Malware Analysis Report

2024-09-09 11:01

Sample ID 240617-h5rf2szdpg
Target 60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe
SHA256 1e2e19101d58e18ff26cff44598009784d15c342b1653e3801dfc33d26223d38
Tags
persistence upx microsoft phishing product:outlook
score
10/10

Analysis Overview

Threat Level: Known bad

The file 60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence upx microsoft phishing product:outlook

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 07:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 07:19

Reported

2024-06-17 07:22

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 07:19

Reported

2024-06-17 07:22

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\60e7423ddd5299306c81dd0df03a2ad0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network


Files
