Malware Analysis Report

2024-07-28 06:55

Sample ID 240614-fdravszarm
Target a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe
SHA256 c0fe535434d35fe6f46103a6a2e76686badfcb74f15b58d27c65689939859a91
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0fe535434d35fe6f46103a6a2e76686badfcb74f15b58d27c65689939859a91

Threat Level: Known bad

The file a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:45

Reported

2024-06-14 04:48

Platform

win7-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe C:\Windows\services.exe
PID 1548 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe C:\Windows\services.exe
PID 1548 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe C:\Windows\services.exe
PID 1548 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe C:\Windows\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
N/A 172.16.1.182:1034 tcp
N/A 172.16.1.166:1034 tcp
N/A 192.168.2.10:1034 tcp
N/A 192.168.2.10:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
N/A 192.168.2.18:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
N/A 192.168.2.17:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 gzip.org udp
N/A 192.168.2.108:1034 tcp

Files

memory/1548-2-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1604-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1548-10-0x0000000000220000-0x0000000000228000-memory.dmp

memory/1548-9-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1548-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1604-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1604-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1548-24-0x0000000000220000-0x0000000000228000-memory.dmp

memory/1548-25-0x0000000000220000-0x0000000000228000-memory.dmp

memory/1604-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1604-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1604-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1604-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1604-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1604-49-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1548-53-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1604-54-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1548-55-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1604-56-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1548-60-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1604-61-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1548-65-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1604-66-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1548-67-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1604-68-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1604-73-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:45

Reported

2024-06-14 04:48

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe C:\Windows\services.exe
PID 4000 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe C:\Windows\services.exe
PID 4000 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe C:\Windows\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a3141a8eccd1beeb1a5d9ad0f1aef340_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
N/A 172.16.1.182:1034 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 13.107.246.64:443 tcp
N/A 192.168.2.18:1034 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 192.168.2.10:1034 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
US 8.8.8.8:53 mail.mailroute.net udp
SG 74.125.200.26:25 aspmx4.googlemail.com tcp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.8.46:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 search.yahoo.com udp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
NL 23.63.101.170:80 r11.o.lencr.org tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 192.168.2.10:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
FI 142.250.150.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
N/A 192.168.2.18:1034 tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 mail.acm.org udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 smtp.acm.org udp
NL 142.250.27.27:25 aspmx.l.google.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.11.6:25 outlook-com.olc.protection.outlook.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 85.187.148.2:25 mail.gzip.org tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
N/A 192.168.2.17:1034 tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
NL 142.250.27.27:25 aspmx.l.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 tcp
IE 212.82.100.137:80 tcp
IE 212.82.100.137:443 tcp
GB 142.250.187.196:80 tcp
GB 142.250.187.196:80 tcp
IE 212.82.100.137:80 tcp
IE 212.82.100.137:443 tcp

Files

memory/4000-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/3620-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4000-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3620-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3620-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3620-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3620-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3620-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3620-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3620-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4000-42-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3620-43-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 5fdb3f6405fa0ca691e5216ab2908c51
SHA1 6d5a8c0ab160ccaf3b5486e450a9c255bc66c42d
SHA256 079b74d3053880164f9aa7c4469609d3e3f697b43fefdb8b8cf3184a16a420bf
SHA512 d14d7098c2c0109b1ec85267c650688debbf55f6718e25769c92f46a3793b85bef7150e30369d9bf951d37c00c1d5791f707d7af89d327d83098eeaa4b6899e4

C:\Users\Admin\AppData\Local\Temp\tmp34D5.tmp

MD5 578c5bc212e2ded7038ddb0956908569
SHA1 b800de84d33ee53b47f7853274e81f47871e98ff
SHA256 a86762b18d1ead480643737d21b03742dd70c4c9b0a10a58c24a2272adc9526e
SHA512 089bc74caa1f6bb2499da10c5677e5aafc0077634815117c0a878e28eb89e0b4eee1342011a40e7cbcd63d22a5d1bf311645363bf0f35ac41f0a82f624d33c36

memory/4000-114-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/3620-150-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\L99MV9CI.htm

MD5 17ee38f0109e97507986885cbe1cd9e4
SHA1 6d5ba7fa061d6d734410ef7ce7d0e1921273bbdc
SHA256 1982388b61780fa883e70086d42db0cd49d5c9f9236923c6c3742a3b7b4314e0
SHA512 f507aebec79d908462cc16ee5bc7502a895c767d001908a567c142590dc0a49aca32c3ff704b7daba0f2b3bf2d5de7addeaf638dbfed64a5e939bebc3f77860f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[6].htm

MD5 0fb151bfe0194ed0da204592b70a50de
SHA1 e7599464afa27da7174f59fcb78eee9c7507f84b
SHA256 ea35b8e78dc8c8c0f3b18c4c2ae996aa9475450180b2cc082b88c7728e71aab6
SHA512 1458ab6cb9e2bd227f6f15227853e20dc74f736e203d74c9b5edba98050a46f26336cca82e6eb223699509607a337cb07554c979ff400d15dcd28e5eb17c5cad

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[8].htm

MD5 aefb176179ab3a0aecf68a206828c894
SHA1 d8cb0774fcd7d802b7085c24fde63dfb45d89ab8
SHA256 3e6b821ec9ec95d76fcc0411092ed6a5a8ff0df6f3f40fc7fdd3facca657c5b2
SHA512 9ff060ef076a6ecbf91b54b3e51505f529845d8f66d4a2548dcf19b8a98ed96bdafdbdc16ee13123768b88574b8871e086ebddcedaa7713e9737086c4aeef7e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\default[2].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[7].htm

MD5 b9adf34b800efcee3aa3396161d4e654
SHA1 541717c5414604f919cc87b73eded55905a4acde
SHA256 1d97d74a7198a0048949484b0470bf888c5024c765742b9282fb39ea94da301a
SHA512 afde1739603daeb07818cd011ad416caa38b3f344fab52f371f203850d8145fd29279cd813e5114b1bf6308ed069296c2f8e58aee2805ac7d2fa911a4af1bc50

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[9].htm

MD5 a0c13a04e416794bec70dad7dbcea5a7
SHA1 dafdb9da22d2399a615f36defcb49fc3fc7a842c
SHA256 46027d28154f9fb520ed1a2ae8dc06648d022bceb5d5345981ee12da830fd239
SHA512 47d9eff9bd585284e07b2dd4d05caea98f1399c9a76d328ad837e75043db18a7252386ee95a8b5d37895a57f9bb710a6dac763a5161ddda4ef3a095cc345353d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\searchPFBJLOQI.htm

MD5 e11bcbf0a25e5643f856346d733fcfa6
SHA1 e1a303f27205e3232c2dc552e88c8e2b40d23295
SHA256 200cdcb32dd6f38d31a70c4f4085399e4752ac774c9c6d04d5a27f9609b3bd8e
SHA512 251acabf2017706b15da921fcfe0fa0b48eb5a50ce9081665b833506f1c584ceaf0869f1c4ed2cd10026ff76fc0b07afb8bebec98e59d71b99bd93f0fdb5f6bb

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 c3bb11aeb77d44d21b43a363d726946f
SHA1 6c3201df3f7a21181f76e49421e253a0ef48a916
SHA256 f1c32d701ebb8eabc962f213b38aaf22fa39e06ed59af65f90fc74dd4017cf52
SHA512 7b536459ddabc73b2710c7ee7e9f2bc01f6752f2804c49d75856f4a35b83fbe6c07640d018aacc40c714efcf475eb912b2be8426f322dc629b3c0e7a12215099

memory/4000-383-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3620-384-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4000-387-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3620-388-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3620-390-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4000-394-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d9b172f3b0fc11bab0424ace11ebf020
SHA1 6b65c391cdeaff9b9f192ee2cb3ad47ffd97ff9a
SHA256 aa0b032869c65e89b7439b186917ef7ade3b3b7fc152663091a119c5992db8c0
SHA512 2d7440da9c88b8c00f6f6ce6184e25dc4586f61f977c0e35cd717dc2dc90cb875b61c0b4a54ec15f721edb7907612351d771cbe66cebe0b7ed7f84c0821169c5

memory/3620-417-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\default[2].htm

MD5 157431349a057954f4227efc1383ecad
SHA1 69ccc939e6b36aa1fabb96ad999540a5ab118c48
SHA256 8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac
SHA512 6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[5].htm

MD5 70a51207961670e9d75d7302ceeecca4
SHA1 2b593fa6a02ab44c7c7d2a46e8aac6af05a20dca
SHA256 8a007183eb3c2092b60798f84baf5c29faf6f3eeff149d5534a2339a0b99c315
SHA512 48957dc666b35554c114a5635ecb126296a1eb5ed62d15d7f8985b605522c6c62aef06a0363c443a8b17533acb29e058fd3b785e9bedb10b98939d3ca89cee28

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\searchBFFK6GOZ.htm

MD5 5f0b75928ce59d3d44258fc602ea9cb2
SHA1 f8498850880f1adf62e87c383c7970a3acb6ff98
SHA256 56dd72b5591aa650720516deb80eda393a12f5abe2dc9b9b11c8ef440d8e368d
SHA512 0386b6334f0fbdeec380d2d0205999d572c57dd3d575d890e4cb757f8900b1b1d00398a190add00b5bf7b960f464824368e9c9ef8ee1d4568eefbe1ad7d6fc96

memory/4000-561-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\results[6].htm

MD5 35a826c9d92a048812533924ecc2d036
SHA1 cc2d0c7849ea5f36532958d31a823e95de787d93
SHA256 0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
SHA512 fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 db356ce6f586db9014c66b53f45b5859
SHA1 94e2a2ddf00fe37329425deed74c81951e3f1888
SHA256 ff883a9aa2c8bf166f80e5b6b7fa989cc6629e1d286aa0281c2a12a9797e63fe
SHA512 73c1554b2c8135329abef4f5960fb5e112e52e7ecb02918bcf89614fd435f9357752d2ce901d00f92d7c5d3ce2027467b73cba211bdaea59eb2cdcf5db6b88f6

memory/3620-621-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\default[5].htm

MD5 5431b34b55fc2e8dfe8e2e977e26e6b5
SHA1 87cf8feeb854e523871271b6f5634576de3e7c40
SHA256 3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432
SHA512 6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c