Malware Analysis Report

2024-09-09 11:21

Sample ID 240618-md7featbrk
Target 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe
SHA256 f15ad7a16fcc261b0550f37441b26d953a3cd1b884464dd2bbabefa0a7950e4a
Tags
upx persistence microsoft phishing product:outlook
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f15ad7a16fcc261b0550f37441b26d953a3cd1b884464dd2bbabefa0a7950e4a

Threat Level: Known bad

The file 38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence microsoft phishing product:outlook

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 10:22

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 10:22

Reported

2024-06-18 10:24

Platform

win7-20240220-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.126.94.178:1034 tcp
N/A 192.168.2.157:1034 tcp
N/A 10.227.85.66:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.11.3:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 172.16.1.5:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 10.179.108.182:1034 tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
N/A 10.241.35.61:1034 tcp
US 8.8.8.8:53 apple.com udp
US 8.8.8.8:53 mx-in.g.apple.com udp
US 17.57.170.2:25 mx-in.g.apple.com tcp
US 8.8.8.8:53 unicode.org udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 r11.o.lencr.org udp
NL 23.63.101.170:80 r11.o.lencr.org tcp
NL 23.63.101.170:80 r11.o.lencr.org tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 email.apple.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 mx-in-rno.apple.com udp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
N/A 192.168.2.111:1034 tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 insideicloud.com udp
US 17.179.253.242:25 mx-in-rno.apple.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 insideicloud.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 icloud.com udp
US 8.8.8.8:53 mx01.mail.icloud.com udp
US 17.56.9.31:25 mx01.mail.icloud.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 17.56.9.31:25 mx01.mail.icloud.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 mac.com udp
US 8.8.8.8:53 mx3.mail.icloud.com udp
US 17.42.251.62:25 mx3.mail.icloud.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 mx-in-mdn.apple.com udp
US 17.32.222.242:25 mx-in-mdn.apple.com tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
TW 142.250.157.27:25 alt4.aspmx.l.google.com tcp
US 8.8.8.8:53 mx-in-vib.apple.com udp
US 8.8.8.8:53 mx-in-vib.apple.com udp
US 17.57.170.2:25 mx-in-vib.apple.com tcp
US 17.57.170.2:25 mx-in-vib.apple.com tcp
N/A 192.168.2.14:1034 tcp
US 17.57.170.2:25 mx-in-vib.apple.com tcp
US 8.8.8.8:53 mx02.mail.icloud.com udp
US 17.57.156.30:25 mx02.mail.icloud.com tcp

Files

memory/2924-2-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2924-4-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2924-15-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2436-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2436-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-28-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-29-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-33-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-34-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 a321827de456e0462e603f0520ce1d61
SHA1 44fb30b06f998c3c77358305b29777d7911c2769
SHA256 420b0121dc0e85fc2e55c4b35445150e71986d93cbcc634d971e3094a599f614
SHA512 d72f6107c0588a4fc670fa9f68358246d40f9fe59cb83aad718980c2159a7096759895d102aa9c7b340a5bf12cdf7309acaf5edf38d2f83cd4fc32a4541d9b94

C:\Users\Admin\AppData\Local\Temp\tmpCAEF.tmp

MD5 04bf8be67a020ac4faf323953c8a3d9d
SHA1 218e178bb0614e810b3fdd0fa1dfa54fc9a1b3ff
SHA256 ae7172c121fc81c765f7d840d9f01bf9e9a5b0755b7ed5639deff49fcbad4f22
SHA512 0cc4815b2a7249f5acae33ec5bc7e49a660e0f1de1abd2f30e6c29f9fd9ae0230d5f66de626dba9862e37b086b72d30914c69c6d4c4ae4642efdc9e09e270507

memory/2924-51-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-52-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2436-54-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-58-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-59-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-63-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-64-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-65-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-66-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2436-71-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 4599e0e3ff279a08768fe342e5400815
SHA1 aad50e15e79c872692d662435a051a9663166863
SHA256 1433d08f4f9731610eb610c1703df1613047da0275fa5d37767617367d22a26b
SHA512 8eb4a4784bd8c94cbdbb0f8695c3a8d74bef51d1b1c3c73f24951d52fce7ac125eac59c0eb478580260219f49a96d6dfa68452d943161d080979a8485006782f

C:\Users\Admin\AppData\Local\Temp\CabC577.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarC67A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58dbeaa163c9f2273631835bc151dfdf
SHA1 acc84686539602ce191d9253adef1f419a9c43f6
SHA256 e6dae40eea516d11a2d74f1e50ec7508f59d8aa8259fb4d1ed30a8dde77ac2a3
SHA512 09cb54524f4249088b349719d3c9d1ed82d2da2cff21627cbb34a1fb8a1ea88bd6b72a746a584b3ebea9378782aceeb3a1fb98b4b120fe551cd2facde1c261ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 739517a798606b4ed58cc09a337efa32
SHA1 4ff81029b8947137f1bdedbf3905519c2bee566c
SHA256 c66e785699cbd38ae99198426e90241034c906d7557d840de6a5b0d0292fce06
SHA512 8961f33397f35c70b1b2a52aa5f2cf3a995b7cc7add242b48d4c8de9782bf1d22fda21feb19173a501e3141dbe2a08d539639e264a5070b7e29747c5f7b68c70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82426d1ef9b2a44350d90f72b10a7cac
SHA1 5e34d0b614f2fa8b2310e7120266098b39ba2202
SHA256 e250d85bbeb5f0e009de5a5041777661dfe6219d5eb87086fe7eee9dcb23e0c8
SHA512 c009e9e5bfc75dcf448f6ced9440471f975fb6b7c14cbb38fcc7defa100fd7b0e4905a940e51c958ae493966f0e01dbeb342a3fc01a03f8e117d825c2350cda4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 568806919f8f2c2e97d52a55507322bd
SHA1 10bacdf3c86c659c3118adc7965f04674f795c76
SHA256 f2ad8f53e0aa5647e2e6c21357fcff08dc0383f49e5b18f69654dcffe918787c
SHA512 13d4848fa170b7496392e45b0cd12024da7598d0ef4a00dca1723f0aea1b35482f29591fa52ebf4bc3b3c4164581689e07102e73a6ef8605eff5b16f92753d1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f922043c24d18fa94c18754cb1a4faab
SHA1 727e5a7dc14b1280c1b88c2746ca276661435fef
SHA256 d454c4b7dc677ae8a65029f5e497ffe1badccdd147dc2598e3f30e4ec9fcc6e6
SHA512 a6b609f05722915e01fa55fe7d1fe1b2a58e694f3267a6dc48da093ff8f8efd8ac8a0056d707187f23d54500016b8dc56d8695657cd4d7d19c918317967d9d32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9043c495230a63de7c34de6c1681fd0
SHA1 9bf7a8f8baeb7b082607c937c951f3a146865b0d
SHA256 c61baf1010ceb88d501a943e807a3c95bd49bac465f0db5eed8171414bff10b6
SHA512 5f6cb0f75e214aac9c23e5d1e4fb44527e31a4405c86d7d12cf0045d84bc06f67d2b24315f737543d64958c6df79180e3d7529b6c8baa0ec20b83f50c58cd411

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\search[2].htm

MD5 207b25a9285e662aeee2d21c29832e17
SHA1 39d27eeed0d982a8bce5b44d3e03ba4d7bbc58ea
SHA256 00f26239c4bb863cf1d88c24883fe290352b80053d51a1f9c6b6fa49ddbf3068
SHA512 a9b66a7b3f813e0210a9d739b9cafad141cf0aa720e984c7d22cd737d40d49d4a332d206579fe4bb7d0c7bf7d9664b63be99b5f551e7380dc0a91fc801f1cb5a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\XM1643LA.htm

MD5 82b3568836ef05fb7af09744be9b6774
SHA1 ebbed16a7a8ebb6f9591d3ead04c937dbaf50a4e
SHA256 8ed4cef260b9c3863331523cfb2dab7a64a4a07af0b4efdfab76c17ef0457627
SHA512 15649fea82c7ddbeb270f7adaa74be925f39ef4229cf311fd45f44074debe92d6c3137a958ab311c00dd9d643627ca5b9b721aa8de0bbb0063e0fe20619854c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 4caa7b08a9d2dd72d799a2c4c116c818
SHA1 ea5fc1adca1da0a89bec9c8b792bcf1072889001
SHA256 aa97f4355ae6c93586888d18c0c982d4bce0d74c53b25dbf11fef91a27c9d079
SHA512 d989bb5aa973e12a7701866b1f79dbe559cd03ce12d25311e4233d4380cf3a805fbe3688c04c809f049dbbb576f8c57864aa216d353c5d0373a08ba03a6f472d

memory/2924-432-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-433-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\search[4].htm

MD5 9c16abb1a8e29993fe0fb221ab66ab09
SHA1 ad5bfc7c2e500c1654bc469280d9447c69604372
SHA256 673b33cf312db490864bdcce5c67110f8a9b13268aeb65b17b353c74b56d6a15
SHA512 a68e0e311f000fca806df19db74312ac9d628dfab0d6e2f9478449e4e18b7f0a7b54f3ac4abc42606f5437071725bd26ebc332e59037e87cd094f58984677ab3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\AQES480A.htm

MD5 5e6530e5284479c771f6e40fa6fcde7b
SHA1 5364df2515744cf897c0109dee72c711eb8c7bf2
SHA256 2ae2e02990bed71bd7b8d007b6214584596c3f7f8e44fb5bdec7d6ee534db546
SHA512 33d3ca768d5c11a457b2c5268f3ecd1b01e6308304f8c6f56b6fede39d454cb3746e7d94c32c5c5b58ae1adcf2757cb5fc714607e3a2838d8e1e454138581e82

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\results[4].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\search[9].htm

MD5 773fa43d3dc9c2b23af19d3b193ccad4
SHA1 d7eaa63e6a29f4ee7e930b64f29b9f54dda8342e
SHA256 06a45250d6989e609725f7cfb5eed1b97de9ee92a123c8f81fd7a73a95e10403
SHA512 dc25e24ff6be8ff91e1fab89a9e8c2c880ec54efda30cc54b60bfa3bc6ea74b630f867a86898599df5e1589a1ae4198013facea676aa68eb93c53ee69a6c7136

memory/2924-580-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-582-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2924-623-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2436-624-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 10:22

Reported

2024-06-18 10:24

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\38898c293b84f1bcb71bc0ff9edb24f0_NeikiAnalytics.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.126.94.178:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
NL 23.62.61.178:443 www.bing.com tcp
NL 23.62.61.178:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 178.61.62.23.in-addr.arpa udp
N/A 192.168.2.157:1034 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 10.227.85.66:1034 tcp
N/A 172.16.1.5:1034 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
N/A 10.179.108.182:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
NL 142.250.102.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.41.3:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 www.altavista.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
IE 212.82.100.137:80 www.altavista.com tcp
NL 23.63.101.177:80 r11.o.lencr.org tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
N/A 10.241.35.61:1034 tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
FI 142.250.150.27:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 acm.org udp
US 104.17.79.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 171.64.64.64:25 cs.stanford.edu tcp
N/A 192.168.2.111:1034 tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 outlook.com udp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
IE 52.101.68.9:25 outlook-com.olc.protection.outlook.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 mx.gzip.org udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 52.101.194.15:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
N/A 192.168.2.14:1034 tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/5088-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2080-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5088-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2080-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5088-42-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2080-43-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 a0591e2baa18055d995662f879411f46
SHA1 c0fabd0782ae7e139fa7941c98e53165d0cddbe7
SHA256 0796a329a1f07ce41bd65cd7be6e63aa323b9f1479879a921fc8bb0ab3c3c736
SHA512 bb93314d673ebeee98897f673b3bb24a16fdf775e2b0cdee3fbc3f1341b1c84da41da3efc38cce3e1f327e2a042152eda2d65a58730103b72d52e6dc398607c5

C:\Users\Admin\AppData\Local\Temp\tmp9C1C.tmp

MD5 1343a1fe236d04dd2a8c5e815e0ca0a3
SHA1 b3e139bbda5e13a3dade229c1c6ab712a1c9cc30
SHA256 fc2daef6bf9f59617b1dc5e4fd08079c83b66f97d883f5e307fb817d18c19a9d
SHA512 a8d5328c4990f30a6bdedcb0e84f43b906eb007dfbb50dfda197804bb9ceeea61765d141ed876fc3fd1d95026398a2743eb60eec0f24ad16f70db6c1c70b6dd5

memory/5088-98-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2080-99-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\8YKRK72C.htm

MD5 bf0f676125a4c8c82e99360357b38480
SHA1 1051ab21414ab0e83f1bddeead338f8cce1eef4c
SHA256 75cde839e6ed42eb7635489030f7b7323061cb120be2138b3d83d45aa4560be7
SHA512 6bddd6865332e3fd24f213f6c7a2c1ba5be893944973033bc4c3f05db39b743ffa3a4a56aeaf34eafdb35535cd71f1d5d20f70818983f146cb93cec5ec668185

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[4].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\Y6JIBP3J.htm

MD5 33ba515f70457e90b7118e70ff81a0df
SHA1 43f9ca66eaabffcf7376531ee9555c8e23bc172a
SHA256 6f1c2e76792b2288b1ca7481b783cb0be8d510a22eaeb884671e44b05952f07e
SHA512 14e78bc79eb0c43ba603312401eeb78c4c1df76c95bfe7f618e8f9732c31357696784e24b4bf0ba23684a80c2d9894cd6d2e6c410dc0d188f42d3cb6aaf8d6fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[7].htm

MD5 9c06cde9bfda47a1c2f699f82cdef93d
SHA1 2a257ec314a62f14be725f74e7ed0e3bf18c0bff
SHA256 ce108fde434bcce5fd17c0439a282d300a35fce34eb28f28d03303710de9be7e
SHA512 4d140063ce53268402c8508b04c124548a33d818af89f9b67a5ffcb0d24936fc0624f136f3dfacde043ee7c2a2a8ece215f3ce30249f50805732c8b1599eb55a

memory/5088-239-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2080-240-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[9].htm

MD5 08efa65a9f1b415b91510a28fee94d18
SHA1 8473077f24293b6591eba57ce97c694d43c5c670
SHA256 6a5f95881d7b0e5503baa65d60dfb92f9770e0749b05f5341c8bd7c8cf9604a2
SHA512 4607ead1afd6ad185244db96f948386dfa76bff6a28c94a461ea14107d2057aefea13ff3589fae1b135134c87ef94b9b2e089b6f7f9971a12d180b0be2ac98c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[10].htm

MD5 7cc186e446a779b1f5173bfea4eee0ca
SHA1 81e6b4baa7bb590be38d61dc348dc6226882a5d0
SHA256 43e5e33de05879118dc74df4ae1b1ada099c3d758ccf69cfc258b560606ebf45
SHA512 77df9bf9922074327f1eedee4a8b732b20f440613816bef6a5ae894eea6560e2ab4b77a4a53952d087d8f4a973864278ecdd2f008761ebfa3169b994e02d4442

memory/5088-266-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2080-267-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2080-272-0x0000000000400000-0x0000000000408000-memory.dmp

memory/5088-273-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2080-274-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9c57e61a78466cd3603798f4d51e1085
SHA1 841f422e98d003b5a7baed8dcdc97cdd20cfcb75
SHA256 1f0c8938219f178b281397dbd78ff9e47aaaa8668feac8f1211d9f82e80072bb
SHA512 623e51b6596fa52c133e2468603b506478604ba8e6cfd55eed5708a6c4889940a661f70df496ee832d67f7a3568b837de06b13ef773b78a4755551b0eb84cef4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search2ISZ2D5C.htm

MD5 7e2b0f311a515f80733f0df1f0706cb6
SHA1 022523698a816e3a62c028141f0719a131a2721c
SHA256 6868078fd987ba945b1b3281b21789f8d2329a81db354b39eca7ffcdd7249a7c
SHA512 6ae43e67e2864c9112113c6a8d8ac119e1dafbfebc025ec3bae998c75cfa95b268165a03c04a0735586f914a5446df857a90162436604900ff6eb0f7f99b0829

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9afe68648f5d1796419c15d5d1c8e6af
SHA1 f678d8eb7efb89f1829033cda9b9db446c101607
SHA256 7d3f523fe0589a3f13f4f9f646be7b437595bc19a67c56e7f5d7f9f04c74ff22
SHA512 41ad2b8e4aa89993b620d26f8d8d169f1c168adf8ae901b35de74e6640c2ab4b79e76baa3f1d21ce6c4ed26f634db104dce2e8ade5dcbfc97e7f4dd171b7cc4e

memory/5088-343-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2080-344-0x0000000000400000-0x0000000000408000-memory.dmp