Malware Analysis Report

2025-01-06 07:48

Sample ID 240530-qa5deshe5s
Target 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe
SHA256 79db5ee51b3e04f6d56b27a9305c39331e803e363994b0ab6ed64b0e1aa4701c
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79db5ee51b3e04f6d56b27a9305c39331e803e363994b0ab6ed64b0e1aa4701c

Threat Level: Known bad

The file 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 13:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 13:04

Reported

2024-05-30 13:06

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\W: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Z: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\M: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\O: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\R: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\S: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\G: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Z: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\T: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\H: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\P: C:\recycled\SPOOLSV.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SVCHOST.EXE
PID 2128 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SVCHOST.EXE
PID 2128 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SVCHOST.EXE
PID 2128 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2076 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2076 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2076 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2076 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 3036 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 3036 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 3036 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 3036 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2760 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2760 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2760 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2760 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2272 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2272 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2272 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2272 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 3036 wrote to memory of 2804 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 3036 wrote to memory of 2804 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 3036 wrote to memory of 2804 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 3036 wrote to memory of 2804 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2804 wrote to memory of 1664 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 1664 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 1664 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 1664 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 2688 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 2688 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 2688 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 2688 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 2804 wrote to memory of 2548 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2804 wrote to memory of 2548 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2804 wrote to memory of 2548 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2804 wrote to memory of 2548 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 2968 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 2968 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 2968 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2472 wrote to memory of 2968 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2128 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe F:\recycled\SVCHOST.EXE
PID 2128 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe F:\recycled\SVCHOST.EXE
PID 2128 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe F:\recycled\SVCHOST.EXE
PID 2128 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe F:\recycled\SVCHOST.EXE
PID 2472 wrote to memory of 2724 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2472 wrote to memory of 2724 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2472 wrote to memory of 2724 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2472 wrote to memory of 2724 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SPOOLSV.EXE
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SPOOLSV.EXE
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SPOOLSV.EXE
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SPOOLSV.EXE
PID 2724 wrote to memory of 1956 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2724 wrote to memory of 1956 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2724 wrote to memory of 1956 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2724 wrote to memory of 1956 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 2128 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2128 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2128 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2128 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1980 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1980 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1980 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1980 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2128-0-0x0000000000400000-0x000000000041A000-memory.dmp

F:\Recycled\SVCHOST.EXE

MD5 7ff93d0514eceb0211c206844b2b204f
SHA1 0f8bc74dacdedae1dc02110543c05da5560193c6
SHA256 96153b57662b2aa88878017d93673d50d6b15f3fd43b6c5c4162a71e946b60dd
SHA512 9166940ac2baace0af590a552cbee442a14395a55c7561704bc8acff06cc3d972de85f45c668c730131637bb748408c9dd4e149df39e18c8e10434af248a00e7

\Recycled\SVCHOST.EXE

MD5 bd239d379298357d6d38d90cd991ac69
SHA1 34446066ddea9afbc4e9c71c24c21a0bae4359ad
SHA256 33a78d4f55b3a62d3d63675a2b8a353e9e5d98fa5bbfb0a123517ee506515352
SHA512 73ec09f27d89272ee4a7fcc40f64f796f617ccc5f84a35f7e923e89d18034e65fb801eccbaaffa4825e3ce346e009b1978c45809c2ed3b5bde317205f3335f58

memory/2128-18-0x00000000003D0000-0x00000000003EA000-memory.dmp

memory/2472-26-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2128-25-0x00000000003D0000-0x00000000003EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

MD5 0269b6347e473980c5378044ac67aa1f
SHA1 c3334de50e320ad8bce8398acff95c363d039245
SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

memory/2472-32-0x0000000000730000-0x000000000074A000-memory.dmp

memory/2076-37-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2472-40-0x0000000000730000-0x000000000074A000-memory.dmp

memory/3036-42-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2472-41-0x0000000000730000-0x000000000074A000-memory.dmp

memory/2760-52-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2272-57-0x0000000000400000-0x000000000041A000-memory.dmp

\Recycled\SPOOLSV.EXE

MD5 8922b4a060f7e5fbe2cf31e16338dc4d
SHA1 72a177373b1cef99dc66fa28e33dd6f27be8a48d
SHA256 51dc0f633b62680165b82ee2931d98f5fb856ed02ee32dded77e635b5324523b
SHA512 7c78ff85774c4c4500608d6022fda8a42e4172c8ba95aad7887d7777e41fcbe17ffef0bfb65321d6bd8200ce48cdba01fe1b2fc813e4be30d0c05d377a17df6f

memory/2272-60-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3036-61-0x0000000000800000-0x000000000081A000-memory.dmp

memory/2804-71-0x0000000002430000-0x000000000244A000-memory.dmp

memory/1664-74-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2804-78-0x0000000002430000-0x000000000244A000-memory.dmp

memory/2548-85-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2548-86-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2968-93-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1316-98-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2720-103-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2128-104-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/2128-105-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1980-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\begolu.txt

MD5 2b9d4fa85c8e82132bde46b143040142
SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 13:04

Reported

2024-05-30 13:07

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\recycled\SPOOLSV.EXE N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SPOOLSV.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" F:\recycled\SVCHOST.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\recycled\SVCHOST.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened for modification F:\Recycled\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\W: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Y: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\Y: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\U: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\W: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\K: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\I: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\V: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\K: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\L: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\S: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\J: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\V: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\O: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\X: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\E: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\J: C:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\N: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\Q: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\T: F:\recycled\SVCHOST.EXE N/A
File opened (read-only) \??\H: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\P: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\T: C:\recycled\SPOOLSV.EXE N/A
File opened (read-only) \??\E: F:\recycled\SVCHOST.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" F:\recycled\SVCHOST.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL\COMMAND C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SPOOLSV.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\docicon.exe" C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ C:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ F:\recycled\SVCHOST.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\CONFIG\COMMAND C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\SCRFILE\SHELL\INSTALL C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\QuickTip = "prop:Type;Size" F:\recycled\SVCHOST.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\TileInfo = "prop:Type;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SPOOLSV.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\*\InfoTip = "prop:Type;Write;Size" C:\recycled\SVCHOST.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A C:\recycled\SPOOLSV.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\recycled\SVCHOST.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A
N/A N/A F:\recycled\SVCHOST.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SVCHOST.EXE
PID 4556 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SVCHOST.EXE
PID 4556 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SVCHOST.EXE
PID 4804 wrote to memory of 872 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 4804 wrote to memory of 872 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 4804 wrote to memory of 872 N/A C:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 4804 wrote to memory of 2540 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 4804 wrote to memory of 2540 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 4804 wrote to memory of 2540 N/A C:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2540 wrote to memory of 2176 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2540 wrote to memory of 2176 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2540 wrote to memory of 2176 N/A F:\recycled\SVCHOST.EXE C:\recycled\SVCHOST.EXE
PID 2540 wrote to memory of 3324 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2540 wrote to memory of 3324 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2540 wrote to memory of 3324 N/A F:\recycled\SVCHOST.EXE F:\recycled\SVCHOST.EXE
PID 2540 wrote to memory of 1220 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2540 wrote to memory of 1220 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 2540 wrote to memory of 1220 N/A F:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 1220 wrote to memory of 2868 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1220 wrote to memory of 2868 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1220 wrote to memory of 2868 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SVCHOST.EXE
PID 1220 wrote to memory of 624 N/A C:\recycled\SPOOLSV.EXE F:\recycled\SVCHOST.EXE
PID 1220 wrote to memory of 5016 N/A C:\recycled\SPOOLSV.EXE C:\recycled\SPOOLSV.EXE
PID 4804 wrote to memory of 2116 N/A C:\recycled\SVCHOST.EXE C:\recycled\SPOOLSV.EXE
PID 4556 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe F:\recycled\SVCHOST.EXE
PID 4556 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\recycled\SPOOLSV.EXE
PID 4804 wrote to memory of 3964 N/A C:\recycled\SVCHOST.EXE C:\Windows\SysWOW64\userinit.exe
PID 3964 wrote to memory of 2704 N/A C:\Windows\SysWOW64\userinit.exe C:\Windows\Explorer.EXE
PID 4556 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe"

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SVCHOST.EXE

C:\recycled\SVCHOST.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

F:\recycled\SVCHOST.EXE

F:\recycled\SVCHOST.EXE :agent

C:\recycled\SPOOLSV.EXE

C:\recycled\SPOOLSV.EXE :agent

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.32:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4556-0-0x0000000000400000-0x000000000041A000-memory.dmp

F:\Recycled\SVCHOST.EXE

MD5 ebeaa8657231c2d1786e4f38c15948e3
SHA1 097713cb6b55521ea5294f85adacfb84dc0afb84
SHA256 4c0e6bccea1b5b62dbd2fc88926496bdb61dfac85029393aa9c1db58279c04d4
SHA512 129662542de922b3c9a67ff1fb305a73f0d76467c9e24fb8d8f005d2299996e8c3648455bcb9cf54c0f23929de62454169418959c182d5d8316dcb13621123d5

C:\Recycled\SVCHOST.EXE

MD5 6c9c9f12535612eed119b5f8ed137457
SHA1 d061c21b9411e3816fdf85387e4e05b62a278514
SHA256 bc1e863bde6f68e3611b74b76fea33ba81e988e0f13b040c223c6a89872ee258
SHA512 c161a2c17de9e25441cb87939be5319ed54d022307f883038c688f0629504f611c3921c51bcf14a34836819542b22d277fd12ff8b02cf6d9188ddef778775a84

memory/4804-18-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

MD5 0269b6347e473980c5378044ac67aa1f
SHA1 c3334de50e320ad8bce8398acff95c363d039245
SHA256 68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512 e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

memory/872-25-0x0000000000400000-0x000000000041A000-memory.dmp

memory/872-29-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2540-31-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2176-39-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3324-41-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3324-44-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Recycled\SPOOLSV.EXE

MD5 dea7ac0928d76fe25df0d233cf9cfd42
SHA1 d3dac7241dea3925948649c43b62d55eee1e32d5
SHA256 4e198d138f28edd805a7d2e24636bce42b8c4e8b51013cdf89458b33d83b78bf
SHA512 3b43e6f6e304cda82824a4a11937e583d0fa2f9567a000ebd753b66fe6d1198fb2f65c928c22aa6571d8653036260a7dd15193c6cf08498a98d73f0c69dcc8d3

memory/1220-49-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2868-56-0x0000000000400000-0x000000000041A000-memory.dmp

memory/624-60-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5016-64-0x0000000000400000-0x000000000041A000-memory.dmp

memory/624-65-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5016-66-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2116-68-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2116-72-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3952-76-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2100-79-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1444-80-0x00007FFD20850000-0x00007FFD20860000-memory.dmp

memory/1444-81-0x00007FFD20850000-0x00007FFD20860000-memory.dmp

memory/1444-84-0x00007FFD20850000-0x00007FFD20860000-memory.dmp

memory/1444-82-0x00007FFD20850000-0x00007FFD20860000-memory.dmp

memory/1444-85-0x00007FFD20850000-0x00007FFD20860000-memory.dmp

memory/4556-83-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1444-86-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp

memory/1444-87-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD90E0.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\begolu.txt

MD5 2b9d4fa85c8e82132bde46b143040142
SHA1 a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA256 4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512 c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be