Malware Analysis Report

2024-07-28 08:34

Sample ID 240606-xavbsabb62
Target ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe
SHA256 9d66d64b71af859c9baa636b2dee2a06b334ff09674c7b128ef9f988500deb46
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d66d64b71af859c9baa636b2dee2a06b334ff09674c7b128ef9f988500deb46

Threat Level: Known bad

The file ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-06 18:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 18:39

Reported

2024-06-06 18:42

Platform

win7-20240215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx

UPX is a freely available packer, so on its own this hit shows that the sample is packed, not that it is malicious; what it does mean is that the strings and imports visible statically belong to the UPX stub, and the real ones appear only after unpacking (upx -d on a copy, or a dump of the unpacked image from memory). The dropped C:\Windows\services.exe has different digests from the sample, so it needs to be unpacked and examined on its own.
Description Indicator Process Target
N/A N/A N/A N/A (16 hits recorded, none with a description, indicator, process or target)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto (rows with no resolved hostname omit the Domain column)
N/A 192.168.2.102:1034 tcp
N/A 192.168.2.11:1034 tcp
N/A 192.168.2.14:1034 tcp
N/A 192.168.2.9:1034 tcp
N/A 192.168.2.18:1034 tcp
N/A 192.168.2.17:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.8.32:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.10:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.17:1034 tcp

Files

memory/2028-0-0x0000000000500000-0x0000000000511000-memory.dmp

memory/1804-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2028-10-0x00000000001C0000-0x00000000001C8000-memory.dmp

memory/2028-9-0x00000000001C0000-0x00000000001C8000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1804-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2028-22-0x00000000001C0000-0x00000000001C8000-memory.dmp

memory/2028-23-0x00000000001C0000-0x00000000001C8000-memory.dmp

memory/1804-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-45-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-46-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-50-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d11ac60533beaf28ca407d99362c45a8
SHA1 38b024ea02021cded4f30f0c2cba06b182679e96
SHA256 42e4d508ae6511eb9708366f2a87a3221090eacb57e5ddac1bfd464c5224d266
SHA512 88fe7e90e427689d4a304b44077dfca25532b98111dfe5b02cf576658c65f86725012b513184b3e06783b8f198e519fc3031028b46ba08e9f597156861ee3cf4

C:\Users\Admin\AppData\Local\Temp\tmpDB32.tmp

MD5 97eba4152afe846b7430f0b55046b2ee
SHA1 25a93dada5edb76b6ddb3f505e95be1b7a2dcec2
SHA256 eef0cc5565c8daded5cb50992a7c93b9defad8235b47f1f2c0fb6ba3f847e5de
SHA512 97f608f6d1d4c4b22f81877e4af1a183aad7e1d3652df6bda6ce62b1be85601ee5f2405b86f9d6bade9f0a25c4b951d7b7d561071c72850d308d35d2a160f44f

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 8bd2d60efc04a94eff1215fae877befe
SHA1 a40f9cf3bf282c91d10999682148c3c6ff6456c9
SHA256 787aff6894ea961417ef15f947e09dab57c74fc122e00362e1c4ea9ba165ebf5
SHA512 10b5ba7197442a7704d1d7631c8ba47b6c68d3a4f3317b28f065907dd3c6450dacb4271403585c5838887290e6cddb9f59360a0411a4f7505b10ede99a053f43

memory/1804-71-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-72-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1804-75-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 18:39

Reported

2024-06-06 18:42

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

No indicator rows or dropped files are attached to this signature. The only Outlook-adjacent evidence listed for this run is the DNS and port-25 traffic to outlook.com mail exchangers in the Network table and the cached .htm pages under INetCache in the Files section, so verify the hit against those artifacts before treating the sample as a credential-phishing kit.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (16 hits recorded, none with a description, indicator, process or target)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe N/A
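The two Run values and the three file events above (the win7 run records the same entries, differing only in the casing of Wow6432Node) are worth turning into a repeatable check rather than an eyeball verdict. The following Python is an added example, not part of the sandbox report or its tooling: it parses the indicator strings exactly as the report prints them, normalises \REGISTRY\MACHINE to HKLM, and applies three rules an analyst would apply by hand: the autorun target sits directly in C:\Windows, its file name is that of a System32 binary (the real services.exe is %SystemRoot%\System32\services.exe), or it is a file the sample itself dropped during the run. The Wow6432Node segment is the WOW64 registry redirection view, which means the writer was a 32-bit process; the example reports that as an observation rather than a suspicion. The short System32 allowlist and the rule wording are this example's own assumptions.

```python
"""Triage of the 'Adds Run key' and 'Drops file in Windows directory' rows.

Added example, not part of the sandbox output. The indicator strings are
copied from the report; the System32 allowlist and the rule wording are
this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Indicator column of the two "Set value (str)" rows, verbatim.
RUN_KEY_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"',
]

# Paths from the "Drops file in Windows directory" rows.
DROPPED_FILES = {r"C:\Windows\services.exe", r"C:\Windows\java.exe"}

# Binaries that belong in %SystemRoot%\System32; a same-named file elsewhere
# is a masquerade. Assumption: a short hand-picked list, not a full inventory.
SYSTEM32_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Native key prefixes as the sandbox logs them -> usual hive abbreviations.
HIVE_ALIASES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# KEY\Name = "data"; the value name carries no backslash, the data is quoted.
_SET_VALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+) = "(?P<data>.*)"$')


@dataclass(frozen=True)
class RunEntry:
    key: str    # e.g. HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    name: str   # value name, e.g. JavaVM
    data: str   # value data with the logged double backslashes collapsed


def parse_run_indicator(line):
    """Turn one 'Set value (str)' indicator string into a RunEntry."""
    m = _SET_VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Set value indicator: {line!r}")
    key = m.group("key")
    for native, alias in HIVE_ALIASES.items():
        if key.upper().startswith(native.upper()):
            key = alias + key[len(native):]
            break
    data = m.group("data").replace("\\\\", "\\")
    return RunEntry(key=key, name=m.group("name"), data=data)


def is_wow64_write(entry):
    """True when the key went through WOW64 redirection, i.e. a 32-bit writer."""
    return "wow6432node" in entry.key.lower()


def assess(entry, dropped=DROPPED_FILES):
    """Return the reasons an autorun entry is suspicious ([] when none fire)."""
    parent, _, basename = entry.data.rpartition("\\")
    parent, basename = parent.lower(), basename.lower()
    reasons = []
    if parent == r"c:\windows":
        reasons.append("target sits directly in C:\\Windows, not in System32 or a program directory")
    if basename in SYSTEM32_NAMES and parent != r"c:\windows\system32":
        reasons.append(f"{basename} outside System32 masquerades as the real system binary")
    if entry.data in dropped:
        reasons.append("target is a file the sample itself dropped during the run")
    return reasons


def triage(lines, dropped=DROPPED_FILES):
    """Map 'KEY\\Name' -> (data, reasons) for every indicator line."""
    report = {}
    for line in lines:
        entry = parse_run_indicator(line)
        report[f"{entry.key}\\{entry.name}"] = (entry.data, assess(entry, dropped))
    return report


if __name__ == "__main__":
    for value, (data, reasons) in triage(RUN_KEY_INDICATORS).items():
        print(value, "->", data)
        for reason in reasons:
            print("   !", reason)
```

On a live host the same values come out of Get-ItemProperty on HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run; formatted into the same KEY\Name = "data" shape they can be fed to triage() unchanged, and the dropped-file set can be replaced with a list of recently created files under C:\Windows.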

Processes

C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ca85caebb15a4a2c1bc83d37b55c3120_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto (rows with no resolved hostname omit the Domain column)
N/A 192.168.2.102:1034 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.153:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.153:443 www.bing.com tcp
US 8.8.8.8:53 153.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 192.168.2.14:1034 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
N/A 192.168.2.9:1034 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
N/A 192.168.2.18:1034 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.102.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.1.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 search.lycos.com udp
US 52.101.42.10:25 tcp
US 65.254.254.52:25 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 85.187.148.2:25 tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 snai1mai1.com udp
US 8.8.8.8:53 snai1mai1.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 192.168.2.17:1034 tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 hachyderm.io udp
NL 142.250.102.26:25 aspmx.l.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
NL 142.251.9.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 85.187.148.2:25 tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
N/A 192.168.2.10:1034 tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
SG 74.125.200.27:25 alt3.aspmx.l.google.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 23.63.101.170:80 tcp
IE 212.82.100.137:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 mx.acm.org udp
FI 142.250.150.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 65.254.254.52:25 tcp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
NL 52.101.73.25:25 outlook-com.olc.protection.outlook.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 192.168.2.17:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
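Read as a whole, the Network tables of both runs show the same pattern: a DNS lookup for a domain followed by a TCP connection to that domain's mail exchanger on port 25 (alumni.caltech.edu, gzip.org, acm.org, cs.stanford.edu, outlook.com and the Google MX hosts), lookups for guessed mx., mail. and smtp. names, connections to several LAN peers on tcp/1034, and in the win10 run a long run of HTTP(S) requests to www.google.com, search.lycos.com, search.yahoo.com and www.altavista.com. The script below is an added example, not part of the report: it parses rows in the table's own layout, including rows without a Domain column, and reduces them to those indicators. NETWORK_ROWS is an excerpt copied from the two tables; the bing hostnames, which occur only in the win10 run, are assumed to be Windows 10 background traffic rather than sample activity, and the mx./mail./smtp. prefix list and the thresholds are the example's own assumptions.

```python
"""Reduce a sandbox Network table to the indicators an analyst checks first.

Added example, not part of the sandbox report. NETWORK_ROWS is an excerpt
copied from the two Network tables; the noise list, the mx./mail./smtp.
prefixes and the thresholds are this example's own assumptions.
"""
from collections import Counter
from ipaddress import ip_address

NETWORK_ROWS = """\
Country Destination Domain Proto
N/A 192.168.2.102:1034 tcp
N/A 192.168.2.11:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.8.32:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 udp
US 52.101.42.10:25 tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
"""

# Search engines the sample requests over HTTP(S) in the win10 run.
SEARCH_ENGINES = {"www.google.com", "search.lycos.com", "search.yahoo.com", "www.altavista.com"}
# Assumed Windows 10 background traffic (these names occur only in the win10 run).
NOISE_DOMAINS = {"g.bing.com", "www.bing.com", "tse1.mm.bing.net"}
# Names a mailer tries for a domain when no MX record comes back (assumption).
MX_GUESS_PREFIXES = ("mx.", "mail.", "smtp.")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank line
        if ":" not in dest:
            continue  # column header
        ip, _, port = dest.rpartition(":")
        conns.append({"country": None if country == "N/A" else country,
                      "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return conns


def _sorted_ips(addresses):
    """Numeric rather than lexical ordering of dotted-quad strings."""
    return [str(a) for a in sorted(map(ip_address, addresses))]


def summarise(conns):
    """Reduce the connection list to mass-mailing, harvesting and LAN indicators."""
    smtp_hosts = _sorted_ips({c["ip"] for c in conns if c["port"] == 25 and c["proto"] == "tcp"})
    mx_guesses = sorted({c["domain"] for c in conns
                         if c["port"] == 53 and c["domain"] and c["domain"].startswith(MX_GUESS_PREFIXES)})
    lan = [c for c in conns if ip_address(c["ip"]).is_private]
    lan_hosts = _sorted_ips({c["ip"] for c in lan})
    lan_ports = sorted({c["port"] for c in lan})
    harvest = sorted({c["domain"] for c in conns if c["domain"] in SEARCH_ENGINES})
    noise = sorted({c["domain"] for c in conns if c["domain"] in NOISE_DOMAINS})

    indicators = []
    if len(smtp_hosts) >= 3:
        indicators.append(f"direct SMTP to {len(smtp_hosts)} mail exchangers (mass-mailing)")
    if mx_guesses:
        indicators.append("DNS lookups for guessed mx./mail./smtp. names")
    if lan_hosts and len(lan_ports) == 1:
        indicators.append(f"{len(lan_hosts)} LAN hosts contacted on tcp/{lan_ports[0]} "
                          "(same port on every peer: a scan for listeners, purpose not recorded)")
    if harvest:
        indicators.append("web search engine queries (address harvesting)")
    return {"by_port": dict(Counter(c["port"] for c in conns)), "smtp_hosts": smtp_hosts,
            "mx_guesses": mx_guesses, "lan_hosts": lan_hosts, "lan_ports": lan_ports,
            "harvest": harvest, "noise": noise, "indicators": indicators}


if __name__ == "__main__":
    for key, value in summarise(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the full win10 table the summary is dominated by the search-engine rows; the by_port counts are the quickest way to see that, and the smtp_hosts list is the set of external mail exchangers that would have received messages had the sandbox not been the sender.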

Files

memory/4420-0-0x0000000000500000-0x0000000000511000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1152-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1152-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-39-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 6a64761dc27b20e5d9137c558163e022
SHA1 70e6c36b68cc9335a345a7cb153b3c53b9accc24
SHA256 d86ee457390db7ebec5a9fd15563d6f0adde45d9b292911419920ff0a61e5d05
SHA512 6cd5c474ce81314a931ca3f4ede2e73764fffab9df1cf5f29a5653b57bfd28cd4dd764493c8e42b462673f9bc5bbb3308d54629eef02f7384d61e3852321309e

C:\Users\Admin\AppData\Local\Temp\tmpCD22.tmp

MD5 8a6825c3c49ebdb1438a190e7f53e86c
SHA1 4c03582009477ffd0e1008d035e87804196a8423
SHA256 3301a4144c89c3f64022fc6678dc6085223f3bd9b98dec0fd5ddfcfccd5f141c
SHA512 c1ebe000edd2e9ce4e35a823a5b6d219e06c13aff7a3615c880c8018d44436c72b2ca7420831d2d24d1513e45b76926db3ccb1faa1634f710e5a7d481915cf0a

memory/1152-94-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\search[4].htm

MD5 7673c6133f0cff10b56e8cb5cf0a96b3
SHA1 6592cbec13787918eb2163367e58c867237e1367
SHA256 ae2bd876b8c14e2c0ae1366b567ad222635fdd8984749a45ca4e9ab070539ed6
SHA512 0d9a63a2222ff747ed1c92dfbffbe51cb5fcfd2fd4dc3ed8ae0fd702301d1b61b864c6bb34158461a91500dfafed4393c1e913c721c0264b52456f76890621da

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\search[1].htm

MD5 158f9bca1e64056afc21a8d4f80e34e7
SHA1 ace60a4361021d2383d14eb0b5d1bab5b74c3cb2
SHA256 cc30d2e56284e97c793ad13f8522b9b4e6caca890e8213502c3c110e38c5a642
SHA512 3eb64f0fcfa24e2d5cd55cd8eabc8c222d88126c2907032d99c55636744f6b74b91c2a57d15ee156a095aa168651bcae413df5fb058bad0673a8b6c4d048c7a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\5HEZTM3S.htm

MD5 46aacf50d4fed29eefb50b0c4ddd8d09
SHA1 076b3cf1f86cff1d59656275729af392a88ba9c1
SHA256 7b98cec5472188544b78762c772b26efd03f0f6a4ac5934cf5cbb048d8419bd7
SHA512 6cbd3b1ff34c2ef1b216060d9e333dc5bd675edeb0d3e24c6056d33e1bbb26720541a6f47298d1944241163255355a78eeb54af1bac804a65f1fd33be5fbc6a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0RV7W6KN\search[1].htm

MD5 d48c2a95f2bb58162726b10626ca77c7
SHA1 d19402ca18181798356da56e78e6510ddbd4ced8
SHA256 ea40f5e2825dd606ba176d198668dacc98d284e00c830760b6f82821cbb7e3c1
SHA512 2ff41c20a1092255d5850e331d138984e7c0c3ad03f19f0a8ec0829d97cd4240e1faa0ee4559b529356df5cb8fc44683f0deefdda63974403d2b2e8cc209d18e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e18f8008575f8451380ed8ce5950225c
SHA1 37937469fa2ba489afbc59a07ec1f4c149c25608
SHA256 87977823063ae36b9225e8c9a41dfad4d435a91effdf8f5fef5a39f4d96c073f
SHA512 cb2049b9a4fde0e053f0d163878bc7db890040b3deb989e5f5b49ba29914b8b72c567f070540421c2b0883a35d46d41478bbc86b4bc8236f0ed100c6e17a4ddb

memory/1152-246-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-265-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-266-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-270-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e888885f55e26a5a551f85bf3f648921
SHA1 e8ce82ecdb69c0158098887f3e054678401cc929
SHA256 750e317aaab2b775b367addcdae1ab4be0e0a6edd5aa7a95e651ba69d8b86f49
SHA512 16306ee1b822a9ac519a532f9fe005046f02a176d96e3bc6a2b1ecbc2c48cc1f4a0af1e2d1c8a129407d63d8d180e2e128767cfdfe81182a8a4c59296577d782

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\default[1].htm

MD5 bcff225d207b6681a01ce639f790b613
SHA1 529dbb5ff6798cabb783b8c10c3e689e2021c521
SHA256 42c0f0033e6d1faa7c7d0a3e9caa3164267aec10d9d6066c1bf52b94c3691303
SHA512 c0bdb69112b649b4160a80cdd56c6105ad0d834ef2278bb53eddc7157ec0f811e36621f76c247bba6b25c9e855b0a51035025378a18b9c9fd1c672ddde7d688d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGYR01BB\results[1].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6
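The file hashes in both runs carry two facts that are easy to miss when reading the tables by eye: the first zincite.log snapshot has the digests of a zero-byte file (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442...), so the log is created empty and written to afterwards, and C:\Windows\services.exe has the same digests in both detonations but not the sample's own SHA256, so the dropper writes a deterministic payload that is not a byte-for-byte copy of itself. The following Python is an added example, not part of the report: it parses entries in the Files sections' own layout, rejects truncated or malformed digests, computes the empty-file digests with hashlib rather than hard-coding them, and groups repeated paths so that files that change during a run and files that are identical across runs fall out automatically. FILES_EXCERPT is copied from the tables above.

```python
"""Cross-check the Files sections of a sandbox report.

Added example, not part of the sandbox output. FILES_EXCERPT is copied from
the report's Files sections; nothing else is assumed beyond the layout
'path' followed by 'ALG hexdigest' lines.
"""
import hashlib
import re

SAMPLE_SHA256 = "9d66d64b71af859c9baa636b2dee2a06b334ff09674c7b128ef9f988500deb46"

FILES_EXCERPT = r"""
memory/2028-0-0x0000000000500000-0x0000000000511000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d11ac60533beaf28ca407d99362c45a8
SHA1 38b024ea02021cded4f30f0c2cba06b182679e96
SHA256 42e4d508ae6511eb9708366f2a87a3221090eacb57e5ddac1bfd464c5224d266
SHA512 88fe7e90e427689d4a304b44077dfca25532b98111dfe5b02cf576658c65f86725012b513184b3e06783b8f198e519fc3031028b46ba08e9f597156861ee3cf4

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
"""

# Expected hex length per algorithm; a shorter value is a copy/paste truncation.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes, computed rather than remembered.
EMPTY_DIGESTS = {alg: getattr(hashlib, alg.lower())(b"").hexdigest() for alg in DIGEST_LEN}


def parse_files(text):
    """Return [(path, {alg: hexdigest})]; memory dumps carry an empty dict."""
    entries = []
    current = None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        alg, _, hexdigest = line.partition(" ")
        if alg in DIGEST_LEN and current is not None:
            if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[alg], hexdigest):
                raise ValueError(f"{current[0]}: malformed {alg} digest {hexdigest!r}")
            current[1][alg] = hexdigest
        else:
            current = (line, {})
            entries.append(current)
    return entries


def is_empty_file(digests):
    """True when every recorded digest is the digest of zero bytes."""
    return bool(digests) and all(digests[alg] == EMPTY_DIGESTS[alg] for alg in digests)


def dropped_copies_of(entries, sha256):
    """Paths whose recorded SHA256 equals the given one (byte-identical copies)."""
    return sorted({path for path, d in entries if d.get("SHA256") == sha256})


def summarise_files(entries):
    """Group repeated paths: empty snapshots, files that changed, stable repeats."""
    by_path = {}
    for path, digests in entries:
        if digests:
            by_path.setdefault(path, []).append(digests.get("SHA256"))
    return {
        "empty_snapshots": sorted({p for p, d in entries if is_empty_file(d)}),
        "changing": sorted(p for p, v in by_path.items() if len(set(v)) > 1),
        "stable_repeats": sorted(p for p, v in by_path.items() if len(v) > 1 and len(set(v)) == 1),
        "self_copies": dropped_copies_of(entries, SAMPLE_SHA256),
    }


if __name__ == "__main__":
    for key, value in summarise_files(parse_files(FILES_EXCERPT)).items():
        print(f"{key}: {value}")
```

The same parser takes the full Files sections of both runs as one string; the cached search[n].htm and results[1].htm pages then show up as single-snapshot entries, and the repeated zincite.log rows collapse into one "changing" path with four distinct digests.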