053d77402e5cf733eb2111d5adbf0c4eca1ff7dbd9db2a3d28ea5ff9f4ae4da2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Size

645KB
MD5

83758eefa7a5cc7a0d07f638965ea1e0
SHA1

9b26bdb934d31b0ab77ba9e3d5c4ab8285b0da14
SHA256

053d77402e5cf733eb2111d5adbf0c4eca1ff7dbd9db2a3d28ea5ff9f4ae4da2
SHA512

4fd7aa5ccef508b779da5d367ba3f4eed1bafc904cd9323a3cb81fd058c5910a87c70178c42307d69b2a2d3a47187dccd398f36ed293a870585cdfd831314323
SSDEEP

12288:TLySlYJZK6WrFRUPQ+kq8PeeDJIO9ep56+kWLh12jT6xtjdA5:T+SlOa8+PeeDJIIefXkWLD2axtjdA5

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Drops file in Drivers directory 58 IoCs

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 28 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3160-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1624-5-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/3160-10-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/2148-21-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1624-24-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
behavioral2/memory/3084-33-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/2148-38-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/1544-49-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3084-52-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
behavioral2/memory/3052-63-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/1544-66-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/4504-77-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3052-79-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/3376-90-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4504-93-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/3616-104-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3376-106-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/3616-118-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
behavioral2/memory/3312-128-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/3264-131-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/3312-143-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/2624-154-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4784-157-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/2624-169-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/2916-180-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1344-182-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/2916-195-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/5036-207-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
behavioral2/memory/4584-218-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1712-221-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\H:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Modifies registry class 28 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

pid	process
3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2148	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2148	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3084	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3084	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1544	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1544	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3052	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3052	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4504	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4504	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3376	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3376	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3616	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3616	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3264	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3264	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3312	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3312	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4784	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4784	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1344	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1344	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2916	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2916	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
5036	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
5036	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1712	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1712	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4584	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4584	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3628	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3628	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4484	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4484	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1644	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1644	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1416	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1416	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3048	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3048	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
8	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
8	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1872	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1872	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4136	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4136	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1372	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
1372	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
5020	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
5020	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
- Installs/modifies Browser Helper Object
PID:4604

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
3⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
4⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
6⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
7⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
8⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
9⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
10⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
11⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
12⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
13⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
14⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
15⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
16⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
17⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
18⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
19⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
20⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
21⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
22⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
23⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
24⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
25⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:8

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
26⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
27⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4136

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
28⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
29⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
674KB

MD5
7f76b03b2f9eef533aac8d257c6547c9

SHA1
2ac3c29b65b8852062d298fdab3cc20b3c933fce

SHA256
7e89624aab7f827d20e1f2b8863cc25a2776ff0feaa8ce10074eba7643df8793

SHA512
0d5c8578a56e85a6496e220493593851b42371d9f0b5c53ad95da4c7cd81cd2fefa1305a2dec81551b474965aeaa67221511904bb70a20a65e80324710a5d6ce

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
673KB

MD5
156f206d56fd9798683d01a589d47e7c

SHA1
cb198dd1a608a540ef3e64bdcf7189e3411ad1d8

SHA256
13182c4582aebac0683d7694ee492c5921d8f5e7d2a127ea89755b93beddfbd1

SHA512
5fbd3b61bb3f678798d00949a53da287ccb3ae22bf50a101b7391796e32ee91f1955f172ea2d3e6f8a9bf925732bf9918aa9ed88b8d1f093c96150fb7fcb58c4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
645KB

MD5
60f30af230eef61e74470822ac7fa4a9

SHA1
8ac99a467eb72f92908da18bf5ad31df8f5830a8

SHA256
b35f08fd33dcce8206e8d9c0ce8bef76d34962d38d026648912818f55acfef4a

SHA512
910d64afb34eefe813664ae7fb1de519f68b28c58ee606442bd374ad7d75cf75a2efac3210a94133d8b0a0fa3f10d3476da2a66676af0f27922b00ff799d8360

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
664KB

MD5
9865990008f71283098f1bc45532714b

SHA1
7c7c3c42c06117e4737a54b0623bc45e79cd61ce

SHA256
e1bb6394b7de2eb1e22b965e9d94d93b772547ee5137a25492d8f2f6698b0b6d

SHA512
b7721d1a66b602abea0dd8f52e48afbdb5049d3b85cfae6fe577d163950c523961702fd63d3f547ce0f47475f221028772e20c1760f1fd63931db2389ead78f4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
675KB

MD5
3b807fb4fe2e25d378d7b000f7db3e6b

SHA1
c9bc4dfd400dc7b37106838d1439ac79c87fb4d1

SHA256
630031dbb83a0fcf5e471498348758f850d4305b5b16f447a3c727ff94a1dae3

SHA512
b6abaeb92b25ac4820d22586d16f14e1f4eae1838d03dc659fb73d73f84b829125e0f42207fa2d803d108495054975a43d7b8d38cb93fe003b8a100109aa9cca

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
654KB

MD5
baa980fbe047a7ea8820efb31c645894

SHA1
c3fda3552928af7d9ad90db43ad6a2185e6eb9c5

SHA256
eaabf572dd408621954d34ab6e761974897627be9ba817cf40d7adc716860495

SHA512
e88bf44359c6963ecf8298240b525a008dc9e954fd97c9513d080f038282394cb03728f6898d1a0e9ebde3660e8daad48c95618bcb8ef17cbe7924bc99fe401b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
677KB

MD5
4a8f2b3a65e5bf868a1fb1981134ab5d

SHA1
f6768546e193be1733ae63094924b66c2ed10391

SHA256
024e5349967713b5ea9c1fb0a11bada9315ef2820e7006dadf9cf9a833383631

SHA512
6c9b7920afdc4bea020b2fd6764b273fcdbf17d7a69b1cf042cfdf7060df4dbc7bc2470440ff0f2fd4d0d6c7852c12bf555d9bb4bc441dc9b3d7f63b8cccf921

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
663KB

MD5
553ffa1ea910abc49d24578a8b52e097

SHA1
d1451535979d4989bfe52b8cbd71203d5d72fe59

SHA256
857eaea59195aa1941f52097603f459e1603fdb0570a22aa3208e2bd178388c1

SHA512
e758276737a6178ea216ad58fb575698e9ff2bf8913861ce4c6018c8264d2241fff7e16ffb946bd432fb365c8169edac6d01de74685665943d1a50e8889ea9b2

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
661KB

MD5
8d682845dabeb1ae6c6d67c3870b3942

SHA1
3a83b286af700becd0e1c48e2cf51d570c5cfe95

SHA256
859b67908c87e400c56bacf8ed4136ce550c5a3dd23f387283e4ca081f8cb110

SHA512
d6e277e9e57350080f98f81502c33829ece4392ed8636eaff2938d36a4d782c16a14b7a6511913a10d360f8be990942d1446f34f15ed515ae7ba5a07d14a3829

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
651KB

MD5
b279f5b35620c953368357b9f3e71b93

SHA1
dbf171be3b641cd393a52babd3fd3f634175cacb

SHA256
f379af5668c1f5b4583d7e66b98d05ee81249e2bf490eaefc5302f8cc0e4e476

SHA512
521542d54d4c9b946b45d837d0778338ee98a83f3da86a8566a819b047cf5636903f29c9e638fb592875afe964b4d7bd501c776682eb15c09f41f1cfea1b7950

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
675KB

MD5
145e172e71846c8551d9ed964360eb05

SHA1
b22b571ab883f2e2b16b221e239661e9f1a4b41d

SHA256
60109e7538cad3480feb4bb3d9bbc3ca738e43a720d80e6c7d103b036a5d7a17

SHA512
c95b8e49038707294700ec72ac74ec09921dc38abc7dfdf6143aaed86faa6c9aaf1c6ac99e402c9949f551ad722c8eaf31ee26339c6caa3409a20617a8ad9b73

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
651KB

MD5
832abbab45406fc0210eaaf569151e3b

SHA1
c43c6ce62ee53fb06cfe96382ec83121b3ddbe98

SHA256
60af41201fe024acd5eb89502721b9bff4bb3145e02c2ad1db6b7fb2b5a034e3

SHA512
fe307298122219c3413cb8e1acf5a2cc6a7f323271f4123744e927b01fc82fde4991654e59f4c10836abef8073ea4d0fc1b6406e499e42ae5541046f8d44a076

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
659KB

MD5
78d8a0912c86a94ccd37e002bbc649dd

SHA1
91a55b5b94454999bbb41ad5b014a3b21ac60974

SHA256
cc0c0c3a176ead3f0e6eeee92f3d523035bac6e28413f0001867ea95fc401a4b

SHA512
9a2a68723f3093c5547cd4939eca01e4657443c44f59643a33e1d78c561feae4f361c3e66b12c4a6fea6c90aa65814645f54fb1638479efacd8aae5995bf0c32

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
661KB

MD5
37a73ad7bcbc0f268376b9059de33d88

SHA1
9c3ce303d96e7810316084635dac80e661d6195c

SHA256
64bbeddd903e89352d3de9f0ca302c7ab16ac38f193ddfc45ebaad78ded48e41

SHA512
0c2dafdf39b97c7ef50b574f52849268677da75ef6a84b4e1dd2aef68c588e38fbb097e7aaf00e08eb9aaddd67007229026ba53f29dca84345b685bb4769ae35

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
660KB

MD5
bb95f6b94f2b36088fbd0eb3c6cf9b8f

SHA1
e4e68c67f218f1daac2b2d22cf89334a5add5dcd

SHA256
a5d60b71c53aa978605138f28e8d7c2a79573b5de9b58d46e0faa1b154d75037

SHA512
9f7a82b1e3b945508a4005cf41bc0891e00b8628670b4abc176289b468d6015f6eff003cc0281695b7bdf0a16c5aa0f7b81c47bcee97c945f3de6655f3e7d17e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
650KB

MD5
a128d8b7259330b52d44fc8dd430d3b9

SHA1
6e3e3df101e0cc54f767914f84ded4a69e97f810

SHA256
92abb4a3c8999f010d04e6d656f046412670d175c5c6aa4ab7b9f0d9486b34f4

SHA512
b58784e23a012f108b1d505e2a56dc4e698680e50e812d81978785b30202b1553158ba309230818d9e347feed0cebe087e94fc43286da3149c5798ef7def77f8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
654KB

MD5
4889df6e14548d215d57dec54ccabe38

SHA1
746148042359a50f50ec4bb95e0b88b178b446e5

SHA256
764a24d513ffdc46cc05b853a0a9b6e11695fc3cc9399d93fd79e07959c8ea59

SHA512
50b2a9f0b12417a97a82280df0c80dfe21d46601faee24ddb34cfcb6d6fc3051638443cb333c1e997d6119daec595f269dc9036d28f571e39caacc70ee12e1e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
647KB

MD5
c4d7c6ad4541b7d68ffea09b2796e43a

SHA1
b515de4d1409249c045b1a4875772ab07bed1827

SHA256
4fa6ab601bb73cfc877008939a6794b50d6314c54938c36758da9046f45b1070

SHA512
614e3d008128c3d662629a08fe81b6bd8a6100ac51a2d3e7139cc453d0db7c55a839f4eddbde9d83fa329559a5d2c1fad97028fea739bf3cc6d8cb2f988ebad4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
660KB

MD5
868fc10c2f0300f9228a546c353624db

SHA1
e42be1e152f0b63790bba4747a4edcf1a623e1f5

SHA256
0fcab9b82b9f002b076d4ee5bf257bfc0d5787de50000a40d1e8076a00b62961

SHA512
01a05a59bbe28db1694dd1a3540bc38f11ed0f8e570d67f6c911e2bf512b9680c7af067f0e48532f3afbbe0cd68fbb4a8362aa7bf5403df62a93e777f352d9a6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
661KB

MD5
d78be0d3a15f1d7674b435cfd21740f3

SHA1
74678c45518c97d69cab62738657527c7fe60dbb

SHA256
32a78d6bdb3e7b1f4307057293320dce5703e80339ed4a62ffbbe0f78729e6eb

SHA512
1aa9b2869522195092bf688f2ff63d3b01d55ebcae8b0146300a65065ee2525dc64e57c7ead94fcb8a025ca530833ce2bfa6b3f0a58189a58c3e490bd9e4321d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
647KB

MD5
fbf4c941a6a84fe68a2dd1f867151747

SHA1
501d96f9841019f89e7ba55120215fa91e569512

SHA256
8575d0153cfc2af19ac60297620adaa9bff5d2917ea4a0ceb7ce98abdba934f5

SHA512
7162048deb0219cd739b66be6fd5c8a8ded0a26f9ffab13708ab62e325fd07180035e1229ffd9bfe3a35e1461311cda0cf87aa209a6ab28a5370efcb2fe708b5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
660KB

MD5
cfea4449a544f5b89088f9f77b21035d

SHA1
b257f4b64ea0886c38008a3becf92ffa9a6a83e2

SHA256
2cf3977ee170c1aba24f74438657e3e4bc6298620030c7041932def01ae85a67

SHA512
6736f310b8e555b9ac6c5c9fb101081eb051f22346b76aaa2e52dbb6b2cc4ea5db788e855e5e313ff54800c56bbcb4b53293f40db79d290135813c76f25777e8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
673KB

MD5
df8d114cf0b842ca662fcef146c66ebc

SHA1
f17925fe9e940336f85a73f59f25a6748c7356e6

SHA256
5712a56edc023daf65fb63f6655815f82f4d16978843f729de05e7f980242f1c

SHA512
a59ec5ea3499da2ebf9272adb78ad012c90e8f1d54253fadf5ddc6fad18025e53d138cd1ff67c891028ca46466aba4bef54306cb78316a5f39f81e0fa6aa3c1f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
652KB

MD5
b4bb8ade4f54400cb51835cd9cd33651

SHA1
66f39772e7f775e49ae12fa770098731b466defc

SHA256
e12de6f5a453edf04150df66a90922003ddda91475fe54d005cf993149f6d4fa

SHA512
5f175b46d8af94b6bc62ed60373eac65df17f212426fc4c97d6699191c204de89f04e109d6c2732826592754cf506da4f6479901a54f66c292fa43f4a56b7296

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
668KB

MD5
d357d37947bb491e3049868a60d11eac

SHA1
def7c2413eea543b4dc10f63af0d3e93a0f57d84

SHA256
ab2b932eb89882228f29f9171f0f6e3f1ecfd8c4f33d0428a601a6e288104d2c

SHA512
8f69d7dbe95b772ef077ddb4d2d51165468232d9c4b41b986a2f881f3524c87ea8e18b29003d1817f1adf50723b2032664504dca6a848fc4d872d772002949c4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
670KB

MD5
367d83743fe9c3e05d8e3254a2562e16

SHA1
2b44d44e71925492ba25d90b573983ad1aade8e0

SHA256
34014c2ff12729b9d9e9bd1d0b83056aab8cb3de32b2e75826b5018302b85964

SHA512
53ebc7666a565a76c57d55902b2d12ceb72669c7d74e94213f013732ad06ed59279b921617cf03438f19356a6198c9202ccf3e611d206c1e0ba73be20670a882

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
673KB

MD5
e9cca063febb66b1aca372fb4d3e765d

SHA1
46f97e9589803345b927b8705fef243d7a3e2d7a

SHA256
4f5f426e162c3c2e37f26b3cf967b86ca95a08c4461ee54fcb51de68e385656f

SHA512
00bdde6f7802b4b2f022b22d349cc8ca35fc731a96150bfacf46ddde0d5ec5f638d9a6d2f892091e5b0bbb0db1f5a2f7d83a74b157c4fa5e5ad4fb1ca3196248

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
670KB

MD5
67037df7a4c51de024072b11fbf9272a

SHA1
c7d0362e90b7540a7f48831d4b6dabde6cf80f9a

SHA256
012dd120f6fb55dc6a905b5bf107a30c1f2ba47f4a34bc9623b795fc175cc5ef

SHA512
536e05b0e1ef1a1dfbc4ee83c7e225d499fa6ebb9cad3c06aed31398050c39adfb63961a1a4a2b5b52abd40ea2b0cc0f3e1ddd9b5e39b64e40a41e8da78dd9a8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
673KB

MD5
99f02aae6e49cfaae0001aae591c9395

SHA1
56b18b4acb50f56ca3e8738251d2c0b5676f42d0

SHA256
67dda55dff40649cff2d74479f2c606338ce5f2d0d943254d440bbf41dc4a62e

SHA512
249d457bd41eb086dcef8abea674c3aa19a1abd811e71740f11f11cea71cd0550200307e6d04114a6b77e8253345659f6f4b9e8b838fab42b067e0dd4d7d363e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
676KB

MD5
fdbe7f67155676590467fafa631776df

SHA1
5633f92bc401d767a90d077d5bc93d47de0d92ea

SHA256
b86641ad6f289f92945e93c81e1128c3a9928776f01636398e166d16544f0b1d

SHA512
81a6d1ce49499b4aabe7a9ef11b5f74687b7addb38462cbfd1a71436d2152a96fa71a81009ad198415d8a909a367bb963acdb886815ecebeea18c635aebd0063

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
660KB

MD5
1fda03360eb5fe9b53d3ce08b43b7f3c

SHA1
2878371e130125fc43b82f0539ad183b4b91beca

SHA256
6b75f2125a260de5b00c413a700fb1f5fd5864541d7741e25f97dee0358ab1b9

SHA512
bc4802afba3e9d73301012f69ba4e3ba4ac40df9e530efbe7790010735c656012d9f883f5ea31a58b6ac15890b14c8adc24620aac3a3fe65189171ed471c4596

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
663KB

MD5
0bd7fd951177873900ebe0dc5cd2ed66

SHA1
97792b4de69fb477ff771e08eb5479c0a1b9d14a

SHA256
59679742c6430ab90c0a92bea4379ecdd80b4e95628f88367bb314cb73f26523

SHA512
ec9d34c80662e3075b71a43a3a5e5c2d9c51609d31781c9ae30b7b66d0673e38800ddeac1712ea2b0a5ffcba63a3b6cae73715b4845f55bb3ba127b7799992a1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
676KB

MD5
4fcf9e86f64bc4eb7444e6f3bd45bfce

SHA1
f47ab59e42e420d523c75ec509ff58c119705bb3

SHA256
e392390ec059815d305e6884dcc19dc5be71173839048c230b5b4903507bc3d1

SHA512
ba96da73ec0c8783013831f1f0c23f8a95335887f36986531364fe47bb54b76ee8a8b9b599e1a9964078f2f67518c4e45ada867b2732695162cc9a5128b459e4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
660KB

MD5
4d388f2b0839f8d6558a16f8db3c1719

SHA1
bfd6e40410f2bb44d0a7b12e2610fdc88b7649a5

SHA256
9717530f2a3c9b4fffa892cc7558fe7de57e337610f48662b80deeb073dc8cad

SHA512
03823a21554a7e3fe57b8ed5128758e53a5d6a5afe80cf8ffe9f34e912e70e9ec1428052525279452055ba4b45e932d48923d426f3c3c7d4b10e20ab9ccc796e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
655KB

MD5
f3a07c1d211ce6f2a3cb1759659a54e0

SHA1
b061e98bbd63e361db4b4637722b6056cfdac32d

SHA256
ff4bd4ac7a64d13f1aaccd61f0cbaabce230f8d41ab776744df931abecc87cd9

SHA512
27c9164d515b1a47b306f8befaf49fccc2dce5f88872d01d686ede6c3235034e6c7add0914a762658413815d981c8c829af2f42add207608a25cb1fd9e181c0b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
665KB

MD5
5948dc0044b3f7a849a7b43a906ec35a

SHA1
b0686945d5bf6ac6b3c1570810c1b7f298f8660c

SHA256
e9b0339884e37b97c72ba9cca3d451720b2ad91fd46c2b176f7a2a251fa08be0

SHA512
29140484804c261ef00c4ed242d7cdbfdf93cf6578e0f3eaa2f597e619618a0aa01089d581bcbbb17401a78a2c5e9e5c1bc82effb1838733ac1a8c8b907b3107

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
676KB

MD5
03831840fe4786ed1859ca84d44b4170

SHA1
be451c32b1e8d5d9cedeb390c70d0e9ca6a50abd

SHA256
ff79910e2bf6c37290a714726f5013aa0053f21dd8e323b1ce06b0ee7b338ba5

SHA512
aac25a679c3af06a1d46a753e74b6705796a3abe0b23f2b92fe15ab369122833d1cf8cae457833240b1fa97b197dd20bfe4cc978092c62d56ff23bc42792deb9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
671KB

MD5
640db0dcfc5eb02119287e3aefb8810f

SHA1
706db3162d83bdb47e37eb98ba9c225b40082493

SHA256
c95fb3944bb5afe765139a098928f668997fa98e56272f487660b04e36388df1

SHA512
28538288ca17529a4a5d4cc9f81cee093f67220075b520de208f585c8276f1d23bc1bb22153241cb32a0978cfe8450891d8c9df2b541cc685066cc6eb3f38d66

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
649KB

MD5
454155a786f3e2d92cf3c999b62a110a

SHA1
01da172d19145fe643405f02056751fca9c94acc

SHA256
e2863e5e445809d22a0c2f7d1d8c3a19e30e201e94720a960e2a748c2c8d0a42

SHA512
1eb8d2c88d9de90378bfc4f076f26d7c1b50754558997ad20df3394b038d27f8a58529170ab4cf0efec7536b200ba557106be4608fd5a53b2c90422816acc165

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
649KB

MD5
11e202b7e5669939ffb588d9ec5e3ac7

SHA1
ca2c2645da50389ee0b4ce26b18427d4a69840eb

SHA256
dcd76d5247c8c10522c4a6a54ad3fe2e6bf6e519d012c5efeeb32e82418d6bcb

SHA512
048a7b412703a571ea85c4f4ae31923800af1b76759f8fe7a9b6fee1098233b4393cee07d8343f5379ce8d6c7a6d9a68a0a2ef5e2e08d253bc153b56142e9fa4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
670KB

MD5
163a048f4dcc22fbc8b04955f5e7dc47

SHA1
449859ae0ed70cf107c3a3bc9865aea2055a89bd

SHA256
0fd3f7d94fc7eb239c4a44fd8ffd3cebfcd81b30d255be500cc2508497dcfa8c

SHA512
307e3f9c0d926a1fad6198c2849eefc5a0811cdeca10f5102202e20669afbc36ca2b22b80ce57a1be163fac544b25aa9d784e4cdc1af7463129681ee312d6faf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
673KB

MD5
104d98383f0ec849975941280048809e

SHA1
1d8169b7a088ec2af4f43112044475a621c852bb

SHA256
324b3881f45b0d03c6d6d0b09594e3fe312ad2d3e360e7925a9a8ad0056b4806

SHA512
77be3e9e924b32bac5a9e80e5cf17c607dbff906d31ff1010ceea26991c166eda7ae4be6c7224f9f0c0e116a505083d3b51580132852122ce0d4cce1bc7b364d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
646KB

MD5
e1441919c99ea31cc3fce2968a9350c7

SHA1
5df3c285b457ccb8499299811b25b37c6021f3c4

SHA256
2aaf6f49ac990fbfcbbf2b47d0ee7dc4d6a20c4226495945d1cf9e771a747fa2

SHA512
ead98320ab3aa1898800182d0357455ee79e5248a2ec45792e9f2a522a27de0091a9a0ca2ed7b6bebc7c663ea863b06f2dc0d7f1cb7bdafe09a5201abd02a8a9

Download Submit
\??\c:\stop
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/8-313-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/8-303-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-272-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1344-182-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1372-340-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-294-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1544-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1544-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1624-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1644-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1644-284-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1712-221-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1872-322-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2148-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2148-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2624-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2624-154-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2916-195-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2916-180-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-304-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-293-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3052-79-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3052-63-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3084-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3084-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3160-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3160-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3264-131-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3312-128-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3312-143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3376-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3376-106-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3616-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3616-118-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3628-246-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3628-233-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4136-331-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4484-258-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4504-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4504-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4584-234-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4584-218-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-157-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5036-207-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

description	pid	process	target process
PID 3160 wrote to memory of 4604	3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	reg.exe
PID 3160 wrote to memory of 4604	3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	reg.exe
PID 3160 wrote to memory of 4604	3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	reg.exe
PID 3160 wrote to memory of 1624	3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3160 wrote to memory of 1624	3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3160 wrote to memory of 1624	3160	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1624 wrote to memory of 2148	1624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1624 wrote to memory of 2148	1624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1624 wrote to memory of 2148	1624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2148 wrote to memory of 3084	2148	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2148 wrote to memory of 3084	2148	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2148 wrote to memory of 3084	2148	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3084 wrote to memory of 1544	3084	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3084 wrote to memory of 1544	3084	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3084 wrote to memory of 1544	3084	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1544 wrote to memory of 3052	1544	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1544 wrote to memory of 3052	1544	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1544 wrote to memory of 3052	1544	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3052 wrote to memory of 4504	3052	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3052 wrote to memory of 4504	3052	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3052 wrote to memory of 4504	3052	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4504 wrote to memory of 3376	4504	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4504 wrote to memory of 3376	4504	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4504 wrote to memory of 3376	4504	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3376 wrote to memory of 3616	3376	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3376 wrote to memory of 3616	3376	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3376 wrote to memory of 3616	3376	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3616 wrote to memory of 3264	3616	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3616 wrote to memory of 3264	3616	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3616 wrote to memory of 3264	3616	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3264 wrote to memory of 3312	3264	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3264 wrote to memory of 3312	3264	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3264 wrote to memory of 3312	3264	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3312 wrote to memory of 4784	3312	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3312 wrote to memory of 4784	3312	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3312 wrote to memory of 4784	3312	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4784 wrote to memory of 2624	4784	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4784 wrote to memory of 2624	4784	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4784 wrote to memory of 2624	4784	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2624 wrote to memory of 1344	2624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2624 wrote to memory of 1344	2624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2624 wrote to memory of 1344	2624	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1344 wrote to memory of 2916	1344	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1344 wrote to memory of 2916	1344	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1344 wrote to memory of 2916	1344	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2916 wrote to memory of 5036	2916	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2916 wrote to memory of 5036	2916	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 2916 wrote to memory of 5036	2916	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 5036 wrote to memory of 1712	5036	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 5036 wrote to memory of 1712	5036	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 5036 wrote to memory of 1712	5036	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1712 wrote to memory of 4584	1712	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1712 wrote to memory of 4584	1712	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 1712 wrote to memory of 4584	1712	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4584 wrote to memory of 3628	4584	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4584 wrote to memory of 3628	4584	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4584 wrote to memory of 3628	4584	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3628 wrote to memory of 4484	3628	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3628 wrote to memory of 4484	3628	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 3628 wrote to memory of 4484	3628	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4484 wrote to memory of 912	4484	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4484 wrote to memory of 912	4484	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 4484 wrote to memory of 912	4484	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
PID 912 wrote to memory of 1644	912	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe	83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe