Malware Analysis Report

2024-09-09 11:08

Sample ID 240617-ntgelayfqd
Target 865030faf454023288341463915f2570_NeikiAnalytics.exe
SHA256 fcd4fc8a0534271a5ceb4c2b9abc85e30ce912f411111e164521f82818d4127a
Tags upx persistence microsoft phishing product:outlook
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fcd4fc8a0534271a5ceb4c2b9abc85e30ce912f411111e164521f82818d4127a

Threat Level: Known bad

The file 865030faf454023288341463915f2570_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 11:41

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 11:41

Reported

2024-06-17 11:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.135.189.123:1034 tcp
N/A 10.127.0.3:1034 tcp
N/A 172.16.1.2:1034 tcp
N/A 172.16.1.5:1034 tcp
N/A 10.156.133.4:1034 tcp
N/A 172.16.1.116:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.11.3:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 172.16.1.169:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.9:1034 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

memory/2936-1-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2936-10-0x0000000000220000-0x0000000000228000-memory.dmp

memory/3008-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2936-9-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2936-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3008-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2936-25-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2936-24-0x0000000000220000-0x0000000000228000-memory.dmp

memory/3008-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-49-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2936-53-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3008-54-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-56-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 09a4f5f557f3f169e10da243aa30fd09
SHA1 85fd781de93e138444ec0e396349ed2ee9bcef4b
SHA256 f3462ab101e1c2ee985edb9348b4f11f09c584a46884ab5aa6f58da50e6db4e3
SHA512 5cf1b0415c71d99bdfd58a1c199672c9b06003682516bb5237819f5cecbfe14c246e18c5f5d25af05a50175760c34c4d4e77960a5aeb8d90613ddf9c2e8c6afd

C:\Users\Admin\AppData\Local\Temp\tmpB81B.tmp

MD5 d24564a4fb54fa5f43a95607e3b7b580
SHA1 1568bcab258730521a0c476de7b7dfae265cefe0
SHA256 c4bba967162c6b545a0c867e8895b23b9c49315e3bbee68c143cb2c9de7a4bd1
SHA512 3ab1dc7608bffe2b83327f816c04f81c324fef42a4770ef6044fe700fa96d73f9be3528aae7f81836b959ee80ecb1fc207c0b50ca3fb1cb86926f0282c636d9a

memory/2936-74-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3008-75-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2936-78-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3008-79-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2936-80-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3008-81-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3008-86-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 11:41

Reported

2024-06-17 11:43

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\865030faf454023288341463915f2570_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.135.189.123:1034 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
N/A 10.127.0.3:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.209:443 www.bing.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 209.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
N/A 172.16.1.2:1034 tcp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
N/A 172.16.1.5:1034 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
N/A 10.156.133.4:1034 tcp
N/A 172.16.1.116:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx5.googlemail.com udp
US 8.8.8.8:53 acm.org udp
TW 142.250.157.26:25 aspmx5.googlemail.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 65.254.254.51:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 gzip.org udp
US 52.101.9.12:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 8.8.8.8:53 search.lycos.com udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 www.google.com udp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 68.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
IE 2.18.24.10:80 r11.o.lencr.org tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
IE 212.82.100.137:80 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
DE 142.250.185.68:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
DE 142.250.185.68:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
N/A 172.16.1.169:1034 tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 acm.org udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
N/A 192.168.2.9:1034 tcp

Files

memory/4404-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2452-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4404-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2452-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-48-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-50-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4404-49-0x0000000000500000-0x0000000000510200-memory.dmp

memory/4404-54-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2452-55-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d360a59b00a53c20b66e1058cc64c670
SHA1 e306d44a6d15bc920bfc4950eb9ddc524e73bc4b
SHA256 2c0812d841409ac5e022f5c6852f39080f81052e2c9b1594339827d24b026dc0
SHA512 8d4b31239dd8833f3a84c089e24cee8e416ca80b4e37328045517a6b9aa24ab22783fe017aed12eb64c863b71710d720d50b613d52acf95e2ea1ee3e3ffd9df7

C:\Users\Admin\AppData\Local\Temp\tmpB128.tmp

MD5 865030faf454023288341463915f2570
SHA1 40c6be1a3dd82dbff782a5b5c1b1b116ea4cf5d9
SHA256 fcd4fc8a0534271a5ceb4c2b9abc85e30ce912f411111e164521f82818d4127a
SHA512 4bcd00b07d511ed9900bfa57b436b7b2a55fda14cf285d307b492f08e8692af33d754cb156dd9fe66125315c2bbf3e212a39b5038e879fbafc11f6a3a4f36d43

C:\Users\Admin\AppData\Local\Temp\tmpB227.tmp

MD5 d2a77dc9a18f1b0e359b4016e5e04e2d
SHA1 c402240ecdf894a143823cb05474516a6ff77ad9
SHA256 22c27855852b325372ea6440c74b922abe7df901fbd690f9f1f05cc52fd0c3ef
SHA512 f93a1b9214d20592b2f4eadad859c3bad8f436cc4ef6e909e8e98460cdbf63a19a2caca6a1240335542b3a1f10eb0f3aeebacb602c410e45368bce3d40baae8f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\ZNCPCFS0.htm

MD5 85f5de03293cb8668fb8bf12de30342d
SHA1 c0aef10ef401032e570c347c80a74356c7c904d8
SHA256 9be29d26189e85548c057ce44b559ac7eed02035a6062573b91e14bb1fd96abf
SHA512 819ebfd0e990dc83b648cafe87c75f93dec37e2f92ca5edee69a3bfd626382ab9f4fa84e59b560ebec26bac4efe899bdb9aa0c43848f498fa6246f78a6cf81cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\M8N333Z9.htm

MD5 2f7a19399fa92ef9aace46d8fdc35da7
SHA1 a6f29514bf601daf077c00bad0672d551ab8b1a9
SHA256 0cc215f8d8aa95f16c91636235d3cbf8f1eaa9ab835fe156730e3dc9a7ad772d
SHA512 4dc58f2d76ac80dc7e11365af1b2acf0e39bd09fc98b842f2348d2c9eeaa134727f0ec010e1dbc52866722110baa3704e10d850c50134d7e28390e63c11ec2e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\default[1].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\search[2].htm

MD5 fd1ddbebc7a9226923afe345fe4aeba1
SHA1 0f198b54a38f22050816f880ef6bb63e83f6f7f7
SHA256 c911dbd78d8ef36e8dc47e1f5a3b12f39d2ff42b6f1c329810e9d357903fee84
SHA512 3c4a559f209c003b3412c1e15b891cb36dd2654d1096bebc4bfc09b6eee2e33250c1f06af166a08cb5afaeac252f308aa59ef045fd8886432e6c083201caac8f

memory/4404-287-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2452-288-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 7f638719bd2ec9683c5621f953d1d1f5
SHA1 849072194309b244fe024d47a6d395e19676d29e
SHA256 85dc86477b47d7548ed27e432fda978f5b45aba2f1a38f58e8164f40848134eb
SHA512 bd83d33752ed43b469284c7b7bce1405f363322eda8886d49be76dad8efe33085dd834808657d75404707d940d21fd0aa71deafeef1766ec24a2c393822f123d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\search[9].htm

MD5 10619eb63a18fac0d7b7a6905f7c69bc
SHA1 907dac11101a38deace4ac7d3c2283b1a693197f
SHA256 0face5b0ba62fa1272ca9f4337b87567df85781fa6ccc7482c9609fc81294a96
SHA512 b9adf12b0ec257a39ec10ac8a34e46627801e239df4625142abec8862db18fd3bdb08d3d916ee3d44a32e5c2eb2322face2d155d6cfb9eea39137d5abf61b00b

memory/4404-334-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2452-335-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2452-339-0x0000000000400000-0x0000000000408000-memory.dmp