Malware Analysis Report

2024-10-19 11:32

Sample ID 240527-ylhykaha95
Target 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe
SHA256 04079f8509ceb8ec7a73d6234c1a52b732897b977c3e269e6be701017caab202
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

04079f8509ceb8ec7a73d6234c1a52b732897b977c3e269e6be701017caab202

Threat Level: Known bad

The file 1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe was found to be: Known bad.

Assessment (editorial, drawn from the detonation data below; the sandbox verdict itself is the line above): the sample is an unsigned, UPX-packed 32-bit executable (its Run values land under Wow6432Node). On launch it copies itself to C:\Windows\java.exe, drops a second executable as C:\Windows\services.exe, a name chosen to pass as the legitimate C:\Windows\System32\services.exe, executes it, and registers both under the HKLM Run key as "JavaVM" and "Services". It then behaves as a mass mailer: it resolves mail exchangers for a set of domains (aspmx.l.google.com, mail.protection.outlook.com, smtp2.cs.stanford.edu and others) and connects to them on TCP/25, queries www.google.com, search.lycos.com, www.altavista.com and search.yahoo.com over HTTP (the fetched result pages are the INetCache .htm files listed under Files in behavioral2), writes to %TEMP%\zincite.log (empty at first, then changing through the run), and probes private-range addresses on TCP/1034. The file names java.exe, services.exe and zincite.log, the JavaVM/Services Run values, the search-engine address harvesting and the TCP/1034 port are the published indicators of the 2004 Mydoom.M/Mydoom.O mass mailer and its Zincite backdoor; the sandbox does not name the family, so treat that attribution as the editor's. The "microsoft outlook phishing page" tag fired only in the Windows 10 run, where the only Outlook-related activity is DNS and SMTP to *.protection.outlook.com and outlook.com mail hosts; it is most likely a heuristic match on the downloaded search-result pages rather than evidence of a credential-harvesting page, and should not drive the response on its own. Treat an affected host as worm-infected (block outbound TCP/25 from workstations, quarantine C:\Windows\java.exe and C:\Windows\services.exe, remove the two Run values) rather than as a phishing incident.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 19:52

Signatures

UPX packed file

upx
Description Indicator Process Target
(1 match; indicator, process and target not captured in this export)

Unsigned PE

Description Indicator Process Target
(1 match; indicator, process and target not captured in this export)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 19:52

Reported

2024-05-27 19:54

Platform

win7-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(24 matches; indicator, process and target not captured in this export)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.53.7.27:1034 tcp
N/A 10.152.243.207:1034 tcp
N/A 10.222.21.129:1034 tcp
N/A 10.37.232.110:1034 tcp
N/A 10.126.94.178:1034 tcp
N/A 10.227.85.66:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 52.101.8.36:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.14:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.10:1034 tcp

Files

memory/2848-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2848-4-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2904-10-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These are the digests of the empty input: the log was zero bytes long when first hashed. The later zincite.log entry below carries different hashes once the sample has written to it, so this set is not usable as a file indicator.)

memory/2848-16-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2904-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2848-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-47-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-52-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2848-53-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2904-54-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2904-59-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e55b194643f65091febe222084f46ef3
SHA1 b29cc9c022549b66c0e10deb308404abc5ffcba7
SHA256 7622cd7978b033a78961e85a6d0d495f4ec23d63b165e916d8471d0c4c93a8d4
SHA512 4ec03be1e412a1a1602eb8c27bfe34f189764acbed78d624fed0bbb467f1731957bb62a0427f49d607d50547f2abefb8a3ab77d14163ef6b387d05960f25c7fb

C:\Users\Admin\AppData\Local\Temp\tmp5CC2.tmp

MD5 160cfe02f239770b700f3f5b5306e9bc
SHA1 edcc6e0ca9b940adc762c525ef17b6be1be1bb1e
SHA256 84031af44183e2a2bc06d2ae2c0d18cc4a5e451da058c29e125af5646ac853b8
SHA512 a77a1a2f90dcc8d48f4e3225745e8916420d08d9891642497210db25599e6867b10bc52aae57fcfa02bf985967e1e5d4290cb0c64f79ec6ededd2f84c1712c5c

memory/2848-79-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2904-80-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2848-81-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2904-82-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2848-86-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2904-87-0x0000000000400000-0x0000000000408000-memory.dmp
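The persistence and file-drop tables above (and the identical ones in behavioral2) reduce to a few host checks an incident responder would want to run over any report of this shape: a system-process name outside System32, an autostart entry pointing at a loose executable in the Windows directory, a process running from %TEMP% writing into %WinDir%, and a "dropped" file whose digest is the empty-file hash. The Python below is an added example written for this page, not sandbox output; the rule names, severities and the SYSTEM_ONLY_NAMES list are the editor's choices, and the input rows are copied from the behavioral1 tables.

```python
"""Triage of host artefacts (Run-key values, dropped files, file hashes) from a
sandbox report. Added example, not sandbox output; rule names, severities and
SYSTEM_ONLY_NAMES are the editor's assumptions."""
import ntpath
from dataclasses import dataclass

# Process names that legitimately exist only under %SystemRoot%\System32
# (or SysWOW64). The same name anywhere else is masquerading (ATT&CK T1036.005).
SYSTEM_ONLY_NAMES = {"services.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                     "smss.exe", "svchost.exe", "wininit.exe"}
WINDOWS_ROOT = "c:\\windows"
# MD5 of the zero-length file: a "dropped" file with this digest holds no data yet.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    rule: str
    detail: str


def normalize_path(raw: str) -> str:
    """Strip quotes and undo the doubled backslashes the report uses for (str) values."""
    return raw.strip().strip('"').replace("\\\\", "\\")


def check_run_value(key: str, name: str, value: str) -> list[Finding]:
    """Rules for one ...\\CurrentVersion\\Run value."""
    exe = normalize_path(value)
    directory, base = ntpath.split(exe)
    directory, base = directory.lower().rstrip("\\"), base.lower()
    out = []
    if base in SYSTEM_ONLY_NAMES and not directory.endswith(("\\system32", "\\syswow64")):
        out.append(Finding("high", "system-name-outside-system32",
                           f"Run\\{name} -> {exe} (the real {base} lives in System32)"))
    if directory == WINDOWS_ROOT:
        out.append(Finding("medium", "autostart-in-windows-root",
                           f"Run\\{name} -> {exe} (loose executable in %WinDir%)"))
    if "\\wow6432node\\" in key.lower():
        out.append(Finding("info", "written-by-32bit-process",
                           f"Run\\{name} was set through Wow6432Node"))
    return out


def check_file_event(path: str, writer: str) -> list[Finding]:
    """A process running from %TEMP% creating files under %WinDir% is a drop, not an install."""
    if path.lower().startswith(WINDOWS_ROOT + "\\") and \
            "\\appdata\\local\\temp\\" in writer.lower():
        return [Finding("high", "temp-process-writes-windows-dir",
                        f"{ntpath.basename(writer)} created {path}")]
    return []


def check_hash(path: str, md5: str) -> list[Finding]:
    """Flag digests of the empty file so they are not promoted to indicators."""
    if md5.lower() == EMPTY_MD5:
        return [Finding("info", "zero-length-file",
                        f"{path} was empty when hashed; later copies may differ")]
    return []


def triage(run_values, file_events, hashes) -> list[Finding]:
    findings = []
    for key, name, value in run_values:
        findings += check_run_value(key, name, value)
    for path, writer in file_events:
        findings += check_file_event(path, writer)
    for path, md5 in hashes:
        findings += check_hash(path, md5)
    return findings


# Input rows copied from the behavioral1 tables of the report.
RUN_KEY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_VALUES = [
    (RUN_KEY, "JavaVM", '"C:\\\\Windows\\\\java.exe"'),
    (RUN_KEY, "Services", '"C:\\\\Windows\\\\services.exe"'),
]
DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe")
FILE_EVENTS = [("C:\\Windows\\java.exe", DROPPER), ("C:\\Windows\\services.exe", DROPPER)]
HASHES = [("C:\\Users\\Admin\\AppData\\Local\\Temp\\zincite.log",
           "d41d8cd98f00b204e9800998ecf8427e")]

if __name__ == "__main__":
    for f in triage(RUN_VALUES, FILE_EVENTS, HASHES):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

The masquerading rule is the one that matters most here: a Run value named "Services" pointing at C:\Windows\services.exe reads as benign to anyone skimming, and only the directory check separates it from the real service control manager in System32.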

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 19:52

Reported

2024-05-27 19:54

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
(28 matches; indicator, process and target not captured in this export)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1411ec0e42c9e4d38a31a7f4aae94490_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.53.7.27:1034 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 10.152.243.207:1034 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 10.222.21.129:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
BE 108.177.15.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
N/A 10.37.232.110:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
FR 216.58.215.36:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 36.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 8.8.8.8:53 hachyderm.io udp
BE 108.177.15.26:25 aspmx.l.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.250.153.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
N/A 10.126.94.178:1034 tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
FI 142.250.150.27:25 alt3.aspmx.l.google.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
NL 142.251.9.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 mx.acm.org udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
N/A 10.227.85.66:1034 tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 outlook.com udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.41.20:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
SG 74.125.200.27:25 alt4.aspmx.l.google.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.250.153.26:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
N/A 192.168.2.14:1034 tcp
US 8.8.8.8:53 smtp.gzip.org udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.42.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 outlook.com udp
US 52.96.222.226:25 outlook.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
NL 142.250.153.27:25 alt1.aspmx.l.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
BE 108.177.15.26:25 aspmx.l.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
FR 216.58.215.36:80 www.google.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
N/A 192.168.2.10:1034 tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 mx.outlook.com udp
US 8.8.8.8:53 mail.outlook.com udp
US 8.8.8.8:53 smtp.outlook.com udp
FR 216.58.215.36:80 www.google.com tcp
GB 52.97.146.178:25 smtp.outlook.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
NL 142.251.9.26:25 aspmx3.googlemail.com tcp
FR 216.58.215.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
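Both network tables (behavioral1 above and the behavioral2 list that just ended) show the same three patterns: DNS for mail-exchanger names followed by TCP/25 to the resolved hosts, HTTP(S) to four search engines, and TCP/1034 to private addresses. The classifier below is an added example, not part of the sandbox report; it parses rows in the report's own "Country Destination Domain Proto" layout (rows with no name column have three fields), and its MX name hints, SEARCH_ENGINES set, the three-host SMTP threshold and the rule names are the editor's assumptions. The sample rows are a subset copied from the behavioral2 table.

```python
"""Classify a sandbox network table (rows of "Country Destination Domain Proto").
Added example for this page; thresholds, name hints and rule names are the
editor's assumptions, not sandbox logic."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Search engines the sample queries, taken from the report; assumed complete for this sample only.
SEARCH_ENGINES = {"www.google.com", "search.lycos.com", "www.altavista.com", "search.yahoo.com"}
# Substrings that mark a resolved name as a mail exchanger. Heuristic: the report
# shows only the names that were looked up, not the DNS record types.
MX_HINTS = ("mx.", "mail.", "smtp", "aspmx")
PEER_PORT = 1034  # TCP port the sample probes on private addresses


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # "" when the report row has no name column
    proto: str


def parse_rows(text: str) -> list[Conn]:
    """Parse the report's table; the header row is skipped, 3-field rows have no domain."""
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unparseable row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


@dataclass
class Summary:
    smtp_targets: set = field(default_factory=set)     # distinct IPs contacted on TCP/25
    mx_lookups: set = field(default_factory=set)       # resolved names that look like MX hosts
    search_hits: Counter = field(default_factory=Counter)
    peer_probes: list = field(default_factory=list)    # private IPs probed on PEER_PORT
    reverse_lookups: int = 0                            # PTR queries (in-addr.arpa)


def summarize(conns: list[Conn]) -> Summary:
    s = Summary()
    for c in conns:
        if c.proto == "udp" and c.port == 53:
            if c.domain.endswith(".in-addr.arpa"):
                s.reverse_lookups += 1
            elif any(h in c.domain for h in MX_HINTS):
                s.mx_lookups.add(c.domain)
        elif c.proto == "tcp" and c.port == 25:
            s.smtp_targets.add(c.ip)
        elif c.proto == "tcp" and c.domain in SEARCH_ENGINES:
            s.search_hits[c.domain] += 1
        elif c.proto == "tcp" and c.port == PEER_PORT and ipaddress.ip_address(c.ip).is_private:
            s.peer_probes.append(c.ip)
    return s


def verdicts(s: Summary, smtp_threshold: int = 3) -> list[str]:
    """A workstation has no business talking SMTP to several distinct MX hosts;
    with search-engine traffic beside it that is address harvesting, and the
    TCP/1034 sweep of private space is the worm looking for peers."""
    out = []
    if len(s.smtp_targets) >= smtp_threshold:
        out.append(f"mass-mailer: direct SMTP to {len(s.smtp_targets)} distinct hosts on TCP/25")
    if s.search_hits and s.smtp_targets:
        out.append("address-harvesting: search-engine queries alongside SMTP delivery")
    if s.peer_probes:
        out.append(f"peer-scan: TCP/{PEER_PORT} probes to {len(s.peer_probes)} private addresses")
    return out


def classify(text: str) -> list[str]:
    return verdicts(summarize(parse_rows(text)))


# Subset of rows copied from the behavioral2 table of the report.
SAMPLE_ROWS = """\
Country Destination Domain Proto
N/A 10.53.7.27:1034 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
BE 108.177.15.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
FR 216.58.215.36:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
NL 52.111.243.29:443 tcp
N/A 192.168.2.14:1034 tcp
"""

if __name__ == "__main__":
    for v in classify(SAMPLE_ROWS):
        print(v)
```

On a real network the same logic runs over firewall or NetFlow records rather than a sandbox table; the detection that survives outside the sandbox is the first verdict, a client host opening TCP/25 to many distinct external mail servers, which is also the one an egress filter blocks outright.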

Files

memory/1076-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1232-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(Digests of the empty input: the log was zero bytes long when first hashed. The four later zincite.log entries below each carry different hashes as the sample keeps writing to it, so none of these digests is a stable file indicator; match on the path instead.)

memory/1076-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1232-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1232-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1232-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1076-30-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1076-35-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-36-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 7d37aa77285011cde7d50d7c582ac45f
SHA1 caab15ee78828a92bc2e87af9b6b595536dc7a02
SHA256 29b0ad619a8bd5f1628ed230bc11598b6eabadf72d44dae9d966c1dbe1869fb0
SHA512 eb1ba2581ea898249c9c7234494fc69e87d708b8d777b68338d43d868b42be183a244eed0694fd95798dd9a323149e93dd59878eaf4fb9ffa7c1e047dfe3224a

C:\Users\Admin\AppData\Local\Temp\tmp2F89.tmp

MD5 7bb1810495621e7022f6e9982a037005
SHA1 d69b829fd10ac8319c193b824fcd2c7609f0cf05
SHA256 4f227d89e59738f26ef689944545a774143ec6039edfdb47c9b557ffe3db5940
SHA512 84bc9eca5fac99f5fc536885cbaf84d84f7befec8e4890ddeabd7ba93c4f5bb6ab52d6ea57edc3695cfe618038a4013c1ae53ed0726646a82eef75ddd0c4c3c9

memory/1076-134-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-135-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1076-138-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-139-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1232-144-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1076-145-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-146-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 367940318828c765a57cd92276c0aa51
SHA1 de0da0d932b7acd072b59ddf365d4a98e7e1036a
SHA256 c8c85b1a7dde1be6fa69a2e56f1e6ae8d4d7779b24c2cbe9b51e5e6f82ec181a
SHA512 0f76f969922da5b552653fc742f45bd0dbf55b5ef7625da9f8ef77cc191af7d489ed663ef4f2752d2eed2547cdfdb2c6c28e41cbe812615fa0704ea3fe5889c7

memory/1076-170-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-171-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1076-174-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-175-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 89f66fbe3a6789774685c357c974ae2f
SHA1 2f21f78fec7d4779f46cc78121d4282817096b13
SHA256 3e59736f201e16aa917d1a4d2457d3669de83805504a964173e4268ab1a1ea65
SHA512 982555c4ef29f99a73082207bfb4ca2ecce97e522979e09c24e9389202e7424a896616b00655f2412244992a8b2bf1c126818ac3b51816c78b196435bfb5247d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\LIRBM7JP.htm

MD5 e6fff0d7f80d6e0e0fe4a3cd9762f2dc
SHA1 6ccd893fd8a1bac5bf752eb179c90338d428a356
SHA256 29683df577541b703a94e15104ccd5d4f29509c2337de952fef80ce01e57ca1e
SHA512 b2ff05227a8e2af0f320d91c10841022c32ec28b7c7aaf5ffdc38c365291302029a0c5d0e1dc2c28dd6632fd39fe4190fa553e33fbee1f79265e5d4f1033d71b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/1076-234-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-235-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\results[3].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FEHPE754\search[7].htm

MD5 2c2b7755d5278708fae4363ec71b422f
SHA1 b02f002d559c3752de891d2b2637778959b2ee33
SHA256 fc65f6bc56fb9ef616dcf04bf0d13d865b92404388a51f63f439f3976cc16274
SHA512 07a3a0793b4b6e2d2c596324609a8ce9483b5e47328fb931a794b23cad925d15f5165b45aef58a2bb683c7abaf614793d0937d9bd325c52894a3e2a1aee6eb87

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\results[4].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 6d290953927f1b3a12f3dfb6e56fe1a2
SHA1 fa1bca9b8f90e6c3990e679303a374428d089693
SHA256 f6e02acb3d26690af7f8be0fde7f677c9f22ec63b04a3c9a3f317bcb9becaec4
SHA512 041d03b52fff107bfba4588676e3d041de30a473f91ffc7abcd4864b3e088dc9a3a7c4edc615d8344668d6e57240626837f91238b4083986967c9f526ffa0adb

memory/1076-409-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1232-410-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\default[1].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FEHPE754\search[5].htm

MD5 cf5c1630a4fc78f81330ccc82995ca9a
SHA1 a6956d85628bef532335dad530f5f9504986f59a
SHA256 47c6dbe6521764f77bbfd99673ee5833ce627a3bb73adc2cd8bedfcf03cef87f
SHA512 89057d935c8fab4289a8f904cb8a57e0eb20fc04cc91b2b475ed19be75dea97e573da6b7d058f7d3944725abfb3e68a00307b27eb760d8f539a44f5770d2ec58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\search[5].htm

MD5 143de66668410b1376bdfc084092ead9
SHA1 62faa0221cadb77018262a357521a794a0ac6a8f
SHA256 9606357f01948f3bd05af0d22291dcfbc51df19fab90182bcf8584b211d66579
SHA512 c59e9b6adc50a7cb25b88dbcfcae470392bd8d3da1f547ab90926a9e1972a02f71243589b1a1836156eb50175cb0f31a25f19d847c64cf61b49a07f57dea55c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\searchA3J2QXZ7.htm

MD5 6665bca008b000e01bae6bafa190fbd1
SHA1 432fe7841d298db53cb058e9dcb5b45079caf4c0
SHA256 f14c083b7b5dc2c6fcfeb6fc0122ebcb441359aa4f7014995845f36169c21a49
SHA512 334f7c91bcde59d4c3abf272a55b2aa0d196e0f3d9512d3fd147e0e18ff1e6f1ec0fa7a5bf2b81083f2d3f629211685dbc512d6f05f97db0dfe454c98a9089ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\search[5].htm

MD5 b202f2dd11cd3c2ac0ed84ca0e8d9fba
SHA1 2bd7745bc481c2cf1bf3cd3a137d15f1a8ab44f9
SHA256 c05cf2b0d7d3cea0f31871e9de3221b4e2d61f371b4a2d8a985e1ca37e681673
SHA512 32db43359b8bc2f859eddae936ff011de9c8407c21e566532b4f25894d00413e500e5f3cc7e0b533c9dcc70c11f274f594105369ce060c4b705c8b866f59bad8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FEHPE754\default[5].htm

MD5 d7c7d9a22116debe181b010d460c4449
SHA1 0ffe4c171565d8d152bba5444abcfe4c3bda1a0f
SHA256 bdb7ac94dc916af2d7784a5c147167ce13e49d12baa9b8f3cccaf33e29419a7c
SHA512 0fce80c4e1d764c4ecd93f763b43459f76909893992069225559aa43d92991e436263e43a14ecd080d0452ef0aec3c1742807f88b3d7badb6a5f78ec13a9efc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\searchF4YL24DA.htm

MD5 c918efd2fdb5b3a122fc06d0a6a43388
SHA1 91300b9c7e4abd2b4cb93f681224e91fc4bcea18
SHA256 65ca9ca9557b3f0475f3dc373e460424934063eae678b269e3a069fac4e9c865
SHA512 0a1ff3134d8e8308ebbc580e8a4cecd3ed1ccfc24e757c077405a5e23dc843a5b2564147fef9d3a93b5f07043a68a4bb8ab450dea6babcc91cffd16c0207f22b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\search96LL96CU.htm

MD5 30afd3a21202f747d06ea77fb0ecc000
SHA1 92e2dc54e0ca82f05a6c7db4afbd5017b55456e1
SHA256 c5b5896c9b386b39cf4b509e8af23c5730fa3ffaf93cc4184ac4315f2ad480c7
SHA512 b311407182863ac40d83cc0eaae67180f2a2d06a095bed3d6dd0a44745001579b7aaa7539668082a069145501435878841659876804d621bf66a324cc80c2716

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\search[9].htm

MD5 11cf547beb185aac741c42309d35e04c
SHA1 c1f84bf6681653567d75841d4dbf25b3fb370cd7
SHA256 5fe2a9a0738eeee9924f2426e5959f75835e968761826daa6bb67fcf14a15382
SHA512 6c9b05460f53a5013bf853286534841cf7bc55402fcf5c81d4ef886266b07b9ecdc2ab8b76e3ed35fd0bbc5814dda241df9fc23bc0d1e4c7ab734bca3a8d3e59