Malware Analysis Report

2025-01-19 07:16

Sample ID 240531-gemjqsgh71
Target 797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.exe
SHA256 ba0b188e2d49247864e1c709aa9b1467f57a2c73b484418217c1ad678f8645bc
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba0b188e2d49247864e1c709aa9b1467f57a2c73b484418217c1ad678f8645bc

Threat Level: Known bad

The file 797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Modifies WinLogon for persistence

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 05:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 05:43

Reported

2024-05-31 05:45

Platform

win7-20240215-en

Max time kernel

150s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSORES.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpAsDesc.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\osclientcerts.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jfxwebkit.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msdaprsr.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\glass.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pidgenx.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\hprof.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1372 wrote to memory of 2264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1372 wrote to memory of 2264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1372 wrote to memory of 2264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1372 wrote to memory of 2264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2264 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2264 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2264 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2264 wrote to memory of 2548 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 2548 wrote to memory of 2656 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2548 wrote to memory of 2656 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2548 wrote to memory of 2656 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2548 wrote to memory of 2656 N/A C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2264 wrote to memory of 2880 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2264 wrote to memory of 2880 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2264 wrote to memory of 2880 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2264 wrote to memory of 2880 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2844 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2880 wrote to memory of 2240 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2656 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp

Files

memory/1372-1-0x0000000010000000-0x000000001002B000-memory.dmp

\Windows\SysWOW64\rundll32mgr.exe

MD5 c5255edf109342e3e1d1eb0990b2d094
SHA1 ba029b47b9b3a5ccccae3038d90382ec68a1dd44
SHA256 ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
SHA512 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

memory/1372-3-0x0000000000190000-0x00000000001C3000-memory.dmp

memory/1372-10-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1372-11-0x0000000000190000-0x0000000000191000-memory.dmp

memory/1372-12-0x0000000077930000-0x0000000077931000-memory.dmp

memory/2264-25-0x0000000000140000-0x0000000000141000-memory.dmp

\Program Files (x86)\Microsoft\WaterMark.exe

MD5 f2c8b7e238a07cce22920efb1c8645a6
SHA1 cd2af4b30add747e222f938206b78d7730fdf346
SHA256 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
SHA512 c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

memory/2656-54-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2264-52-0x0000000000416000-0x0000000000420000-memory.dmp

memory/2264-51-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2548-50-0x0000000000401000-0x0000000000416000-memory.dmp

memory/2548-49-0x0000000000416000-0x0000000000420000-memory.dmp

memory/2548-48-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2880-56-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2548-33-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2548-32-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2548-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2264-24-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2264-23-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2264-22-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2264-20-0x0000000000120000-0x0000000000143000-memory.dmp

memory/2264-21-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2880-64-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2656-70-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2844-72-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2880-83-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2844-104-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2844-99-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2844-95-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2656-82-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2844-74-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2880-154-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2656-156-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 67701ba02451abf3bc53b8a165170fff
SHA1 45f4262def81d255c405e31ac3ab38b2e560583d
SHA256 397a4a3d2e376845f6d3816af275b19a59acc368dcb661f58093c5b3fc746f8e
SHA512 f2466f20831d0acd8b934c7bcc6eff08d1dc7543f354fe42859f1971bb581137d8c5ab86d0c6badea32706cbbc2ca2674e4edabd3a0a288d6a0e411c56e7d1af

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 c506416a5dd5cbe6fc86cd6fb7585487
SHA1 33889abac18666814f0d3c61c5df7280ae2e5ebc
SHA256 b79816ae0b418e3dd1c50c8afade3c90f539152a0c81daa65374c1d1e4c30982
SHA512 9b4e8e338c9582cb07fe5e651bfce4cafefebae5277a1ed1809d02b03acf1a8316dc19d60e3b212b91c555fcd5ffa363fac5cb7502cef6ae441dd491bf398711

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 05:43

Reported

2024-05-31 05:45

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\rundll32mgrmgr.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxE04E.tmp C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxDF73.tmp C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxDF83.tmp C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109917" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AC8C84A0-1F10-11EF-B8C0-46FD0705B728} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2163140975" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109917" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2163140975" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2165015916" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423899169" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109917" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 860 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 860 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2184 wrote to memory of 5096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2184 wrote to memory of 5096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2184 wrote to memory of 5096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 5096 wrote to memory of 2108 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 5096 wrote to memory of 2108 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 5096 wrote to memory of 2108 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32mgrmgr.exe
PID 5096 wrote to memory of 4488 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 5096 wrote to memory of 4488 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 5096 wrote to memory of 4488 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4488 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 4488 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 4488 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
PID 4528 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4528 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4528 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 5080 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1496 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4488 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4488 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4488 wrote to memory of 60 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4488 wrote to memory of 60 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1496 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1496 wrote to memory of 3480 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1496 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1496 wrote to memory of 2624 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4360 wrote to memory of 3012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4360 wrote to memory of 3012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4360 wrote to memory of 3012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Windows\SysWOW64\rundll32mgrmgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4360 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 812

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/2184-2-0x0000000010000000-0x000000001002B000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 c5255edf109342e3e1d1eb0990b2d094
SHA1 ba029b47b9b3a5ccccae3038d90382ec68a1dd44
SHA256 ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
SHA512 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

memory/2184-8-0x00000000774F2000-0x00000000774F3000-memory.dmp

C:\Windows\SysWOW64\rundll32mgrmgr.exe

MD5 f2c8b7e238a07cce22920efb1c8645a6
SHA1 cd2af4b30add747e222f938206b78d7730fdf346
SHA256 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
SHA512 c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

memory/2108-12-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5096-7-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2184-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/5096-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5096-25-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/2108-28-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5096-24-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5096-19-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5096-18-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5096-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5096-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5096-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2184-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/4488-36-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4488-46-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4488-57-0x00000000774F2000-0x00000000774F3000-memory.dmp

memory/4528-56-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1496-66-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5080-65-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/5080-64-0x0000000000C90000-0x0000000000C91000-memory.dmp

memory/4488-55-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1496-68-0x0000000000060000-0x0000000000061000-memory.dmp

memory/1496-69-0x0000000020010000-0x0000000020022000-memory.dmp

memory/4488-70-0x0000000000070000-0x0000000000071000-memory.dmp

memory/4488-72-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3d6908c3ea7ced33d2696a9ef09f8961
SHA1 a7d4321bbf04cb7335522cfee2cd36edc2d19c80
SHA256 fc0c60c571c30a39ce618b280cdede4a1837d2be33dfe2a4a3413c92a731b6e5
SHA512 071c3fa58a08000ad898384fef6e5fcdcd080ed52b084ec80d19e45f9fb5119557a1dfb42ebba2b22d1c971baa5a852c756c7526010b6b487f3239c8f0df4af1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 278b8b499733e824fa562dce5b3f2d31
SHA1 33214ee31a177e2e3a276de4f32cb7496c831d46
SHA256 790a987651fa54d1bd6f43854e41acb20ea4f9f27521efdf1334a2594887030d
SHA512 61495d742a302ef568f00af7fa4f95960c2da7eeddba4016eb3e5b980cab71f5d671c12d5651595af6da81e1c06b67ee81fc0426976fc83035772d5fea5dab20

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee