Malware Analysis Report

2024-07-28 08:34

Sample ID 240607-qrty1sgh2t
Target b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe
SHA256 edc5607b5de7d720ca4cdbd33523aba50953f466d1b850a8d40dd8cf922ef5fc
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Analysis Overview

score
10/10

SHA256

edc5607b5de7d720ca4cdbd33523aba50953f466d1b850a8d40dd8cf922ef5fc

Threat Level: Known bad

The file b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-07 13:30

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 13:30

Reported

2024-06-07 13:32

Platform

win7-20240221-en

Max time kernel

130s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 13:30

Reported

2024-06-07 13:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b65adc99432eeced45230f730d600db0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Files
