Malware Analysis Report

2024-09-09 11:51

Sample ID 240616-j2j38szdrj
Target e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe
SHA256 d57f3b5906195703a450ee933482d736f06b2dff3b45185a2c78eaaa6413caf3
Tags
upx persistence google microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d57f3b5906195703a450ee933482d736f06b2dff3b45185a2c78eaaa6413caf3

Threat Level: Known bad

The file e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence google microsoft phishing product:outlook

Detected microsoft outlook phishing page

Detected google phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 08:09

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 08:09

Reported

2024-06-16 08:12

Platform

win7-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 08:09

Reported

2024-06-16 08:12

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe"

Signatures

Detected google phishing page

phishing google

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e3390264d8240749ace7784ead824fa0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Files
