Malware Analysis Report

2025-01-19 07:06

Sample ID 240625-3jwtvszhpd
Target 243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe
SHA256 243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Analysis Overview

score
10/10

SHA256

243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a

Threat Level: Known bad

The file 243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 23:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 23:33

Reported

2024-06-25 23:35

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe N/A (20 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical entries)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px4B03.tmp C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{49D23CB9-334B-11EF-BCA5-F2AC8AF4D319} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425520271" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 440 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe (3 identical entries)
PID 1580 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe (3 identical entries)
PID 4332 wrote to memory of 2260 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe (2 identical entries)
PID 2260 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe

C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
N/A 127.0.0.1:56753 tcp

Files

C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\0a319eb1d56bb802d29db7b0882b0d4b\perl58.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\b12199ec1810c8921c6f3e4fde40ff2b\Event.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\1996b48458b3fe66c7ff11cb53f23c43\Encode.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\611242ee7a1c406283edfb1ce2f9dcf1\Tk.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\1ea70e44b6d1df8254c514cde11a5f3b\Cwd.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\14d6b35664bf47c1984722da0acaa7bb\Unicode.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\84f764ccae4d5d7b117c169a67858331\Entry.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\5457f9191e7a7dbd7ae41defd02457e6\encoding.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\75f29543113df21eb90d1aefa0207222\Socket.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\13ddf9b2dce1fd240486bf7f9f8cb21e\API.dll

C:\Users\Admin\AppData\Local\Temp\pdk-Admin\9e63828c53d7cd2b1bf30ffbce951400\CN.dll

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 23:33

Reported

2024-06-25 23:35

Platform

win7-20240221-en

Max time kernel

134s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe N/A (3 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe N/A (9 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px1E5A.tmp C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49331901-334B-11EF-B1CF-5A791E92BC44} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425520259" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe (4 identical entries)
PID 300 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe (4 identical entries)
PID 2632 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe (4 identical entries)
PID 2628 wrote to memory of 1184 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe

C:\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
N/A 127.0.0.1:56753 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp (3 identical entries)

Files

\Users\Admin\AppData\Local\Temp\243824359fb624a558cb8fa4648f1f3d3fa9385b2a83b608fef4175bc1c3ff9a_NeikiAnalyticsSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

\Users\Admin\AppData\Local\Temp\pdk-Admin\b12199ec1810c8921c6f3e4fde40ff2b\Event.dll

MD5 b12199ec1810c8921c6f3e4fde40ff2b
SHA1 530a1ccd39de785771c30aa175ab94a3f085c21a
SHA256 4f4bba152d16c05824ff1ebe4d8b2b52365ac745b45ef2b7ded13fbf1bf4a8c7
SHA512 af244a32e39686f8876400963c33a0a297c797fd80b3b3a535de6abdd9584b5cc3fdd7b2934e636392bc8fd5d9fe81e4b9bc25b642b4f58646e341de72f19a6c

memory/300-60-0x0000000000230000-0x000000000023F000-memory.dmp

memory/300-59-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2156-18-0x0000000000260000-0x000000000028E000-memory.dmp

\Users\Admin\AppData\Local\Temp\pdk-Admin\0a319eb1d56bb802d29db7b0882b0d4b\perl58.dll

MD5 0a319eb1d56bb802d29db7b0882b0d4b
SHA1 538b7d475d5a068b98afc6a98bef349d72b16d0f
SHA256 37c38a5e0d85cb10ff6f68829bc848b27f312e7d95d4c8edcc0fb85366477b7f
SHA512 e6b0f96b58da2e80ca729cb84489b1716e231ddeef66939c1762afc6b5d3914bfd6727041fc170e2f9964edb0b53bd3b4a8ef2fbb81289984898bd703b617ad8

memory/2156-5-0x0000000000400000-0x00000000006A0000-memory.dmp

memory/2632-80-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2156-90-0x0000000003030000-0x00000000030C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\pdk-Admin\611242ee7a1c406283edfb1ce2f9dcf1\Tk.dll

MD5 611242ee7a1c406283edfb1ce2f9dcf1
SHA1 762444790231dc08b6dabb474ed5f0dc782d65a8
SHA256 f790ef2dac6b4cd4d706c4b86dff137de24560077cb060f1da0b64d3278cabf0
SHA512 fe96cbeec3fe6ff40632d7c080285cbde2c3d5398ef32bf0a44d0bf80c2aad4365a674970ce81a0be5c62dfaa489f6d891d196028ab165ed885c430da6b5f197

\Users\Admin\AppData\Local\Temp\pdk-Admin\1ea70e44b6d1df8254c514cde11a5f3b\Cwd.dll

MD5 1ea70e44b6d1df8254c514cde11a5f3b
SHA1 d387b307c569112074980f6140e2aee57c223655
SHA256 c4b1bc9a677e960db4b5182c5917adbdcae14e177f5734b2ea77d2e7726995f3
SHA512 04ddfabbd07b0e33f9134c8d6e419f9d3e0f1546df10d70a2c77ae48799e6ae5ffdc6df78a8c1e43f02bd12d615d2916bf0809c21e5ab3a6bdb4542faaf439fc

\Users\Admin\AppData\Local\Temp\pdk-Admin\14d6b35664bf47c1984722da0acaa7bb\Unicode.dll

\Users\Admin\AppData\Local\Temp\pdk-Admin\1996b48458b3fe66c7ff11cb53f23c43\Encode.dll

\Users\Admin\AppData\Local\Temp\pdk-Admin\84f764ccae4d5d7b117c169a67858331\Entry.dll

\Users\Admin\AppData\Local\Temp\pdk-Admin\9e63828c53d7cd2b1bf30ffbce951400\CN.dll

\Users\Admin\AppData\Local\Temp\pdk-Admin\5457f9191e7a7dbd7ae41defd02457e6\encoding.dll

\Users\Admin\AppData\Local\Temp\pdk-Admin\13ddf9b2dce1fd240486bf7f9f8cb21e\API.dll

\Users\Admin\AppData\Local\Temp\pdk-Admin\75f29543113df21eb90d1aefa0207222\Socket.dll

C:\Users\Admin\AppData\Local\Temp\Cab3517.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar3608.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
