Malware Analysis Report

2024-07-28 10:40

Sample ID: 240616-ha3wlaxbpm
Target: dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe
SHA256: cbb807c5d7290a6a00bd202d19f3649da536965132925c720fb8ac6ce8327396
Tags: persistence upx microsoft phishing product:outlook
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: cbb807c5d7290a6a00bd202d19f3649da536965132925c720fb8ac6ce8327396

Threat Level: Known bad

The file dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: persistence upx microsoft phishing product:outlook

  Detected microsoft outlook phishing page
  Executes dropped EXE
  UPX packed file
  Adds Run key to start application
  Drops file in Windows directory
  Unsigned PE
  Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-16 06:32

Signatures

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 06:32
Reported: 2024-06-16 06:35
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A (22 identical rows, all fields N/A)

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.213.60.59:1034 - tcp
N/A 10.241.35.61:1034 - tcp
N/A 10.128.8.216:1034 - tcp
N/A 172.16.1.4:1034 - tcp
N/A 172.20.0.15:1034 - tcp
N/A 10.152.243.207:1034 - tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.42.4:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.144.131:1034 - tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 172.16.1.5:1034 - tcp

Files

memory/2652-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2388-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2652-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2652-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2652-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2388-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2652-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2652-25-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-49-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-54-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-56-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2652-60-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2388-61-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2388-66-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ab5e07ae1312a03ceececf9c10cb8f29
SHA1 6e0841d82f5f0bd42e0f1fab4a30ba617ae5162d
SHA256 244fdf7a47fad9ee0a02899631dd42f5dff5be414ef82c122bc84fbcbe26d488
SHA512 4a4c49c33cf05b685b44fbd13759db101ac6c53ffd7a24f58e1ed285a4071e1738772a607baf7036fd82e2e2b32caa29b6e3e3f6d76d3159337fb9e78cd6bf31

C:\Users\Admin\AppData\Local\Temp\tmpF7F9.tmp

MD5 68d0cf97aafa4cfa7ff7525cb7ba66ea
SHA1 6238e36f13d5ce79b95ef3aa8042cd1cb2467a9f
SHA256 9afdb914f12834eb48fff90e5c2fef26b4f73cfb0925c0f7b5a22815f95aa9dc
SHA512 5d6026b8035ecda4feaff886f5ad63e7c4649660428b773d7d79ef2e468759b92c0240746c6a0023e14dd4373ae61006db58a95984e443aea46251a9daba5cad

memory/2652-84-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2388-85-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2652-88-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2388-89-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 06:32
Reported: 2024-06-16 06:35
Platform: win10v2004-20240226-en
Max time kernel: 152s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

Tags: phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A (24 identical rows, all fields N/A)

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dd31947a86f413e738813cdb97932130_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto Count
N/A 10.213.60.59:1034 - tcp 1
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
N/A 10.241.35.61:1034 - tcp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
N/A 192.168.2.114:1034 - tcp 1
US 8.8.8.8:53 chromewebstore.googleapis.com udp 2
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp 1
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp 1
N/A 192.168.2.13:1034 - tcp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1
N/A 10.144.22.105:1034 - tcp 1
US 8.8.8.8:53 m-ou.se udp 1
US 8.8.8.8:53 acm.org udp 1
US 8.8.8.8:53 cs.stanford.edu udp 1
US 8.8.8.8:53 burtleburtle.net udp 1
US 8.8.8.8:53 aspmx3.googlemail.com udp 1
US 8.8.8.8:53 mail.mailroute.net udp 1
US 8.8.8.8:53 mx.burtleburtle.net udp 1
US 8.8.8.8:53 cs.stanford.edu udp 1
US 8.8.8.8:53 alumni.caltech.edu udp 1
US 199.89.1.120:25 mail.mailroute.net tcp 1
FI 142.250.150.26:25 aspmx3.googlemail.com tcp 1
US 171.64.64.64:25 cs.stanford.edu tcp 2
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp 1
US 8.8.8.8:53 gzip.org udp 1
US 52.101.194.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp 1
US 8.8.8.8:53 gzip.org udp 1
US 65.254.254.51:25 mx.burtleburtle.net tcp 1
US 85.187.148.2:25 gzip.org tcp 1
N/A 10.0.2.15:1034 - tcp 1
US 171.64.64.64:25 cs.stanford.edu tcp 1
US 8.8.8.8:53 search.lycos.com udp 1
US 8.8.8.8:53 www.google.com udp 1
US 8.8.8.8:53 search.yahoo.com udp 1
US 8.8.8.8:53 www.altavista.com udp 1
GB 142.250.187.196:80 www.google.com tcp 1
IE 212.82.100.137:80 www.altavista.com tcp 1
GB 142.250.187.196:80 www.google.com tcp 1
IE 212.82.100.137:80 www.altavista.com tcp 3
US 209.202.254.10:80 search.lycos.com tcp 2
IE 212.82.100.137:80 www.altavista.com tcp 4
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp 1
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp 1
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp 1
IE 212.82.100.137:80 www.altavista.com tcp 16
IE 212.82.100.137:443 www.altavista.com tcp 2
US 209.202.254.10:443 search.lycos.com tcp 2
US 8.8.8.8:53 r11.o.lencr.org udp 1
BE 2.17.107.153:80 r11.o.lencr.org tcp 1
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp 1
US 8.8.8.8:53 153.107.17.2.in-addr.arpa udp 1
US 8.8.8.8:53 aspmx4.googlemail.com udp 1
US 8.8.8.8:53 smtp1.cs.stanford.edu udp 1
US 8.8.8.8:53 acm.org udp 1
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp 2
US 104.17.78.30:25 acm.org tcp 1
SG 74.125.200.27:25 aspmx4.googlemail.com tcp 1
US 8.8.8.8:53 alumni.caltech.edu udp 1
US 99.83.190.102:25 alumni.caltech.edu tcp 1
US 8.8.8.8:53 burtleburtle.net udp 1
US 85.187.148.2:25 gzip.org tcp 1
US 65.254.227.224:25 burtleburtle.net tcp 1
US 209.202.254.10:443 search.lycos.com tcp 24
N/A 192.168.2.107:1034 - tcp 1
US 209.202.254.10:443 search.lycos.com tcp 2
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp 1
US 209.202.254.10:443 search.lycos.com tcp 3
GB 142.250.187.196:80 www.google.com tcp 53
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp 1

(Count gives the number of consecutive identical rows in the original capture; a "-" in the Domain column means no domain was recorded for that connection.)

Files

memory/4964-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/5084-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4964-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/5084-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5084-48-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4964-49-0x0000000000500000-0x0000000000510200-memory.dmp

memory/5084-50-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d4a304c8403791418cbaf2735f6cbf0d
SHA1 21e92b4eeda116ac158e7732f84592f48ee54881
SHA256 2f2e9d2960ea8e1813b1aa4af42a78ab4e23981c5945872975a3580998db55c4
SHA512 c114572014e1a1934815987be18cef2d0a03e13be679e52f9192352dde5710d92d83944a0cc3e1c7b513e4840459bd42f59e19a1d627f64004e706800afed72f

C:\Users\Admin\AppData\Local\Temp\tmpA11A.tmp

MD5 c3cc1621f7783dda23ef0785759fc9e3
SHA1 fefab4e376b822f7ec4452f118624baddc071474
SHA256 7652e555406f7e113eeab190e5c5aef455593366e587b2de22f08916ade9f48d
SHA512 ec07a47c5305db683b15eeafd0bdd0b02ae20e0d51133137f35e799750c79a006bfa492da2a5e216dfd9a016431f2aad26af4bfa8ad0ca21293695500847d0a6

memory/4964-94-0x0000000000500000-0x0000000000510200-memory.dmp

memory/5084-111-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4964-112-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e525f3fabc51245ece10633c903d9a87
SHA1 155bfe1b297be118455cd3dada579f6d3b9e208f
SHA256 d89cbcf49cfad0cf24a84c465e1c0c00821e57335a8d8c1a48eeba333e7e471e
SHA512 169b6f19595a2a2de14ce16182a67dea1959b7047170c7d1fe64793a192f545c93fe94acb093cf9ac69713d914695d86f017f4ea8e6fb694d24bdd27164eb81d

memory/5084-125-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[1].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\results[7].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

memory/4964-228-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[9].htm

MD5 e25234e82b9cfdee671a5c7c2d016862
SHA1 4246934e97441dd4360999e5e0eb0ec07406408b
SHA256 2228199b52bfddf72ac02263468d3b71b980169c85b9dacd71db1505dcf4636e
SHA512 ea4f8593d47d472164d1469aca4a16a4e113ff5a0aa2258ab199ec035ee803f82eb30d452989a7f38e1624ec1999ffd64ad96670ace4c8921d5140a90e2b5e99

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[8].htm

MD5 d8793c6fe416b7ee7b8fb4ef1fb88b20
SHA1 aa3a46919eaaa2fa5ab15fff226e2fe9b821b47b
SHA256 2b044d19f24e75e9f7b488a5e849083d580e1d10d4f9e5bc37442216457be7ba
SHA512 275d5b795afb19d128e36a7b4ab1d6f964ceffa4cfd89afc6bc83cd6e924f66c9313700a6dd7cc5ce7403211723bf347f5d8d93e45d3a0594647a95d6d387742

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search0H7VDE41.htm

MD5 543b081a4ab45aff2f9c6c4fa4febb19
SHA1 be8c676cb93fde36fe594f785d10614c4d97c58b
SHA256 7875ed90276f103296b77dbb57b475b2d2295b34677bc8bc5f11d226e37ea5b7
SHA512 b0b39c0fba8f3b0b6dd3d3e8d9c3d6ecdf7c86d7b70869dec148f87950876426459a4da7fbfe92504f9312368eafbcdf209d0b14421e7a0c0f1c8b93f1ad6cd5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\searchDZ9GCT4A.htm

MD5 38adf4756a19dca58384a6e7f0eea0b5
SHA1 03f18ed5eb2aa1bc188a157e55747a94dfc5aebe
SHA256 ddc0393faa86fd3818240fa53795e4a859f38909d132228aebbfcbfb542450a0
SHA512 c852b02af172db0fba9e8a8b79485acf8593b94e559cc71fb1023de0ed7205172d64faa1057a667688895825e6fbfbdcaa61f5c7f8e49effc0522365d3350e89

memory/5084-345-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4964-350-0x0000000000500000-0x0000000000510200-memory.dmp

memory/5084-354-0x0000000000400000-0x0000000000408000-memory.dmp