053d77402e5cf733eb2111d5adbf0c4eca1ff7dbd9db2a3d28ea5ff9f4ae4da2

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Size

645KB
MD5

83758eefa7a5cc7a0d07f638965ea1e0
SHA1

9b26bdb934d31b0ab77ba9e3d5c4ab8285b0da14
SHA256

053d77402e5cf733eb2111d5adbf0c4eca1ff7dbd9db2a3d28ea5ff9f4ae4da2
SHA512

4fd7aa5ccef508b779da5d367ba3f4eed1bafc904cd9323a3cb81fd058c5910a87c70178c42307d69b2a2d3a47187dccd398f36ed293a870585cdfd831314323
SSDEEP

12288:TLySlYJZK6WrFRUPQ+kq8PeeDJIO9ep56+kWLh12jT6xtjdA5:T+SlOa8+PeeDJIIefXkWLD2axtjdA5

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Drops file in Drivers directory 64 IoCs

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2896-1-0x00000000001B0000-0x00000000001E0000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2808-7-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2900-12-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2896-13-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2808-21-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2648-29-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
behavioral1/memory/2364-33-0x00000000003D0000-0x0000000000400000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2364-38-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2912-48-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/572-59-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/1924-64-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2724-68-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/1924-77-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/1692-85-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2228-95-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/868-104-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/3048-114-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/676-124-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2072-132-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/708-141-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/1952-149-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2556-159-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2832-167-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2116-177-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/1720-184-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2028-194-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2900-202-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral1/memory/2536-210-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\N:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\L:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\L:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Modifies registry class 1 IoCs

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

pid	process
2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2900	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2808	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2648	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2364	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
572	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2724	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1924	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1692	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2228	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
868	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3048	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
676	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2072	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
708	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1952	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2556	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2832	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2116	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1720	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2028	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2900	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2480	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2536	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2428	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
240	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2568	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2768	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2752	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
968	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2576	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2164	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
940	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
5⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
6⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
7⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
8⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
9⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
10⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
11⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
12⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
13⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
14⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
15⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
16⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:708

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
17⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
18⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
19⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
20⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
21⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
22⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
23⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
24⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
25⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2536

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
26⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
27⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
28⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2568

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
29⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
30⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
31⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
32⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
33⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2164

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
34⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
35⤵
- Drops file in Drivers directory
PID:1716

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
- Installs/modifies Browser Helper Object
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
663KB

MD5
12fb15803d3cb08e68bfc9d999ae649f

SHA1
a99bb9a40780283bb42efafb9facc268c4063dee

SHA256
9753f17332a4070f8e17d0ad5d4bd9565117cc02cab4af3d753b88d7f0f378b1

SHA512
cc298c4b83dfa05bec0f38760326804538713b81ffe3c392f45598c6d6713544e8d5af4b903e000c22aedb4676ecce5e397600274568a3468fceae92ce2f2447

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
650KB

MD5
86d27010cdae78dd7193e3955d31be80

SHA1
7fd3d1197d4343ddc4d4a03ad4842db4412d20e4

SHA256
31e25ed7ad805e18b176678bf8b542b3317d7134d248570511ee168db1425c36

SHA512
0c23121b41310cd4230b3262e870bc916d551271909b0982192670ba1572077f418ca91fa42ba1df76e91bf2616d938d02faaa77a011faacce234b975f473123

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
675KB

MD5
e560eb8d609e00ba87271955c788b123

SHA1
680dbc0dd128a305094d4ae46c4c7355dd28fd93

SHA256
0480d4af3dae360673864e510bf0b2e625b1e72982586a2fe27644fcce8d0864

SHA512
c4421a4c9c4963139e56e14f4a14d55d7186c05d1e7f68de14601b68cf43a8b631d9416ace06b9c58d09dd4a1c5ca486ad8d62ef41b93b1741afef921626e4a7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
677KB

MD5
b4d8a3537524269af377773d0ec4575d

SHA1
395b925b5324f61c7379cf7e5a2f8404c560442a

SHA256
bd61584b5682ad8921f12566daa90ab2e79eb084a49ec01b37791aa4eeff3d54

SHA512
a8a003f70309c4261afcf6544798eba75330ea0efe25d1f471dd8732ffd067afded227965207e3e0847cf8dc3a7b520dadd6b832590415d444b6cceb587eacb0

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
646KB

MD5
b1ad36f94b2a6919d73f04264e7a7f5e

SHA1
2f5e1dff38f7db8860d7be22ea783a25a3d867a7

SHA256
92522a946fb27f6abf80082bf5dcca577bc78001b46ba65e256efc55e08cbfe9

SHA512
90ea4aafe868f69399e06d52a223a80528ede3b9e1b68cf70ed402ee6b64e4cdda6e2f68234eba24fffd3082a4c1c4fef9eb2f78a9f8c0d1f5635485a8b3de31

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
668KB

MD5
dcd605c78865feaa4b2f323d7fa1689e

SHA1
5094f67b7160b1c2e79f28747afc54d65a1a6b90

SHA256
47b2d2cdf2fba22f14f5eb51ecdd7d485f1a11674fc2668427c86a4fd6786ac6

SHA512
fd05afbdaba31f1bf0b395062b4da1586805fa192b97cdddc58bbebae5f2bf5bbbbe22a9eaee674b7fb534459a84d692bf4bc37320e687d01a47a1d33fe92bb1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
673KB

MD5
5a20df51483277500571351bbe833440

SHA1
b4470fcea4a80bf078a389c9913eede4bb6394e2

SHA256
1b84512840d6b0cdfdaee101871614e0ef06400d23f79cd3ac24bbc21cab6700

SHA512
562378d25e93a124ac1103dbf738382c749124473688ad09392e4e43efe52907987733990974038cc9975f20d72e97ab79767f17d37bf983d2751e26ca0334a3

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
660KB

MD5
138e366a54398bea6db7fe664378b64f

SHA1
74ef45dea93e7810957c6ec772a339e615313a1f

SHA256
e3d24ce756798e53ae65f5b992705776165e1d26ee9f8a7708f1ec5b7ee95ac8

SHA512
c5ffb90124e59331eb4c15ad4d365c00cdaec41fd660f228e10297a90e43c7725eb6f94258ad0449d13f5f9ebd3157cc9b05b491411bfd706b9225f798d759a7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
671KB

MD5
6eadd5ef25e5cee6886f4905c208836a

SHA1
e031d91866769614b8a3a0c47588a92601ab69be

SHA256
7caa8d08bc5492cdf398cead47d026b0ad04de1a6026d9f2c9f2a97fa96383c3

SHA512
5433d7676eef3dc4ed802b476de25d20aed9bf2ff9db8041ecd5adf24caf69843001316ff6fb578ebbaedc8199c1ad9fdf5edc93b17a306b6abf0e11e8c457d9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
674KB

MD5
efaf472b1127f258dd84cdcc5c018d2f

SHA1
f921d8f952f74e1a7b021c9200d5bdbb64a0fd3b

SHA256
d5bb2dad27c088801cca5b2c2f0bdc16cded5e0910c511991997324cd7e45998

SHA512
66b915c2ba8690e6a46d6f4faf76f87a9fc462cf79f8749e3cf92cf6bfd744dbd3beb7614351b39d54a4ae6647b4986879d61b659995bf33a0c1ae76150a7ed2

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
662KB

MD5
153d749ff81729ff3b051d528f703737

SHA1
dcecb81b1468729b8d5f3a9e75a325ed6d0606be

SHA256
aeda0f0275ad8237288eb8907cabcace638bc1f6d526189dfeec4432173f5573

SHA512
9e168cde5d6f4606a5020d1dd2161461cf2ba2d0d91589227c9feff44958fea74699ee4bf0f901d0bab173265cb07c8213b2102252b1a91819946b80101e6fc5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
658KB

MD5
f3bf299865f5619fb181ee6ab1f2a68d

SHA1
5d39604902056d60aba29cf85b864550a77cda78

SHA256
e4094fd2b327179946daf7048605f8e6688ff223e5e0c9e6b8b44688ca98538b

SHA512
7ebda10a43e56bad52557e7f17ee8c444353eb7ce94660573b731039e8d8d0b89d0c36f269365737c9fcbcedb1b7b5699c2c4b589d4abb37035c87b9b80c0324

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
655KB

MD5
943b94591aa51e3f2f816b2d730982fe

SHA1
60cb8762cad05338f7c3d697b217fa407665539c

SHA256
57e139beebb1d358f023d63b8f7f02c3b2f73c5e23f58c0550fc513230e21c12

SHA512
817f3df63f0f1bcaf3f2e0e3a6694a137f5db06d89ef73f10ab9341b5c00fa027bd44e16a321bc10e9774a49653e3fc8753a8093382927b5aaa0e2b5d1535b41

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
666KB

MD5
f8a0fb36231e17404b709a7d33c9605e

SHA1
e07807b496f5659d4e62812b2f2efc4bd6049757

SHA256
681cc41be74360ad8149c294728d10a6117507c1d06afdcd9815876d81ed2fb6

SHA512
2fd23ca76e98aba035da4104d9a92c1b0a42c7fab0c9d475979785547e82d6db5722ae25b21a0b62375edc771c7e2202a4367f1a011a4b92bbf55cd725e4e9d8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
663KB

MD5
46063a5f718621fc492d231aa80e6248

SHA1
0913f1e5f5c549af60e51589ecd7fa1e148420a5

SHA256
37d35f9a3185f2f135d66e436c8685754f771aa926cf273728df34938c837f93

SHA512
b60bf0564db7c07b0c8d3869283f2a97df21e49fc5a0f07f03ec6cba680a395b218c20cc9daa8a379584d49852d164d0735fc2e9c92a661fdefb9cfda1bb3c4d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
647KB

MD5
4f0982aebd5658e6cdfb287aa4e7153a

SHA1
a4636db8e341b9aca773ce6267310d40883ab293

SHA256
4d5b0e460de6872e435afcb83c35f85f36bb98ba46e5b8efa9b300e83a31bbdd

SHA512
b7e776826c39ed5618c2f270dde97f8c4a4d7b9fc948e52b9ba4449d3fb6aff1adf7f2bf24cb754a3de3f8eac490b6e3a29e103752258950c794dfe5b3762e24

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
669KB

MD5
ee68a5934062010e820df167d1f2b028

SHA1
d8abcc5c73e93175e3594c89e499045f51eb41b3

SHA256
953e07658c02440f9792a8c185da8b01d6f27b19c435453bf103a152d98d2528

SHA512
3ab1a2db14a04e6d1dd6a8cd02811b7cab00e99ddb53abe5a5a65303a8a017eb80c44eb424075264b1a215abd08577fa80c5cbb01d6fea6a9eb03928f63254e7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
670KB

MD5
bc6f35365caed72d4db1cc86d9d6b98a

SHA1
6bcf91bed98513c9da27e9896d9fbf925f79a99c

SHA256
5f10f5fe59aba16092542f6b1a4572fd751420620a9545ac19fd7a0117b26e7e

SHA512
f6e42ef37b1a184bdadb79571f73f3a30094d3deda965484477f14c7f6a2c9c8901e45dd8ab1aad59990ff0b63a42cd9a7ed5e0ac95d39f835ea19bb50e34522

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
668KB

MD5
4e4e5f05b731ff9ac94875c48a9c5652

SHA1
370f6040af2e7374e522d4b53cd76d51cb706e95

SHA256
85a8d7a731a5463e17f151b4f1911170729cf406e10717147037ac4255cf5783

SHA512
529dd3d61748e32f91d277d8b222a191b4a66bc2e3e3cf6a9c7b5b0e37978b30297bcc33102598145d1a4d723fdb116c09c6c5897705e29ebcab10367422097f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
658KB

MD5
a2b7cb019a57b7a97dbbc7d23b1a9b55

SHA1
3c6715d1ff48d1121638489c6d7726fb8d68359c

SHA256
cf7bdcccc70e5412eff3d10bd48b5668de46632214f9f4620d3f3735db46b661

SHA512
d26552e462027fd52060f86be8989ae09d9b94e20500f19ab3123c82d310f648e01c54330b7206ec7fdd2c9106f9ca8276f444318a36c496626c2af2e0cd7360

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
648KB

MD5
fa43539f10bd44d7813acda8c76702ea

SHA1
2366b788110089395859ae421fc2e340c7d1861d

SHA256
16bf5273a44a89e2301b69bed5aa9e523b01c90be5d929474a7f8e6d10c920d7

SHA512
9243f93f12ba1a14a0fc00dbf43ef24bc56d8e90798f873151a298ce5a781d7171bc05b6c6636483eeace976b2c440903f4f89f2330e0ad9f62b98c437a8e547

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
646KB

MD5
94a6d51df969f404385b35030a7057ca

SHA1
9252520d4747b68e916186b7a134964d388afde7

SHA256
9faae94a74dfa66e7a9cad5aa402baaece414a8d365644065a188d9bad2856b3

SHA512
1e09455c6df71d4da3bad87b6ffef46b05aee8969620f3ea2b6dadb7e905c09394ce77bb6f1d680920bebcade51d5ebd7f3e571b2b243a5c3ead4b57cf8b1711

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
652KB

MD5
6389da9ff438a07923b714ca2749a82a

SHA1
deb30a1ff73eca88bdfe84729f01e84adebd9cf3

SHA256
8184099f71275f3dfd99660b3e42491733f89fc1fe026ab49c629eeb0c55b8fc

SHA512
b8178363f8bb51596a2b00fcf6730323bf8e686b9401ed7fe846b8172deb4143f68fe4fc9c57c88ec6d0192b0b29c686aef6c2e398b9d4a8907c9d23507bcad3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
650KB

MD5
51b97cb27af6ac2512851a2189485bfb

SHA1
c70c99ada5e929cd193c92acc0cc450112c8f933

SHA256
834b5af00a5154db7ad2e1561766bad558a5a3c5db918400968cad1f9ee063ce

SHA512
0cce1bcbb955a6cb70a93f0ce7ebb97302d1c8daac2ded88756f2beb9911b3d8c5aeceb394516df95fbe6fb6448590dbcc159694bd4d60f23edc9a067c626424

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
662KB

MD5
1938016c3e7c12789e752d6319bb602a

SHA1
ad15ae0bfcc423590920bb45bf9d90fbfd3b4217

SHA256
01db3fb00ac107bec07ba468f8591d8ea2b5055b2027e5a0b0f7a08cdc724760

SHA512
64c69a4ccfc9514cf621eab4508474567ff0fa3c47a7c0ee474040f788ac57251b562798a295052fe386b0716e774bd11e84b7f44c2e8d9a5310af88538ca60d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
660KB

MD5
54059a14cf518524c0498c70f452206d

SHA1
84aa21455dbe775e0df7bf7e9046981d3206ac10

SHA256
8b91e2c76a1fc64e31eec9af8263e239443d11614d60ad1197f600e58233e047

SHA512
70490467fb13772d6c41f16e792096ab218deea0ac749fba491e5768a4c68306dabe61efd620067fb5ecce7878da601f6d1d1f8aae0a1ed50fab74ebaecc6e31

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
671KB

MD5
2c7ffbcf358882e6f148f2216b62b4b1

SHA1
884200a6913b35f7d2744c4e91318f2842c9969a

SHA256
c703f82c6895e69d2618623d384bbfcbd09d607beed0f9b3614091a8dc46e776

SHA512
c500c5c8d1353bdb7b7e12706db3448612bcf5c79e6ca8272ffa42084369dedf44e2e4f29bc3522ab0a22d2e8de8eb623966dd71bf24d2df12262cc6f993ac1f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
656KB

MD5
1d3ee1febe25f654571674975158f307

SHA1
a63e2ebfba5ac4671822ccd91a75cac2a123f51f

SHA256
c18f032df1258eb93435ed2ca9aac4e1f3cb6c2b94c0f141675732cfe894898d

SHA512
2e9560463d1ace5fbc6b78e58c9f4f51810b88d052e2b387c1643e4dd4bdf6bce220849a66f94b36853c2f1241bac7fc53a1c47b8951f739d4f443ce72545726

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
652KB

MD5
5d41c5671408f578618c3e38a63f4694

SHA1
3565b9d5e7dd88f62fda0d2a181c67f2b32eb54f

SHA256
8ef7d5ba0ebb3517507651730b9d7772d8e1937f228a1f2e480a66cd14f12ed8

SHA512
423f8ab6d9ac97b5765e258e3b5a16625b7b7d01fcee4916ad27cbc9cf58c116c71ee6929b629a6f864bb568ea51b8096dd97347c871b1ea73fd1d59b8e92efc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
650KB

MD5
5d3bdfb5edbd16b3dcfd32bf0ecf3748

SHA1
a43f72756f8d6b3480ba836dafefa321f8c0e969

SHA256
6df5220cbd356c210cd393bcfbbbf14108753ae5ec3d6feb7fa15a15ae110f93

SHA512
8461db06dce0bdcda5ab8aec6a20a136955081c6db40427f1e5091957b1349e547c2794440797d9ac484d8aa2b969a102a2a77506777e77e2d27582ae11dcc58

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
648KB

MD5
2b8c5acf0ff99664a149f081e9402d02

SHA1
6a183ece2b1e046a376842e296c0341db85c8942

SHA256
cf3b493a31dab2682f5022215cf93bcf3e0ac5b3e9717966763256e210956e87

SHA512
24c68111778f566d69ece52777fb5340f291692e5dd9109660ccd66a9703491be17353578d550ffb0f26af2a28b4cd9d41d85c81de5b65dc302ebac358a3b4b7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
662KB

MD5
8c6fed2f9106f576ce1aecfded1b8d2e

SHA1
ddca6d96d56a29ac83a2b0eb75f66c60bd589bb8

SHA256
3e55be05c856e500387426b4bfdb11db49680bf607f8eea8440d86e05ca13412

SHA512
86e257cd8d58b5fb7eea891a2d35928848a6ceaf60a27804b077b9fd102244c1c9e2605778aca796b0c0b1b43b1cbd82104ab41d7e53e4a64a23df9825310a63

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
658KB

MD5
c92d01e29c114793a514f56fd30317f1

SHA1
2a44fe7ec753e71cc4cf01a75340276c416fa9c9

SHA256
e9d8b697bc192a5e91c7b4a24ab4e6a1bae2b937ce44b7b6e23ce24e8c6d213e

SHA512
628bd63c73b77205d8ddeeeeef92e949e142c2df8b4606bd7e34bb60d5e85e6a4527c028a96479581b23e00cb1e4da0786357fa295c2110186bc152de03aa6a0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
658KB

MD5
86307d395c162745a61ec885cf9b4f71

SHA1
a04ee3cf16a485e6619024e58d2b2b98f9d3f82a

SHA256
794147c7c76d5f75f1be2493483c60c03fef6acec16675e42e6d0ce52a9eb814

SHA512
de8ab9d6c897628c1f6d9abd4a3d14236401138b00a8d151810abf9d7cee9bc9c0822ee2948ea5e65d806367b2ea081fb19db374e4343470f77a53dc047ff8fc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
651KB

MD5
365eae5e7447a86f3b049d202415dac1

SHA1
774d4d6e8f24de458d458cb47d02926aa3f63d26

SHA256
e832c23d3f147087eab4740ff8e14e4c946e872658689f94d6b9058e11e5064f

SHA512
c480116ceaff8fb3301f3e7f2aa2359f0dbc29787e232c2b079c62cc10274abc0f1f76aabf9114a655b28c45d07375348816e6bba4a953a526ddc139ffdc5eaa

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
668KB

MD5
7b1e5557cb229714bb1c5453e878fa7b

SHA1
7e5732c9f565d9f65e63510698de6232f4aec360

SHA256
c8d8325eaf8b67996d961b9727119ec51baba322bd37b8771a80ff5e0b008fdd

SHA512
bf5e935f5adf8e2fdd543cb2d5b58e13a3739fd1cc1b3bb3cdfd46ebd78c1edee2597cc4a64bce474026903e22ca74ba28e94f4a51065412df0dd783fdf4e5bc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
664KB

MD5
77b58b542b70c4e541945a3d2251a0c6

SHA1
53a0e32ae9d3946a82894a30a6d324bfc1726185

SHA256
ef488393201b84a5c858adc864c5ea0319e8058ec3d5a5b41438998db6fe16e2

SHA512
d323dcfe7a831e17b47656f161e6ed8354a7840a566384b83b3056cc6c776c624b8fde8757ce40d339246e3ff2f68e1833004d6ec248bec8eb4b6c47a6e70e3b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
664KB

MD5
d7b84eaaae8eed24e4ed8cf74bd9d6da

SHA1
c9ba6ec6b7e30e2862351c36b9aef96227ce48d7

SHA256
e700c91dca8c70ce76f050536c6f0ede542bbbd49466ad4404aff9950acb27ff

SHA512
d84c691ab3eaaa303b5931a81454a05d41f157842a07046b4e28b2d6970bf637d6bc6b7f5ac5b412b3afc8fe6778c1e50d6133b1b042f649911183cc611c3585

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
668KB

MD5
ff2e09bb6ed0bb050603a01d4150a5e2

SHA1
3eb6acd7571926013974a499df931d9c14ceadfa

SHA256
c85d65d618f9077e489e83eafb5874e1f1a3799fd86515f5d522fd66f4b47135

SHA512
1ae6d3b7c8a8c00d1bbdea751425988a3c2d2c02a67aef133b4f58cf490fb2782b2813ce4566a92d6a6fbbe9d07a3c016a374f59958a9397517b3e572726aa50

Download Submit
\??\c:\stop
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/240-228-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/240-235-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/240-237-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/572-54-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/572-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/676-124-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/708-137-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/708-141-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/868-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/868-99-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/940-281-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/940-283-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/968-263-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1692-81-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/1692-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1720-184-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1924-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1924-73-0x0000000000360000-0x0000000000390000-memory.dmp

Filesize
192KB

Download
memory/1924-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1952-149-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-194-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2028-189-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/2072-132-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2116-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2116-172-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/2164-274-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/2164-276-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2228-90-0x0000000000360000-0x0000000000390000-memory.dmp

Filesize
192KB

Download
memory/2228-95-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2364-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2364-33-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2428-227-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/2428-231-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2480-212-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2480-207-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2536-210-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-220-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2556-154-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/2556-159-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-244-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2568-242-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/2576-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2648-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2724-63-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/2724-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2752-257-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-251-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-249-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/2808-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2832-163-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2832-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2896-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2896-1-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/2896-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2900-6-0x00000000002E0000-0x0000000000310000-memory.dmp

Filesize
192KB

Download
memory/2900-202-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2900-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2900-198-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/2912-43-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/2912-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-114-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-109-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download

description	pid	process	target process
PID 2896 wrote to memory of 2900	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2896 wrote to memory of 2900	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2896 wrote to memory of 2900	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2896 wrote to memory of 2900	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2896 wrote to memory of 1960	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	reg.exe
PID 2896 wrote to memory of 1960	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	reg.exe
PID 2896 wrote to memory of 1960	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	reg.exe
PID 2896 wrote to memory of 1960	2896	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	reg.exe
PID 2900 wrote to memory of 2808	2900	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2900 wrote to memory of 2808	2900	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2900 wrote to memory of 2808	2900	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2900 wrote to memory of 2808	2900	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2808 wrote to memory of 2648	2808	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2808 wrote to memory of 2648	2808	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2808 wrote to memory of 2648	2808	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2808 wrote to memory of 2648	2808	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2648 wrote to memory of 2364	2648	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2648 wrote to memory of 2364	2648	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2648 wrote to memory of 2364	2648	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2648 wrote to memory of 2364	2648	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2364 wrote to memory of 2912	2364	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2364 wrote to memory of 2912	2364	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2364 wrote to memory of 2912	2364	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2364 wrote to memory of 2912	2364	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2912 wrote to memory of 572	2912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2912 wrote to memory of 572	2912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2912 wrote to memory of 572	2912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2912 wrote to memory of 572	2912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 572 wrote to memory of 2724	572	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 572 wrote to memory of 2724	572	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 572 wrote to memory of 2724	572	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 572 wrote to memory of 2724	572	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2724 wrote to memory of 1924	2724	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2724 wrote to memory of 1924	2724	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2724 wrote to memory of 1924	2724	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2724 wrote to memory of 1924	2724	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1924 wrote to memory of 1692	1924	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1924 wrote to memory of 1692	1924	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1924 wrote to memory of 1692	1924	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1924 wrote to memory of 1692	1924	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1692 wrote to memory of 2228	1692	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1692 wrote to memory of 2228	1692	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1692 wrote to memory of 2228	1692	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1692 wrote to memory of 2228	1692	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2228 wrote to memory of 868	2228	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2228 wrote to memory of 868	2228	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2228 wrote to memory of 868	2228	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2228 wrote to memory of 868	2228	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 868 wrote to memory of 3048	868	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 868 wrote to memory of 3048	868	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 868 wrote to memory of 3048	868	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 868 wrote to memory of 3048	868	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3048 wrote to memory of 676	3048	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3048 wrote to memory of 676	3048	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3048 wrote to memory of 676	3048	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3048 wrote to memory of 676	3048	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 676 wrote to memory of 2072	676	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 676 wrote to memory of 2072	676	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 676 wrote to memory of 2072	676	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 676 wrote to memory of 2072	676	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2072 wrote to memory of 708	2072	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2072 wrote to memory of 708	2072	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2072 wrote to memory of 708	2072	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2072 wrote to memory of 708	2072	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe