Analysis Overview
SHA256
ec18f3cd05ca393f6fe4d548677ad25a985829b227bf115a170da04c579ac358
Threat Level: Shows suspicious behavior
The file 9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics was classified as: Shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 06:51
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 06:51
Reported
2024-05-10 06:53
Platform
win7-20240221-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ = "ICubiqueReport" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport\ = "CubiqueReport Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb\0\ = "Properties,0,2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll,1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\ = "OPReport Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ = "CubiqueReport Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport\Clsid\ = "{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ = "ICubiqueReportEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus\1\ = "205201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ = "ICubiqueReport" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ = "ICubiqueReportEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2984 wrote to memory of 2092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2984 wrote to memory of 2092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2984 wrote to memory of 2092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2984 wrote to memory of 2092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2984 wrote to memory of 2092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2984 wrote to memory of 2092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2984 wrote to memory of 2092 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 06:51
Reported
2024-05-10 06:53
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ = "ICubiqueReport" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ = "ICubiqueReport" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport\Clsid\ = "{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ = "ICubiqueReportEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb\0\ = "Properties,0,2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\TypeLib\ = "{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport\ = "CubiqueReport Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ProgID\ = "OPReportPreview.CubiqueReport" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll,1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\ = "OPReport Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ = "ICubiqueReportEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\MiscStatus\1\ = "205201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C1BE5FB-FBE8-4D70-90FE-0F838AE04F2A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\OPReportPreview.CubiqueReport | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A7C01C1-9F03-4D1E-959D-9D9D2B54670A}\Verb\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4FD29E5-FD73-4F2E-BD01-46441BFE93B1}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C95025-2756-4828-923B-E2808A4B486C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C95025-2756-4828-923B-E2808A4B486C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4952 wrote to memory of 3532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4952 wrote to memory of 3532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4952 wrote to memory of 3532 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9652d8eae91c5807e2589d6d468748e0_NeikiAnalytics.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3532-0-0x0000000000FF0000-0x0000000000FF1000-memory.dmp