Malware Analysis Report

2025-08-05 15:50

Sample ID: 240529-lg4y1sah47
Target: 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
SHA256: 3345119363bf92bbece133c0efef720ae755b12f2d99e2d927f8346bbee6aa36
Tags: persistence, upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 3345119363bf92bbece133c0efef720ae755b12f2d99e2d927f8346bbee6aa36

Threat Level: Shows suspicious behavior

The file 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, upx

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 09:31

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 09:31

Reported

2024-05-29 09:33

Platform

win7-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 172.16.1.2:1034 tcp
N/A 192.168.56.172:1034 tcp
N/A 192.168.144.131:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.8.32:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 10.136.9.81:1034 tcp
US 99.83.190.102:25 alumni.caltech.edu tcp
N/A 172.16.1.3:1034 tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
N/A 10.93.103.153:1034 tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in.g.apple.com udp
US 17.57.170.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.27.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:80 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.73:80 apps.identrust.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 mac.com udp
US 8.8.8.8:53 mx01.mail.icloud.com udp
US 17.42.251.62:25 mx01.mail.icloud.com tcp
US 8.8.8.8:53 icloud.com udp
US 8.8.8.8:53 email.apple.com udp
N/A 10.65.120.153:1034 tcp
US 8.8.8.8:53 mx-in-mdn.apple.com udp
US 17.32.222.242:25 mx-in-mdn.apple.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.251.9.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mx02.mail.icloud.com udp
US 17.42.251.62:25 mx02.mail.icloud.com tcp
US 17.57.156.30:25 mx02.mail.icloud.com tcp
US 8.8.8.8:53 mx-in-rno.apple.com udp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
N/A 10.87.149.58:1034 tcp

Files

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 0f33375ae1755d7004571c28bf6542fd
SHA1 07d78d52eff7b378610062ca71f9bcc4b98495b7
SHA256 ce5f9e370f3ad86aae6d7e4a409ddc46ef55c1100e6087e517e9aebd68846124
SHA512 d65dfcdd0ea735d951c4b229e64490af5a70b16e19488c3831b11b2a1114702347a40be46aa1a0ce5ec5a2f860b38fd6e2f84cfd16d26d2fdb8e317913adb59e

C:\Users\Admin\AppData\Local\Temp\tmpFDFE.tmp

MD5 a8acf0d32494facc09b845f90c9474db
SHA1 a3d19ea033ca2b149b43eff86a8a6da826d1c868
SHA256 f7da55919bc4307ce14a0c05684a2b0c0666ed70f2dc7085a5d1edeccef588bd
SHA512 57be0f0139c81bb86bab9f851ac1f646925999714286175770c3dde4ebab0fd94874c9bc3ad0e651737514a18b747edde16e35142f31e064e6104e8766fa4991

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 bbd324a7a02928c21232bb7e3749d9a2
SHA1 3d502ac87b124425ad2639475197fbfbdd5b1145
SHA256 2d1798c67dd427d39862bdbefd0691172f488c6d33b4aea2d4951684578bd458
SHA512 8f806f33ffd85ebccb4d69523c25bb38bd6c859c72a92193ea24dcfcc020782dec9ee8da4020926970db95deb76c3033b1ed6cd45ddb8fc68be65d0a0c7d2a99

C:\Users\Admin\AppData\Local\Temp\CabFBA7.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\CabFC16.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFC2A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6799ae74e91c393e93d3d0fc7357df8f
SHA1 297be5526083cc5b4a87281e86c92fca44ee1569
SHA256 5a0be646fc09edb4b843039e79681c19f56c7ea18c76206b6160177e05743e84
SHA512 0ca07860f10344db51b4f6064b65c368fc15df6e974c23f95954545520acdbeca52579861c2505dfe76331a455ec7c643886d87685ed1c5175e8cf0f8afd034f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e36488b2f31c8e2849b527b6f3ff702a
SHA1 3f5b4e91274a35e55b8bbcb5c338a8373dc3d15b
SHA256 8717edeff3d2ff4e36652bd42f26ada95cb4e45a3843e49ea15d2dcda7cd45f4
SHA512 a695001ad9cf50bb8d44d1f2aa6cfba4323cea410f19d0f522908c79e5c497f40f0595834bb1dac90a748408687199c77d8f656748261f4d8be04c0824b854cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d8178f00e1745ecc29bbb06947b7163
SHA1 7f6d13e4d9fb427922cb65006494c2cdee221ea2
SHA256 0d55f605f5c6d79f17c7a1267f762167858dd078721dad673f2daeabf87e8bf5
SHA512 c776565be5a6af14a16c20de86fe45e28afb7a51dfa320d33e61d360a8aadad0c73544246376be0e07632174ad6b2de8e1068648c3bb38c6b924b24caf6b0571

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d349dbc531cfbc18bd308290d9fc7437
SHA1 74923389470b2bc7c9b2c57ca65323af428bf587
SHA256 33fdfe924c9800bcecf08b88a06e677ccf8692ce48d370113441bda004f3f1b9
SHA512 2d33a424688744ff91705dafa1b822e7cea328ac6e2de7f59ed3d62823b5997d8c3e64e9a910f55541eea1f4ce7ca23f2dce9f00d1e59534db5b1ee724315008

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f30a39bb61a03fc9b902a9ffcef2227
SHA1 ae659fbfb9132c2a4755abb82a8658499276a071
SHA256 db631b47989145fc9837e9f09c8eb21bfe0d13c49cd1d43f31929110131e22d2
SHA512 f96c3cf2c2669f2c2504f6a28bf3e4d29a57713fc15c0c3a4beab29f64173baf05c16b6e9c1cd15d98876dc3ee03faa122a36f361141172c6c221aa593a8374d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e4f1029abb1a02c4ace458ade4c8236
SHA1 5f1f9e5fd4771b086809635d5a200d621e16b19c
SHA256 96593c4e2a03a9dd28438530267338d96493e4d064eb96a7fd2fb68c3631f4ba
SHA512 3c8b60cebe5660802f360c655be1f507aa2c13ac3452eb3f6621cc6f10881fa9cb1cf09ec47a91e03e126d8bcf7799fecff69211d844183825ac2ff2eb83847f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c8ac5c6aaf266322e81a11aa21f29922
SHA1 9a6cc178d61660e9a64a05aa6dc778374e452b62
SHA256 51dbc6fdb4d7a41b8e5c4487789782a1d82d8e82e04b76a021fbe70c22e64396
SHA512 f316daf1a6d2dc9fd113dc466ca6038caa399219b522b5f4713f8bc95e8f9594d21d635d8507f6bdb13468769760faf76cde3a388689125a200d7d4987b74329

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 478aa449e725687aef58dc3988267769
SHA1 d62125cd9b332790feca4a15d842191ded81d222
SHA256 8d3817dd4e36d73ad3f5d69efc3a38fa55c6162dac9abea0fe991e4fd8b8ae87
SHA512 7b065cc3d9468d84403feba51a3abe2caf3c306988ed6dfae50716ab38547271102e2a879c60a20ca02f3cd4c45f8b59ad4596ee7d3d81389dd8203a1796e8ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76ca4cbae01a9366d17b9cfd1cf29d97
SHA1 355c4554dded7946497d330e30716415fd1fceb4
SHA256 bfccd1943eee70f40dbbed3fda2ba8061a15ff9df3180cd389a6061f17c32481
SHA512 df19dec9fcd94c5466f7fa4c1e53b35bde1c4589a7784eebfb905e9dcccc911514bfc3f5eb66aa63b0168c7a736264282ddbef39e0f11cb336cf9580daf8ba62

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G17BROQF\OO74KZTI.htm

MD5 eb69ff230488e469c0c6b053ec32d99e
SHA1 6695a21bfa2fa6c77f8b8be9fcf2b232c3b7eaf7
SHA256 0ee707827b591a96ac89a48948057bb07d662130b01195a510a1aa0044075622
SHA512 0aa2824ca0be364112b3650d9d25c08090e694555e42c810a2d76ed31a99b753577bc222e1f9d1f93bbd9c12fa600fa94ce5a191aa79044ac960752dbfd3b8f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G17BROQF\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\search[4].htm

MD5 099fbf737924870293eeec6650f883d3
SHA1 0515a36431f49677e4eb54813e28b5d7419a4c4e
SHA256 a30100d69cce556fd8b71eca23aab63c4ab71b951690c03123cdf54e0afef0ab
SHA512 1987a7d9658a16ba94fbcee889a618823f9a8ef6db79c8b541b35861abb583bb9f0b13540555306921643a96a1aceb1f4f664e51f19db1ced969ae7d20648576

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1c52c24fc2068ed927f8a731017e5e8
SHA1 87167dbe40bce56b3f4feee7644b3de83cbe0d48
SHA256 a0eaaad022854a25bf16b96dae14b54b58d39c4554e39577df9aae3f1c46c7f8
SHA512 4f0b4cea8f23b3b4767cb63e42d2d507c42cefe47fff2391f066f2056c1eb2ece400bbd4a02d6b2c323f5cab18540980613e99a7f861cd81d3973203282b9f70

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 8ce931abaaefde84992f60eb5e97d8e3
SHA1 ad721b44a3da12f42bcabd7a2687cab1d4076e17
SHA256 0f8d7844cbb3ad967a517da2be7dba407e017d56c12abdf9142275648a1a1468
SHA512 702612e81b2826f7b69ade009e699247d2c9daf4fb72d5682aa560f33aef1813658b3cf5794bda3ab54679b0f25988a793d5bb4499fbe232d5189f16581ef98e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\search[6].htm

MD5 756ce355ea30476122f822ec667e0f7e
SHA1 a12491f5827dd632e31634dd0601acafb8c0109e
SHA256 12c1ef40432860b12ce3ecb14a1871017e4cd28fba7de6d81cfd21e5515d9b17
SHA512 3890ef2455e2cf1824dedf94cc4c15be72d775c5433bfdf58ff81b5280ce76f5c7a1ce84b9ddfe02593be364bfca429a277ebb1eed5820abe8a5c6a4add6e122

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b4b10135e4fd4459f88daeeff47b2ce
SHA1 0d2a740a708a811a69e2001a82fbec69c2dee832
SHA256 3e91f20d37c0cb54473ebb4fffad9716dcb5b818c047d759828d60afd698bab3
SHA512 654d2b8ef3b168adaed015d53edd13f94ca62231f4d40d17107ed906ca9a9fcdb7cb9ce0d0904b32b0a1fe91683fac6b01b93870da54e5633186c57f8f9206f1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 09:31

Reported

2024-05-29 09:33

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 172.16.1.2:1034 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 192.168.56.172:1034 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 192.168.144.131:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 mail.mailroute.net udp
NL 142.250.27.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.11.10:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 10.136.9.81:1034 tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:80 www.google.com tcp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
FR 172.217.20.196:80 www.google.com tcp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
FR 172.217.20.196:443 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.251.9.26:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 85.187.148.2:25 gzip.org tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
N/A 172.16.1.3:1034 N/A tcp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 mx.acm.org udp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 8.8.8.8:53 smtp.acm.org udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
NL 52.101.73.10:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.10.6:25 alumni-caltech-edu.mail.protection.outlook.com tcp
N/A 10.93.103.153:1034 N/A tcp
US 8.8.8.8:53 pku.edu udp
US 8.8.8.8:53 pku.edu udp
US 8.8.8.8:53 substack.net udp
US 8.8.8.8:53 substack.net udp
US 8.8.8.8:53 substack.net udp
US 8.8.8.8:53 substack.net udp
US 198.51.233.1:25 substack.net tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 8.8.8.8:53 outlook.com udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
US 52.96.111.82:25 outlook.com tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
N/A 10.65.120.153:1034 N/A tcp
US 8.8.8.8:53 mx.substack.net udp
US 8.8.8.8:53 mail.substack.net udp
US 8.8.8.8:53 smtp.substack.net udp
US 8.8.8.8:53 fit.vutbr.cz udp
US 8.8.8.8:53 eva.fit.vutbr.cz udp
CZ 147.229.176.14:25 eva.fit.vutbr.cz tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 mx.cs.stanford.edu udp
US 8.8.8.8:53 mail.cs.stanford.edu udp
FI 142.250.150.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 tweakoz.com udp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 8.8.8.8:53 tweakoz.com udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 tweakoz.com udp
US 8.8.8.8:53 smtp.burtleburtle.net udp
US 8.8.8.8:53 mx.outlook.com udp
US 8.8.8.8:53 suburbia.net udp
US 8.8.8.8:53 mail.outlook.com udp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.outlook.com udp
US 8.8.8.8:53 suburbia.com.au udp
US 65.254.250.102:25 smtp.burtleburtle.net tcp
GB 40.99.148.226:25 smtp.outlook.com tcp
AU 13.55.253.241:25 suburbia.com.au tcp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 u.washington.edu udp
US 8.8.8.8:53 mxa-00641c01.gslb.pphosted.com udp
N/A 10.87.149.58:1034 N/A tcp
US 205.220.165.146:25 mxa-00641c01.gslb.pphosted.com tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
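The Network table above has a recognisable shape: a DNS lookup for a bare domain (acm.org, burtleburtle.net, cs.stanford.edu), then lookups for the same domain with mx., mail. and smtp. prefixes, then TCP connections to port 25 of whatever resolved, interleaved with HTTP/HTTPS requests to search engines (altavista, google, yahoo, lycos) and TCP/1034 connections to RFC 1918 addresses. The script below is an added analyst example, not part of the sandbox report or the sandbox's own tooling: it parses rows in the report's "Country Destination Domain Proto" layout (the embedded rows are a subset copied from the table above) and pulls those indicators out. The prefix list, the search-engine list and the verdict thresholds are assumptions of the script, not values the report states.

```python
"""Triage the sandbox 'Network' table for a mass-mailing pattern.

Added analyst script, not part of the sandbox report. It consumes rows in the
report's 'Country Destination Domain Proto' layout. SAMPLE_ROWS is a subset of
rows copied from the report; MAIL_PREFIXES, SEARCH_ENGINES and the verdict
thresholds are this script's own assumptions.
"""
import ipaddress
from collections import defaultdict

# Hostname prefixes a mass-mailer tries when it has no MX for a harvested
# domain (assumption: chosen from the lookups seen in the report).
MAIL_PREFIXES = ("mx.", "mail.", "smtp.")
# Search engines contacted in the report (assumption: used to harvest addresses).
SEARCH_ENGINES = {"www.altavista.com", "www.google.com",
                  "search.yahoo.com", "search.lycos.com"}

# Subset of rows copied from the report's Network table. Rows without a
# Domain cell appear in both the 3-field and the 4-field (N/A) form.
SAMPLE_ROWS = """\
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.27.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 8.8.8.8:53 smtp.burtleburtle.net udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
N/A 172.16.1.2:1034 N/A tcp
N/A 192.168.56.172:1034 tcp
N/A 10.136.9.81:1034 N/A tcp
"""


def parse_rows(text):
    """Turn 'Country ip:port [Domain] proto' rows into event dicts."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        country, dest, proto = fields[0], fields[1], fields[-1]
        domain = fields[2] if len(fields) == 4 and fields[2] != "N/A" else None
        ip, _, port = dest.rpartition(":")
        events.append({"country": country, "ip": ip, "port": int(port),
                       "domain": domain, "proto": proto.lower()})
    return events


def dns_names(events):
    """Names queried over UDP/53."""
    return [e["domain"] for e in events
            if e["proto"] == "udp" and e["port"] == 53 and e["domain"]]


def mx_guess_domains(events):
    """Base domains for which two or more mx./mail./smtp. names were queried."""
    guesses = defaultdict(set)
    for name in dns_names(events):
        for prefix in MAIL_PREFIXES:
            if name.startswith(prefix):
                guesses[name[len(prefix):]].add(prefix.rstrip("."))
    return {base: sorted(p) for base, p in guesses.items() if len(p) >= 2}


def smtp_peers(events):
    """Distinct IPs contacted on TCP/25."""
    return sorted({e["ip"] for e in events
                   if e["proto"] == "tcp" and e["port"] == 25})


def search_engine_hits(events):
    """HTTP/HTTPS connections to the search engines listed above."""
    return [e for e in events if e["proto"] == "tcp"
            and e["port"] in (80, 443) and e["domain"] in SEARCH_ENGINES]


def private_peers(events):
    """TCP peers in private (RFC 1918) ranges, regardless of port."""
    return sorted({e["ip"] for e in events if e["proto"] == "tcp"
                   and ipaddress.ip_address(e["ip"]).is_private})


def triage(text):
    events = parse_rows(text)
    guessing = mx_guess_domains(events)
    peers = smtp_peers(events)
    report = {
        "dns_lookups": len(dns_names(events)),
        "smtp_peers": peers,
        "mx_guessing": guessing,
        "search_engine_hits": len(search_engine_hits(events)),
        "private_peers": private_peers(events),
    }
    # Thresholds are assumptions: several distinct port-25 peers plus the
    # mx./mail./smtp. guessing pattern is what a mass-mailer looks like.
    report["verdict"] = ("mass-mailer-like" if len(peers) >= 3 and guessing
                         else "no mass-mailing pattern")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(key, value)
```

Run against the full table the counts grow (the report lists well over a dozen distinct port-25 peers), but the three signals a responder needs for a mail-gateway block or a detection rule are already visible in the subset: outbound SMTP from a workstation, the prefix-guessing lookups, and the private-address TCP/1034 attempts, which suggest the sample also probes neighbours on the LAN.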

Files

memory/2484-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/760-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2484-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/760-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/760-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/760-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2484-30-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2484-35-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-36-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 dbc5ce915775d1d383920850d89e1e00
SHA1 e06fbff4bb14cf00eac6148bb1d29710ee1be8de
SHA256 dc4df41c2437236f85661de21a529339f98f0d9682327332f66edae30eef618d
SHA512 a7f04a736aa2a03cd3cef7a7d05827a21dc72bdea66e705eb7ee5218ab874ea2acc6c4bc3adaedac93d6e8304458a1d5eb5b1ee65fe8d0649f1cf526b7ff4f2d

C:\Users\Admin\AppData\Local\Temp\tmp1980.tmp

MD5 291470cc4cd223bef0cb6c2f5553a8c6
SHA1 6ba651eff180675070c3a83bd066670b43757b89
SHA256 640f9b2df60ebf22676eb97668ef8e7c96d076e7f192bbbff13808b993ce69af
SHA512 e485e487a52577cc3ba52d43e1a44025390006552a399a013b2631c0885425ed8e9ec10e3243efd2059631af4d9fc2684b05ac9aaa1b4715a74682c3f9440d9e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMMYN4JX\K7O9HLV8.htm

MD5 bcda4e3e293d83cea312db334cfa9174
SHA1 782e61433901e91d7cb2ff4546b1d78f21d9ca37
SHA256 b8a07bd6d62df728a63335cfcdc35cef4420ad8132469a479a61bbd6c20d9f25
SHA512 e0a13347b4acdd6ea529603359315b415431151b2fc68f27404a510b3808d1187ca672cd6985e9d0758d78a892a925b952ef35d7fb951ef45f22aa3e665e35e7

memory/760-159-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2484-158-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2484-162-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-163-0x0000000000400000-0x0000000000408000-memory.dmp

memory/760-168-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2484-169-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-170-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 61e2ca064b9c54f929bf4bf989b2cd9f
SHA1 f18e6bf0ccd12c10d24f9708467ea9736a8e238a
SHA256 ffe9c8709ad5a8bad17bcf3bf43d755ea1f7473ef5d1bf59f2321f94e2fd5de0
SHA512 9d5c9541043b3592024fa0af21b06498c454c1d78d6c8da7e7137e9b6a6ff24eec32591e2667872f3261dde875efc29bfc634c79831bf01ecd480a1b6dbe088b

memory/2484-207-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-208-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2484-211-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-212-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 09583a8678ab2cbb67f12cf7bd0f37b4
SHA1 7d714a44671d448fd9ac66a3e953a1a66cab876a
SHA256 49cca8265a5e347ad99216325e3d8058cb15012b0b54af32e7a9455219cd44c3
SHA512 3cf182a681c6b0c00eb0874510c7a19e3cbce3ee3a8b0ef391e09ea7d79820783a038ab6e1fd92ecb1f54280057a5acb129ddcfc58e46dea4cc719068d825e90

memory/2484-219-0x0000000000500000-0x0000000000510200-memory.dmp

memory/760-220-0x0000000000400000-0x0000000000408000-memory.dmp

memory/760-224-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 6a9c43a1580a421d3386659d165fe97a
SHA1 2b82fd82294bcc1feec7138f768225334e1da8d3
SHA256 948eb9825fa7ebdc5745b841f32376f87c9976099fe47f04162ceb9ba4e60e66
SHA512 cb0b10719390565608be12eca9401017d3b644cb690d8a8b8680fc2a6ad3edc1bc4b603b743573b21bd53243147b2fa1eefa39b40811ca97e1265ce099ed5fd0
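Three things in the Files section are worth pulling out mechanically. The first zincite.log entry carries the digests of a zero-byte file (MD5 d41d8cd9..., SHA256 e3b0c442...), and the same path then appears four more times with different hashes, so the file is created empty and rewritten repeatedly during the run. The dropped services.exe sits in C:\Windows, not in C:\Windows\System32 where the real Service Control Manager binary lives, and the process list above shows it being executed. The memory dump names encode the process and region they came from. The script below is an added analyst example, not part of the sandbox report or the sandbox's own tooling; the path and MD5 pairs and the dump names are copied from the report (SHA1/SHA256/SHA512 omitted for brevity). The list of System32-resident binary names and the reading of the dump name as memory/<pid>-<seq>-<start>-<end>-memory.dmp are assumptions of the script.

```python
"""Audit the sandbox 'Files' section: empty files, rewrites, masquerading, memory regions.

Added analyst script, not part of the sandbox report. DROPPED and MEMORY_DUMPS
are copied from the report (MD5 only). SYSTEM32_NAMES and the dump-name layout
memory/<pid>-<seq>-<start>-<end>-memory.dmp are this script's assumptions.
"""
import hashlib
import re
from collections import defaultdict

# (path, md5) entries copied from the report, in report order.
DROPPED = [
    ("C:\\Windows\\services.exe", "b0fe74719b1b647e2056641931907f4a"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\zincite.log", "d41d8cd98f00b204e9800998ecf8427e"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\zincite.log", "dbc5ce915775d1d383920850d89e1e00"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1980.tmp", "291470cc4cd223bef0cb6c2f5553a8c6"),
    ("C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\CMMYN4JX\\K7O9HLV8.htm",
     "bcda4e3e293d83cea312db334cfa9174"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\zincite.log", "61e2ca064b9c54f929bf4bf989b2cd9f"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\zincite.log", "09583a8678ab2cbb67f12cf7bd0f37b4"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\zincite.log", "6a9c43a1580a421d3386659d165fe97a"),
]

# Dump names copied from the report (a subset; the rest repeat these regions).
MEMORY_DUMPS = [
    "memory/2484-0-0x0000000000500000-0x0000000000510200-memory.dmp",
    "memory/760-6-0x0000000000400000-0x0000000000408000-memory.dmp",
    "memory/2484-13-0x0000000000500000-0x0000000000510200-memory.dmp",
    "memory/760-14-0x0000000000400000-0x0000000000408000-memory.dmp",
]

# Binaries that live in System32 on a stock install (assumption: short list).
SYSTEM32_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                  "winlogon.exe", "smss.exe"}
SYSTEM32_DIR = "c:\\windows\\system32"

# Digest of zero bytes, computed rather than hard-coded.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def empty_files(entries):
    """Paths recorded with the digest of an empty file (created, not yet written)."""
    return [p for p, md5 in entries if md5 == EMPTY_MD5]


def masquerading_paths(entries):
    """System-binary names written anywhere other than System32."""
    hits = []
    for path, _ in entries:
        directory, name = split_path(path)
        if name in SYSTEM32_NAMES and directory != SYSTEM32_DIR:
            hits.append(path)
    return hits


def rewrite_counts(entries):
    """Distinct contents seen per path; more than one means the file was rewritten."""
    versions = defaultdict(set)
    for path, md5 in entries:
        versions[path].add(md5)
    return {p: len(v) for p, v in versions.items()}


def memory_regions(names):
    """pid -> {(start, end, size)} for each distinct dumped region."""
    regions = defaultdict(set)
    for n in names:
        m = DUMP_RE.fullmatch(n)
        if not m:
            continue
        pid, _, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        regions[int(pid)].add((start, end, end - start))
    return dict(regions)


def audit(entries=DROPPED, dumps=MEMORY_DUMPS):
    return {
        "empty": empty_files(entries),
        "masquerade": masquerading_paths(entries),
        "rewrites": {p: n for p, n in rewrite_counts(entries).items() if n > 1},
        "regions": memory_regions(dumps),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

The two dumped regions are small (0x8000 bytes at 0x400000 for PID 760, 0x10200 bytes at 0x500000 for PID 2484), which is what one expects from a UPX-packed image once it has unpacked in place; those dumps, not the file on disk, are the ones to load into a disassembler. A hunting query for the masquerade is simply any process image named services.exe whose path is not C:\Windows\System32\services.exe.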