c5ba6a60813528ae2f44efd7123
SHA1 7f29878fd60d49165d8164993e4e7f6bb2abfae2
SHA256 5ba3bf63ef05a1db1ba908097a50c06130f8fb624c8c3d9e3744f76ff2881aa1
SHA512 cee97dd8f26080634c3856367787c79b1ca409ecb909ff736f7b4c43ca9ede651f040613b611d9c234ce59d23693bf219d011f57e8cd9f0e88f2520c2db85834

memory/4636-253-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4636-257-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4636-258-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 67670c157c17d292019e4d002c38f324
SHA1 bfe58bba78e46501ae2205098fa82fa87882c50c
SHA256 73314521a9bf8b12c83b63f0663acfe205d8da45c31d1285bf23c5c93deb0e50
SHA512 20e2fcbef3d3a9088c8365bb66837713e7bae4e44d91ea6c966c5ac0f2f5c578bce40edf5167307509cd3224c5628b0f80cd8f15711fe2dfba226d6d57bf7f3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\22GDAN8B\search[5].htm

MD5 36c026a051ef14443573cd67ef46a73c
SHA1 a19b32d819ac005e261a2bde26d7fc34cd1043db
SHA256 8436add995fef56d5c21115f32ee2ff1754d04d3bed814f6857bcec0e498c44d
SHA512 1c54f285767b396d41497d8f77a5c89eaa344070632787ff830340fcaf9d743dd443200683810413bd3dacdfa5118d7e4df4fbc987ee2dec8bbb04ddba63f5b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BB8X2UQ6\search[5].htm

MD5 c2e09ddd3756ee6e2f2efdf1c75674c8
SHA1 9cb125914b0bbf6f2075493faa7ec7ac74561a8d
SHA256 2a9112d420e80ac4f9ad32f2213f4f0e2ff20202d5dfbdca1073c1f7796accd6
SHA512 b10438717694030333155c558d180d45ff9375f5251a7e36b1d8e644a434a2052bbc6800232572e748b0d8a2180a05464e70bae9cdef8c8b5f55c8031d44067d

memory/4636-304-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 98fa4580110cf808aa57da43cd83b5ad
SHA1 de503d4f1221283e497e65bc95f9317f14a37102
SHA256 8d598955496406ea47504fe524e93375ce89dbe39fd4958f9d00d40fb0ec1187
SHA512 58e312725105ad9df5144b657d5207801a1ce5910370e315792622c5eb9d1624e557192f69bde386df6b60038eb0ec263005a4629ad7c5cd02ccb9334c15c475

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BB8X2UQ6\results[1].htm

MD5 35a826c9d92a048812533924ecc2d036
SHA1 cc2d0c7849ea5f36532958d31a823e95de787d93
SHA256 0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
SHA512 fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LA4X8NGR\search[7].htm

MD5 43afd91501a3844c3269d42455ee2f87
SHA1 b1fa8be3641a8438a3ccdb5d0d3c6071855d6ff9
SHA256 f35435f3f0a510bfd87df4263d79b7cecd15abdc62c21e438c327467c7677b1d
SHA512 56a365f5efb26fba08273895cda5a9b66555cd0a249f4ff9696af90e57f9d3d0a45ff50b455948c770151624b35a986b82c4bd8697b16fcdf4b289960823928e

memory/4636-393-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 1183824e5d5383ccd6796357f53bf21f
SHA1 e481f99d033cd4dc9f7604a95f79b82cd3c22b8a
SHA256 64a97d715cfb0bf275f0e6fde6e044426c3dfd02297f905853efd41610d20b8d
SHA512 6ecf2f81445194268c77503c3ab4ed4205d72d05871f0a4cc4b8449e46150915099cc893d861ef9a3bd7e13f78ac9f19e7c10c17531c34fc91c1a2775be30516

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BB8X2UQ6\search[1].htm

MD5 e435d31956be3483bce822395f9514a9
SHA1 0d5b40b5a608ab156fc352c30ff00d30b30bc7d8
SHA256 74d8a9360a85432b18e87d11ece53dfd73bce48c89015ea596d9730c1401e5f0
SHA512 78709517c83d2c4bd5b00b11aa8b1e70dd58c1dd1e3f1012250dee3e7bb11d16d377b2e41370a907670a3a9096e209402562150677a6237869c56f0305ebbe0d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ2TD4H5\searchT1FL9AZE.htm

MD5 18fe429f0af378f4846cc4f28a766cca
SHA1 4d6e6376767e64de0e3519b8995a084c066e0052
SHA256 451db2d30181bdac255f322ba9c18efbfdcf6efa371f0bb65a1a336f32f88648
SHA512 a5c8af45ef98dea98e0a6d62eab3fea945a1e088ba2220e23fd8b536886040c15888d80ccd6fe78bd800b86141e459b32b38f3cb11b8791c83f7a04951d9bc83

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\22GDAN8B\searchRJ9L1RZB.htm

MD5 0356cb23b0eaf32cccedb825ba1db9f1
SHA1 ede310627e554113f792ba3dff6b295009970ad0
SHA256 ec270fe3c607f880d63723d9b4093084d63dfa3a9c145288993765c306c5f8b7
SHA512 f141051d2447ec42b7124c90269afd8b608f2df2eb3a266ac514302aa6f6d1657aab54b14d119df71bf4bc91c350b6dc731885cf55c9595eb715f86c4307f4ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ2TD4H5\searchBWIEZXBQ.htm

MD5 460c19fddaf24d6a069a495e05621eca
SHA1 2e6d06319e84a5bf6c361db7d9ce93f12d84adfc
SHA256 d64861a7693f8628a10fa99d68a757c5749e002ba66b71ba351980d2155bd4c5
SHA512 be7fa1c3eaf94ad75362480d87a29909aadcfac977a22ebbc36066c713d7fc27b4645f5a2dd37df11429da32981fcdc02ab32cfa1e3a8a86eb91f8cb1367c2f7

memory/4636-478-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4636-481-0x0000000000400000-0x0000000000408000-memory.dmp