Analysis Overview
SHA256
053d77402e5cf733eb2111d5adbf0c4eca1ff7dbd9db2a3d28ea5ff9f4ae4da2
Threat Level: Known bad
The file 83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Sets service image path in registry
Drops file in Drivers directory
UPX packed file
Modifies system executable filetype association
Modifies WinLogon
Enumerates connected drives
Adds Run key to start application
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-02 23:37
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 23:37
Reported
2024-06-02 23:39
Platform
win7-20240221-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/2896-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2896-1-0x00000000001B0000-0x00000000001E0000-memory.dmp
memory/2900-6-0x00000000002E0000-0x0000000000310000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 46063a5f718621fc492d231aa80e6248 |
| SHA1 | 0913f1e5f5c549af60e51589ecd7fa1e148420a5 |
| SHA256 | 37d35f9a3185f2f135d66e436c8685754f771aa926cf273728df34938c837f93 |
| SHA512 | b60bf0564db7c07b0c8d3869283f2a97df21e49fc5a0f07f03ec6cba680a395b218c20cc9daa8a379584d49852d164d0735fc2e9c92a661fdefb9cfda1bb3c4d |
memory/2808-7-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2900-12-0x0000000000400000-0x0000000000430000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2896-13-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b4d8a3537524269af377773d0ec4575d |
| SHA1 | 395b925b5324f61c7379cf7e5a2f8404c560442a |
| SHA256 | bd61584b5682ad8921f12566daa90ab2e79eb084a49ec01b37791aa4eeff3d54 |
| SHA512 | a8a003f70309c4261afcf6544798eba75330ea0efe25d1f471dd8732ffd067afded227965207e3e0847cf8dc3a7b520dadd6b832590415d444b6cceb587eacb0 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4f0982aebd5658e6cdfb287aa4e7153a |
| SHA1 | a4636db8e341b9aca773ce6267310d40883ab293 |
| SHA256 | 4d5b0e460de6872e435afcb83c35f85f36bb98ba46e5b8efa9b300e83a31bbdd |
| SHA512 | b7e776826c39ed5618c2f270dde97f8c4a4d7b9fc948e52b9ba4449d3fb6aff1adf7f2bf24cb754a3de3f8eac490b6e3a29e103752258950c794dfe5b3762e24 |
memory/2808-21-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ee68a5934062010e820df167d1f2b028 |
| SHA1 | d8abcc5c73e93175e3594c89e499045f51eb41b3 |
| SHA256 | 953e07658c02440f9792a8c185da8b01d6f27b19c435453bf103a152d98d2528 |
| SHA512 | 3ab1a2db14a04e6d1dd6a8cd02811b7cab00e99ddb53abe5a5a65303a8a017eb80c44eb424075264b1a215abd08577fa80c5cbb01d6fea6a9eb03928f63254e7 |
memory/2648-29-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 12fb15803d3cb08e68bfc9d999ae649f |
| SHA1 | a99bb9a40780283bb42efafb9facc268c4063dee |
| SHA256 | 9753f17332a4070f8e17d0ad5d4bd9565117cc02cab4af3d753b88d7f0f378b1 |
| SHA512 | cc298c4b83dfa05bec0f38760326804538713b81ffe3c392f45598c6d6713544e8d5af4b903e000c22aedb4676ecce5e397600274568a3468fceae92ce2f2447 |
memory/2364-33-0x00000000003D0000-0x0000000000400000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bc6f35365caed72d4db1cc86d9d6b98a |
| SHA1 | 6bcf91bed98513c9da27e9896d9fbf925f79a99c |
| SHA256 | 5f10f5fe59aba16092542f6b1a4572fd751420620a9545ac19fd7a0117b26e7e |
| SHA512 | f6e42ef37b1a184bdadb79571f73f3a30094d3deda965484477f14c7f6a2c9c8901e45dd8ab1aad59990ff0b63a42cd9a7ed5e0ac95d39f835ea19bb50e34522 |
memory/2364-38-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2912-43-0x00000000005A0000-0x00000000005D0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4e4e5f05b731ff9ac94875c48a9c5652 |
| SHA1 | 370f6040af2e7374e522d4b53cd76d51cb706e95 |
| SHA256 | 85a8d7a731a5463e17f151b4f1911170729cf406e10717147037ac4255cf5783 |
| SHA512 | 529dd3d61748e32f91d277d8b222a191b4a66bc2e3e3cf6a9c7b5b0e37978b30297bcc33102598145d1a4d723fdb116c09c6c5897705e29ebcab10367422097f |
memory/2912-48-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 86d27010cdae78dd7193e3955d31be80 |
| SHA1 | 7fd3d1197d4343ddc4d4a03ad4842db4412d20e4 |
| SHA256 | 31e25ed7ad805e18b176678bf8b542b3317d7134d248570511ee168db1425c36 |
| SHA512 | 0c23121b41310cd4230b3262e870bc916d551271909b0982192670ba1572077f418ca91fa42ba1df76e91bf2616d938d02faaa77a011faacce234b975f473123 |
memory/572-54-0x00000000002C0000-0x00000000002F0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a2b7cb019a57b7a97dbbc7d23b1a9b55 |
| SHA1 | 3c6715d1ff48d1121638489c6d7726fb8d68359c |
| SHA256 | cf7bdcccc70e5412eff3d10bd48b5668de46632214f9f4620d3f3735db46b661 |
| SHA512 | d26552e462027fd52060f86be8989ae09d9b94e20500f19ab3123c82d310f648e01c54330b7206ec7fdd2c9106f9ca8276f444318a36c496626c2af2e0cd7360 |
memory/572-59-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e560eb8d609e00ba87271955c788b123 |
| SHA1 | 680dbc0dd128a305094d4ae46c4c7355dd28fd93 |
| SHA256 | 0480d4af3dae360673864e510bf0b2e625b1e72982586a2fe27644fcce8d0864 |
| SHA512 | c4421a4c9c4963139e56e14f4a14d55d7186c05d1e7f68de14601b68cf43a8b631d9416ace06b9c58d09dd4a1c5ca486ad8d62ef41b93b1741afef921626e4a7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | fa43539f10bd44d7813acda8c76702ea |
| SHA1 | 2366b788110089395859ae421fc2e340c7d1861d |
| SHA256 | 16bf5273a44a89e2301b69bed5aa9e523b01c90be5d929474a7f8e6d10c920d7 |
| SHA512 | 9243f93f12ba1a14a0fc00dbf43ef24bc56d8e90798f873151a298ce5a781d7171bc05b6c6636483eeace976b2c440903f4f89f2330e0ad9f62b98c437a8e547 |
memory/1924-64-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2724-63-0x0000000000370000-0x00000000003A0000-memory.dmp
memory/2724-68-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1924-73-0x0000000000360000-0x0000000000390000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 94a6d51df969f404385b35030a7057ca |
| SHA1 | 9252520d4747b68e916186b7a134964d388afde7 |
| SHA256 | 9faae94a74dfa66e7a9cad5aa402baaece414a8d365644065a188d9bad2856b3 |
| SHA512 | 1e09455c6df71d4da3bad87b6ffef46b05aee8969620f3ea2b6dadb7e905c09394ce77bb6f1d680920bebcade51d5ebd7f3e571b2b243a5c3ead4b57cf8b1711 |
memory/1924-77-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b1ad36f94b2a6919d73f04264e7a7f5e |
| SHA1 | 2f5e1dff38f7db8860d7be22ea783a25a3d867a7 |
| SHA256 | 92522a946fb27f6abf80082bf5dcca577bc78001b46ba65e256efc55e08cbfe9 |
| SHA512 | 90ea4aafe868f69399e06d52a223a80528ede3b9e1b68cf70ed402ee6b64e4cdda6e2f68234eba24fffd3082a4c1c4fef9eb2f78a9f8c0d1f5635485a8b3de31 |
memory/1692-81-0x00000000004F0000-0x0000000000520000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6389da9ff438a07923b714ca2749a82a |
| SHA1 | deb30a1ff73eca88bdfe84729f01e84adebd9cf3 |
| SHA256 | 8184099f71275f3dfd99660b3e42491733f89fc1fe026ab49c629eeb0c55b8fc |
| SHA512 | b8178363f8bb51596a2b00fcf6730323bf8e686b9401ed7fe846b8172deb4143f68fe4fc9c57c88ec6d0192b0b29c686aef6c2e398b9d4a8907c9d23507bcad3 |
memory/1692-85-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2228-90-0x0000000000360000-0x0000000000390000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 51b97cb27af6ac2512851a2189485bfb |
| SHA1 | c70c99ada5e929cd193c92acc0cc450112c8f933 |
| SHA256 | 834b5af00a5154db7ad2e1561766bad558a5a3c5db918400968cad1f9ee063ce |
| SHA512 | 0cce1bcbb955a6cb70a93f0ce7ebb97302d1c8daac2ded88756f2beb9911b3d8c5aeceb394516df95fbe6fb6448590dbcc159694bd4d60f23edc9a067c626424 |
memory/2228-95-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | dcd605c78865feaa4b2f323d7fa1689e |
| SHA1 | 5094f67b7160b1c2e79f28747afc54d65a1a6b90 |
| SHA256 | 47b2d2cdf2fba22f14f5eb51ecdd7d485f1a11674fc2668427c86a4fd6786ac6 |
| SHA512 | fd05afbdaba31f1bf0b395062b4da1586805fa192b97cdddc58bbebae5f2bf5bbbbe22a9eaee674b7fb534459a84d692bf4bc37320e687d01a47a1d33fe92bb1 |
memory/868-99-0x0000000000430000-0x0000000000460000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1938016c3e7c12789e752d6319bb602a |
| SHA1 | ad15ae0bfcc423590920bb45bf9d90fbfd3b4217 |
| SHA256 | 01db3fb00ac107bec07ba468f8591d8ea2b5055b2027e5a0b0f7a08cdc724760 |
| SHA512 | 64c69a4ccfc9514cf621eab4508474567ff0fa3c47a7c0ee474040f788ac57251b562798a295052fe386b0716e774bd11e84b7f44c2e8d9a5310af88538ca60d |
memory/868-104-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3048-109-0x0000000000380000-0x00000000003B0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 54059a14cf518524c0498c70f452206d |
| SHA1 | 84aa21455dbe775e0df7bf7e9046981d3206ac10 |
| SHA256 | 8b91e2c76a1fc64e31eec9af8263e239443d11614d60ad1197f600e58233e047 |
| SHA512 | 70490467fb13772d6c41f16e792096ab218deea0ac749fba491e5768a4c68306dabe61efd620067fb5ecce7878da601f6d1d1f8aae0a1ed50fab74ebaecc6e31 |
memory/3048-114-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5a20df51483277500571351bbe833440 |
| SHA1 | b4470fcea4a80bf078a389c9913eede4bb6394e2 |
| SHA256 | 1b84512840d6b0cdfdaee101871614e0ef06400d23f79cd3ac24bbc21cab6700 |
| SHA512 | 562378d25e93a124ac1103dbf738382c749124473688ad09392e4e43efe52907987733990974038cc9975f20d72e97ab79767f17d37bf983d2751e26ca0334a3 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2c7ffbcf358882e6f148f2216b62b4b1 |
| SHA1 | 884200a6913b35f7d2744c4e91318f2842c9969a |
| SHA256 | c703f82c6895e69d2618623d384bbfcbd09d607beed0f9b3614091a8dc46e776 |
| SHA512 | c500c5c8d1353bdb7b7e12706db3448612bcf5c79e6ca8272ffa42084369dedf44e2e4f29bc3522ab0a22d2e8de8eb623966dd71bf24d2df12262cc6f993ac1f |
memory/676-124-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 138e366a54398bea6db7fe664378b64f |
| SHA1 | 74ef45dea93e7810957c6ec772a339e615313a1f |
| SHA256 | e3d24ce756798e53ae65f5b992705776165e1d26ee9f8a7708f1ec5b7ee95ac8 |
| SHA512 | c5ffb90124e59331eb4c15ad4d365c00cdaec41fd660f228e10297a90e43c7725eb6f94258ad0449d13f5f9ebd3157cc9b05b491411bfd706b9225f798d759a7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1d3ee1febe25f654571674975158f307 |
| SHA1 | a63e2ebfba5ac4671822ccd91a75cac2a123f51f |
| SHA256 | c18f032df1258eb93435ed2ca9aac4e1f3cb6c2b94c0f141675732cfe894898d |
| SHA512 | 2e9560463d1ace5fbc6b78e58c9f4f51810b88d052e2b387c1643e4dd4bdf6bce220849a66f94b36853c2f1241bac7fc53a1c47b8951f739d4f443ce72545726 |
memory/2072-132-0x0000000000400000-0x0000000000430000-memory.dmp
memory/708-137-0x00000000003D0000-0x0000000000400000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5d41c5671408f578618c3e38a63f4694 |
| SHA1 | 3565b9d5e7dd88f62fda0d2a181c67f2b32eb54f |
| SHA256 | 8ef7d5ba0ebb3517507651730b9d7772d8e1937f228a1f2e480a66cd14f12ed8 |
| SHA512 | 423f8ab6d9ac97b5765e258e3b5a16625b7b7d01fcee4916ad27cbc9cf58c116c71ee6929b629a6f864bb568ea51b8096dd97347c871b1ea73fd1d59b8e92efc |
memory/708-141-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6eadd5ef25e5cee6886f4905c208836a |
| SHA1 | e031d91866769614b8a3a0c47588a92601ab69be |
| SHA256 | 7caa8d08bc5492cdf398cead47d026b0ad04de1a6026d9f2c9f2a97fa96383c3 |
| SHA512 | 5433d7676eef3dc4ed802b476de25d20aed9bf2ff9db8041ecd5adf24caf69843001316ff6fb578ebbaedc8199c1ad9fdf5edc93b17a306b6abf0e11e8c457d9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5d3bdfb5edbd16b3dcfd32bf0ecf3748 |
| SHA1 | a43f72756f8d6b3480ba836dafefa321f8c0e969 |
| SHA256 | 6df5220cbd356c210cd393bcfbbbf14108753ae5ec3d6feb7fa15a15ae110f93 |
| SHA512 | 8461db06dce0bdcda5ab8aec6a20a136955081c6db40427f1e5091957b1349e547c2794440797d9ac484d8aa2b969a102a2a77506777e77e2d27582ae11dcc58 |
memory/1952-149-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2556-154-0x0000000000260000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2b8c5acf0ff99664a149f081e9402d02 |
| SHA1 | 6a183ece2b1e046a376842e296c0341db85c8942 |
| SHA256 | cf3b493a31dab2682f5022215cf93bcf3e0ac5b3e9717966763256e210956e87 |
| SHA512 | 24c68111778f566d69ece52777fb5340f291692e5dd9109660ccd66a9703491be17353578d550ffb0f26af2a28b4cd9d41d85c81de5b65dc302ebac358a3b4b7 |
memory/2556-159-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | efaf472b1127f258dd84cdcc5c018d2f |
| SHA1 | f921d8f952f74e1a7b021c9200d5bdbb64a0fd3b |
| SHA256 | d5bb2dad27c088801cca5b2c2f0bdc16cded5e0910c511991997324cd7e45998 |
| SHA512 | 66b915c2ba8690e6a46d6f4faf76f87a9fc462cf79f8749e3cf92cf6bfd744dbd3beb7614351b39d54a4ae6647b4986879d61b659995bf33a0c1ae76150a7ed2 |
memory/2832-163-0x00000000003D0000-0x0000000000400000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8c6fed2f9106f576ce1aecfded1b8d2e |
| SHA1 | ddca6d96d56a29ac83a2b0eb75f66c60bd589bb8 |
| SHA256 | 3e55be05c856e500387426b4bfdb11db49680bf607f8eea8440d86e05ca13412 |
| SHA512 | 86e257cd8d58b5fb7eea891a2d35928848a6ceaf60a27804b077b9fd102244c1c9e2605778aca796b0c0b1b43b1cbd82104ab41d7e53e4a64a23df9825310a63 |
memory/2832-167-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2116-172-0x00000000001B0000-0x00000000001E0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c92d01e29c114793a514f56fd30317f1 |
| SHA1 | 2a44fe7ec753e71cc4cf01a75340276c416fa9c9 |
| SHA256 | e9d8b697bc192a5e91c7b4a24ab4e6a1bae2b937ce44b7b6e23ce24e8c6d213e |
| SHA512 | 628bd63c73b77205d8ddeeeeef92e949e142c2df8b4606bd7e34bb60d5e85e6a4527c028a96479581b23e00cb1e4da0786357fa295c2110186bc152de03aa6a0 |
memory/2116-177-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 153d749ff81729ff3b051d528f703737 |
| SHA1 | dcecb81b1468729b8d5f3a9e75a325ed6d0606be |
| SHA256 | aeda0f0275ad8237288eb8907cabcace638bc1f6d526189dfeec4432173f5573 |
| SHA512 | 9e168cde5d6f4606a5020d1dd2161461cf2ba2d0d91589227c9feff44958fea74699ee4bf0f901d0bab173265cb07c8213b2102252b1a91819946b80101e6fc5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 86307d395c162745a61ec885cf9b4f71 |
| SHA1 | a04ee3cf16a485e6619024e58d2b2b98f9d3f82a |
| SHA256 | 794147c7c76d5f75f1be2493483c60c03fef6acec16675e42e6d0ce52a9eb814 |
| SHA512 | de8ab9d6c897628c1f6d9abd4a3d14236401138b00a8d151810abf9d7cee9bc9c0822ee2948ea5e65d806367b2ea081fb19db374e4343470f77a53dc047ff8fc |
memory/1720-184-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2028-189-0x00000000003B0000-0x00000000003E0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 365eae5e7447a86f3b049d202415dac1 |
| SHA1 | 774d4d6e8f24de458d458cb47d02926aa3f63d26 |
| SHA256 | e832c23d3f147087eab4740ff8e14e4c946e872658689f94d6b9058e11e5064f |
| SHA512 | c480116ceaff8fb3301f3e7f2aa2359f0dbc29787e232c2b079c62cc10274abc0f1f76aabf9114a655b28c45d07375348816e6bba4a953a526ddc139ffdc5eaa |
memory/2028-194-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f3bf299865f5619fb181ee6ab1f2a68d |
| SHA1 | 5d39604902056d60aba29cf85b864550a77cda78 |
| SHA256 | e4094fd2b327179946daf7048605f8e6688ff223e5e0c9e6b8b44688ca98538b |
| SHA512 | 7ebda10a43e56bad52557e7f17ee8c444353eb7ce94660573b731039e8d8d0b89d0c36f269365737c9fcbcedb1b7b5699c2c4b589d4abb37035c87b9b80c0324 |
memory/2900-198-0x00000000001C0000-0x00000000001F0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7b1e5557cb229714bb1c5453e878fa7b |
| SHA1 | 7e5732c9f565d9f65e63510698de6232f4aec360 |
| SHA256 | c8d8325eaf8b67996d961b9727119ec51baba322bd37b8771a80ff5e0b008fdd |
| SHA512 | bf5e935f5adf8e2fdd543cb2d5b58e13a3739fd1cc1b3bb3cdfd46ebd78c1edee2597cc4a64bce474026903e22ca74ba28e94f4a51065412df0dd783fdf4e5bc |
memory/2900-202-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2480-207-0x00000000003D0000-0x0000000000400000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 77b58b542b70c4e541945a3d2251a0c6 |
| SHA1 | 53a0e32ae9d3946a82894a30a6d324bfc1726185 |
| SHA256 | ef488393201b84a5c858adc864c5ea0319e8058ec3d5a5b41438998db6fe16e2 |
| SHA512 | d323dcfe7a831e17b47656f161e6ed8354a7840a566384b83b3056cc6c776c624b8fde8757ce40d339246e3ff2f68e1833004d6ec248bec8eb4b6c47a6e70e3b |
memory/2536-210-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2480-212-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 943b94591aa51e3f2f816b2d730982fe |
| SHA1 | 60cb8762cad05338f7c3d697b217fa407665539c |
| SHA256 | 57e139beebb1d358f023d63b8f7f02c3b2f73c5e23f58c0550fc513230e21c12 |
| SHA512 | 817f3df63f0f1bcaf3f2e0e3a6694a137f5db06d89ef73f10ab9341b5c00fa027bd44e16a321bc10e9774a49653e3fc8753a8093382927b5aaa0e2b5d1535b41 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d7b84eaaae8eed24e4ed8cf74bd9d6da |
| SHA1 | c9ba6ec6b7e30e2862351c36b9aef96227ce48d7 |
| SHA256 | e700c91dca8c70ce76f050536c6f0ede542bbbd49466ad4404aff9950acb27ff |
| SHA512 | d84c691ab3eaaa303b5931a81454a05d41f157842a07046b4e28b2d6970bf637d6bc6b7f5ac5b412b3afc8fe6778c1e50d6133b1b042f649911183cc611c3585 |
memory/2536-220-0x0000000000400000-0x0000000000430000-memory.dmp
memory/240-228-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2428-227-0x0000000000370000-0x00000000003A0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ff2e09bb6ed0bb050603a01d4150a5e2 |
| SHA1 | 3eb6acd7571926013974a499df931d9c14ceadfa |
| SHA256 | c85d65d618f9077e489e83eafb5874e1f1a3799fd86515f5d522fd66f4b47135 |
| SHA512 | 1ae6d3b7c8a8c00d1bbdea751425988a3c2d2c02a67aef133b4f58cf490fb2782b2813ce4566a92d6a6fbbe9d07a3c016a374f59958a9397517b3e572726aa50 |
memory/2428-231-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f8a0fb36231e17404b709a7d33c9605e |
| SHA1 | e07807b496f5659d4e62812b2f2efc4bd6049757 |
| SHA256 | 681cc41be74360ad8149c294728d10a6117507c1d06afdcd9815876d81ed2fb6 |
| SHA512 | 2fd23ca76e98aba035da4104d9a92c1b0a42c7fab0c9d475979785547e82d6db5722ae25b21a0b62375edc771c7e2202a4367f1a011a4b92bbf55cd725e4e9d8 |
memory/240-235-0x0000000000260000-0x0000000000290000-memory.dmp
memory/240-237-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2568-242-0x00000000004B0000-0x00000000004E0000-memory.dmp
memory/2568-244-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2768-249-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/2768-251-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2752-257-0x0000000000400000-0x0000000000430000-memory.dmp
memory/968-263-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2576-269-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2164-274-0x0000000000580000-0x00000000005B0000-memory.dmp
memory/2164-276-0x0000000000400000-0x0000000000430000-memory.dmp
memory/940-281-0x00000000002C0000-0x00000000002F0000-memory.dmp
memory/940-283-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 23:37
Reported
2024-06-02 23:39
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Recorded 28 times in this detonation.
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Recorded 28 times in this detonation.
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Matched 64 times in this detonation; this signature reports no indicator, process or target.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
The four writes above were recorded 19, 16, 15 and 14 times respectively (64 events in this detonation).
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\83758eefa7a5cc7a0d07f638965ea1e0_NeikiAnalytics.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 2.17.178.52.in-addr.arpa | udp |
Files
memory/3160-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1624-5-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4fcf9e86f64bc4eb7444e6f3bd45bfce |
| SHA1 | f47ab59e42e420d523c75ec509ff58c119705bb3 |
| SHA256 | e392390ec059815d305e6884dcc19dc5be71173839048c230b5b4903507bc3d1 |
| SHA512 | ba96da73ec0c8783013831f1f0c23f8a95335887f36986531364fe47bb54b76ee8a8b9b599e1a9964078f2f67518c4e45ada867b2732695162cc9a5128b459e4 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3160-10-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4889df6e14548d215d57dec54ccabe38 |
| SHA1 | 746148042359a50f50ec4bb95e0b88b178b446e5 |
| SHA256 | 764a24d513ffdc46cc05b853a0a9b6e11695fc3cc9399d93fd79e07959c8ea59 |
| SHA512 | 50b2a9f0b12417a97a82280df0c80dfe21d46601faee24ddb34cfcb6d6fc3051638443cb333c1e997d6119daec595f269dc9036d28f571e39caacc70ee12e1e5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | df8d114cf0b842ca662fcef146c66ebc |
| SHA1 | f17925fe9e940336f85a73f59f25a6748c7356e6 |
| SHA256 | 5712a56edc023daf65fb63f6655815f82f4d16978843f729de05e7f980242f1c |
| SHA512 | a59ec5ea3499da2ebf9272adb78ad012c90e8f1d54253fadf5ddc6fad18025e53d138cd1ff67c891028ca46466aba4bef54306cb78316a5f39f81e0fa6aa3c1f |
memory/2148-21-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1624-24-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 553ffa1ea910abc49d24578a8b52e097 |
| SHA1 | d1451535979d4989bfe52b8cbd71203d5d72fe59 |
| SHA256 | 857eaea59195aa1941f52097603f459e1603fdb0570a22aa3208e2bd178388c1 |
| SHA512 | e758276737a6178ea216ad58fb575698e9ff2bf8913861ce4c6018c8264d2241fff7e16ffb946bd432fb365c8169edac6d01de74685665943d1a50e8889ea9b2 |
memory/3084-33-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d357d37947bb491e3049868a60d11eac |
| SHA1 | def7c2413eea543b4dc10f63af0d3e93a0f57d84 |
| SHA256 | ab2b932eb89882228f29f9171f0f6e3f1ecfd8c4f33d0428a601a6e288104d2c |
| SHA512 | 8f69d7dbe95b772ef077ddb4d2d51165468232d9c4b41b986a2f881f3524c87ea8e18b29003d1817f1adf50723b2032664504dca6a848fc4d872d772002949c4 |
memory/2148-38-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 156f206d56fd9798683d01a589d47e7c |
| SHA1 | cb198dd1a608a540ef3e64bdcf7189e3411ad1d8 |
| SHA256 | 13182c4582aebac0683d7694ee492c5921d8f5e7d2a127ea89755b93beddfbd1 |
| SHA512 | 5fbd3b61bb3f678798d00949a53da287ccb3ae22bf50a101b7391796e32ee91f1955f172ea2d3e6f8a9bf925732bf9918aa9ed88b8d1f093c96150fb7fcb58c4 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e9cca063febb66b1aca372fb4d3e765d |
| SHA1 | 46f97e9589803345b927b8705fef243d7a3e2d7a |
| SHA256 | 4f5f426e162c3c2e37f26b3cf967b86ca95a08c4461ee54fcb51de68e385656f |
| SHA512 | 00bdde6f7802b4b2f022b22d349cc8ca35fc731a96150bfacf46ddde0d5ec5f638d9a6d2f892091e5b0bbb0db1f5a2f7d83a74b157c4fa5e5ad4fb1ca3196248 |
memory/1544-49-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3084-52-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 37a73ad7bcbc0f268376b9059de33d88 |
| SHA1 | 9c3ce303d96e7810316084635dac80e661d6195c |
| SHA256 | 64bbeddd903e89352d3de9f0ca302c7ab16ac38f193ddfc45ebaad78ded48e41 |
| SHA512 | 0c2dafdf39b97c7ef50b574f52849268677da75ef6a84b4e1dd2aef68c588e38fbb097e7aaf00e08eb9aaddd67007229026ba53f29dca84345b685bb4769ae35 |
memory/3052-63-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 99f02aae6e49cfaae0001aae591c9395 |
| SHA1 | 56b18b4acb50f56ca3e8738251d2c0b5676f42d0 |
| SHA256 | 67dda55dff40649cff2d74479f2c606338ce5f2d0d943254d440bbf41dc4a62e |
| SHA512 | 249d457bd41eb086dcef8abea674c3aa19a1abd811e71740f11f11cea71cd0550200307e6d04114a6b77e8253345659f6f4b9e8b838fab42b067e0dd4d7d363e |
memory/1544-66-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | baa980fbe047a7ea8820efb31c645894 |
| SHA1 | c3fda3552928af7d9ad90db43ad6a2185e6eb9c5 |
| SHA256 | eaabf572dd408621954d34ab6e761974897627be9ba817cf40d7adc716860495 |
| SHA512 | e88bf44359c6963ecf8298240b525a008dc9e954fd97c9513d080f038282394cb03728f6898d1a0e9ebde3660e8daad48c95618bcb8ef17cbe7924bc99fe401b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | fdbe7f67155676590467fafa631776df |
| SHA1 | 5633f92bc401d767a90d077d5bc93d47de0d92ea |
| SHA256 | b86641ad6f289f92945e93c81e1128c3a9928776f01636398e166d16544f0b1d |
| SHA512 | 81a6d1ce49499b4aabe7a9ef11b5f74687b7addb38462cbfd1a71436d2152a96fa71a81009ad198415d8a909a367bb963acdb886815ecebeea18c635aebd0063 |
memory/4504-77-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3052-79-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 8d682845dabeb1ae6c6d67c3870b3942 |
| SHA1 | 3a83b286af700becd0e1c48e2cf51d570c5cfe95 |
| SHA256 | 859b67908c87e400c56bacf8ed4136ce550c5a3dd23f387283e4ca081f8cb110 |
| SHA512 | d6e277e9e57350080f98f81502c33829ece4392ed8636eaff2938d36a4d782c16a14b7a6511913a10d360f8be990942d1446f34f15ed515ae7ba5a07d14a3829 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1fda03360eb5fe9b53d3ce08b43b7f3c |
| SHA1 | 2878371e130125fc43b82f0539ad183b4b91beca |
| SHA256 | 6b75f2125a260de5b00c413a700fb1f5fd5864541d7741e25f97dee0358ab1b9 |
| SHA512 | bc4802afba3e9d73301012f69ba4e3ba4ac40df9e530efbe7790010735c656012d9f883f5ea31a58b6ac15890b14c8adc24620aac3a3fe65189171ed471c4596 |
memory/3376-90-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4504-93-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bb95f6b94f2b36088fbd0eb3c6cf9b8f |
| SHA1 | e4e68c67f218f1daac2b2d22cf89334a5add5dcd |
| SHA256 | a5d60b71c53aa978605138f28e8d7c2a79573b5de9b58d46e0faa1b154d75037 |
| SHA512 | 9f7a82b1e3b945508a4005cf41bc0891e00b8628670b4abc176289b468d6015f6eff003cc0281695b7bdf0a16c5aa0f7b81c47bcee97c945f3de6655f3e7d17e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0bd7fd951177873900ebe0dc5cd2ed66 |
| SHA1 | 97792b4de69fb477ff771e08eb5479c0a1b9d14a |
| SHA256 | 59679742c6430ab90c0a92bea4379ecdd80b4e95628f88367bb314cb73f26523 |
| SHA512 | ec9d34c80662e3075b71a43a3a5e5c2d9c51609d31781c9ae30b7b66d0673e38800ddeac1712ea2b0a5ffcba63a3b6cae73715b4845f55bb3ba127b7799992a1 |
memory/3616-104-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3376-106-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | a128d8b7259330b52d44fc8dd430d3b9 |
| SHA1 | 6e3e3df101e0cc54f767914f84ded4a69e97f810 |
| SHA256 | 92abb4a3c8999f010d04e6d656f046412670d175c5c6aa4ab7b9f0d9486b34f4 |
| SHA512 | b58784e23a012f108b1d505e2a56dc4e698680e50e812d81978785b30202b1553158ba309230818d9e347feed0cebe087e94fc43286da3149c5798ef7def77f8 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4d388f2b0839f8d6558a16f8db3c1719 |
| SHA1 | bfd6e40410f2bb44d0a7b12e2610fdc88b7649a5 |
| SHA256 | 9717530f2a3c9b4fffa892cc7558fe7de57e337610f48662b80deeb073dc8cad |
| SHA512 | 03823a21554a7e3fe57b8ed5128758e53a5d6a5afe80cf8ffe9f34e912e70e9ec1428052525279452055ba4b45e932d48923d426f3c3c7d4b10e20ab9ccc796e |
memory/3616-118-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 868fc10c2f0300f9228a546c353624db |
| SHA1 | e42be1e152f0b63790bba4747a4edcf1a623e1f5 |
| SHA256 | 0fcab9b82b9f002b076d4ee5bf257bfc0d5787de50000a40d1e8076a00b62961 |
| SHA512 | 01a05a59bbe28db1694dd1a3540bc38f11ed0f8e570d67f6c911e2bf512b9680c7af067f0e48532f3afbbe0cd68fbb4a8362aa7bf5403df62a93e777f352d9a6 |
memory/3312-128-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f3a07c1d211ce6f2a3cb1759659a54e0 |
| SHA1 | b061e98bbd63e361db4b4637722b6056cfdac32d |
| SHA256 | ff4bd4ac7a64d13f1aaccd61f0cbaabce230f8d41ab776744df931abecc87cd9 |
| SHA512 | 27c9164d515b1a47b306f8befaf49fccc2dce5f88872d01d686ede6c3235034e6c7add0914a762658413815d981c8c829af2f42add207608a25cb1fd9e181c0b |
memory/3264-131-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | d78be0d3a15f1d7674b435cfd21740f3 |
| SHA1 | 74678c45518c97d69cab62738657527c7fe60dbb |
| SHA256 | 32a78d6bdb3e7b1f4307057293320dce5703e80339ed4a62ffbbe0f78729e6eb |
| SHA512 | 1aa9b2869522195092bf688f2ff63d3b01d55ebcae8b0146300a65065ee2525dc64e57c7ead94fcb8a025ca530833ce2bfa6b3f0a58189a58c3e490bd9e4321d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5948dc0044b3f7a849a7b43a906ec35a |
| SHA1 | b0686945d5bf6ac6b3c1570810c1b7f298f8660c |
| SHA256 | e9b0339884e37b97c72ba9cca3d451720b2ad91fd46c2b176f7a2a251fa08be0 |
| SHA512 | 29140484804c261ef00c4ed242d7cdbfdf93cf6578e0f3eaa2f597e619618a0aa01089d581bcbbb17401a78a2c5e9e5c1bc82effb1838733ac1a8c8b907b3107 |
memory/3312-143-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | fbf4c941a6a84fe68a2dd1f867151747 |
| SHA1 | 501d96f9841019f89e7ba55120215fa91e569512 |
| SHA256 | 8575d0153cfc2af19ac60297620adaa9bff5d2917ea4a0ceb7ce98abdba934f5 |
| SHA512 | 7162048deb0219cd739b66be6fd5c8a8ded0a26f9ffab13708ab62e325fd07180035e1229ffd9bfe3a35e1461311cda0cf87aa209a6ab28a5370efcb2fe708b5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 03831840fe4786ed1859ca84d44b4170 |
| SHA1 | be451c32b1e8d5d9cedeb390c70d0e9ca6a50abd |
| SHA256 | ff79910e2bf6c37290a714726f5013aa0053f21dd8e323b1ce06b0ee7b338ba5 |
| SHA512 | aac25a679c3af06a1d46a753e74b6705796a3abe0b23f2b92fe15ab369122833d1cf8cae457833240b1fa97b197dd20bfe4cc978092c62d56ff23bc42792deb9 |
memory/2624-154-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4784-157-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c4d7c6ad4541b7d68ffea09b2796e43a |
| SHA1 | b515de4d1409249c045b1a4875772ab07bed1827 |
| SHA256 | 4fa6ab601bb73cfc877008939a6794b50d6314c54938c36758da9046f45b1070 |
| SHA512 | 614e3d008128c3d662629a08fe81b6bd8a6100ac51a2d3e7139cc453d0db7c55a839f4eddbde9d83fa329559a5d2c1fad97028fea739bf3cc6d8cb2f988ebad4 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 640db0dcfc5eb02119287e3aefb8810f |
| SHA1 | 706db3162d83bdb47e37eb98ba9c225b40082493 |
| SHA256 | c95fb3944bb5afe765139a098928f668997fa98e56272f487660b04e36388df1 |
| SHA512 | 28538288ca17529a4a5d4cc9f81cee093f67220075b520de208f585c8276f1d23bc1bb22153241cb32a0978cfe8450891d8c9df2b541cc685066cc6eb3f38d66 |
memory/2624-169-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b279f5b35620c953368357b9f3e71b93 |
| SHA1 | dbf171be3b641cd393a52babd3fd3f634175cacb |
| SHA256 | f379af5668c1f5b4583d7e66b98d05ee81249e2bf490eaefc5302f8cc0e4e476 |
| SHA512 | 521542d54d4c9b946b45d837d0778338ee98a83f3da86a8566a819b047cf5636903f29c9e638fb592875afe964b4d7bd501c776682eb15c09f41f1cfea1b7950 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 454155a786f3e2d92cf3c999b62a110a |
| SHA1 | 01da172d19145fe643405f02056751fca9c94acc |
| SHA256 | e2863e5e445809d22a0c2f7d1d8c3a19e30e201e94720a960e2a748c2c8d0a42 |
| SHA512 | 1eb8d2c88d9de90378bfc4f076f26d7c1b50754558997ad20df3394b038d27f8a58529170ab4cf0efec7536b200ba557106be4608fd5a53b2c90422816acc165 |
memory/2916-180-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1344-182-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 832abbab45406fc0210eaaf569151e3b |
| SHA1 | c43c6ce62ee53fb06cfe96382ec83121b3ddbe98 |
| SHA256 | 60af41201fe024acd5eb89502721b9bff4bb3145e02c2ad1db6b7fb2b5a034e3 |
| SHA512 | fe307298122219c3413cb8e1acf5a2cc6a7f323271f4123744e927b01fc82fde4991654e59f4c10836abef8073ea4d0fc1b6406e499e42ae5541046f8d44a076 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 11e202b7e5669939ffb588d9ec5e3ac7 |
| SHA1 | ca2c2645da50389ee0b4ce26b18427d4a69840eb |
| SHA256 | dcd76d5247c8c10522c4a6a54ad3fe2e6bf6e519d012c5efeeb32e82418d6bcb |
| SHA512 | 048a7b412703a571ea85c4f4ae31923800af1b76759f8fe7a9b6fee1098233b4393cee07d8343f5379ce8d6c7a6d9a68a0a2ef5e2e08d253bc153b56142e9fa4 |
memory/2916-195-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7f76b03b2f9eef533aac8d257c6547c9 |
| SHA1 | 2ac3c29b65b8852062d298fdab3cc20b3c933fce |
| SHA256 | 7e89624aab7f827d20e1f2b8863cc25a2776ff0feaa8ce10074eba7643df8793 |
| SHA512 | 0d5c8578a56e85a6496e220493593851b42371d9f0b5c53ad95da4c7cd81cd2fefa1305a2dec81551b474965aeaa67221511904bb70a20a65e80324710a5d6ce |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 163a048f4dcc22fbc8b04955f5e7dc47 |
| SHA1 | 449859ae0ed70cf107c3a3bc9865aea2055a89bd |
| SHA256 | 0fd3f7d94fc7eb239c4a44fd8ffd3cebfcd81b30d255be500cc2508497dcfa8c |
| SHA512 | 307e3f9c0d926a1fad6198c2849eefc5a0811cdeca10f5102202e20669afbc36ca2b22b80ce57a1be163fac544b25aa9d784e4cdc1af7463129681ee312d6faf |
memory/5036-207-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 145e172e71846c8551d9ed964360eb05 |
| SHA1 | b22b571ab883f2e2b16b221e239661e9f1a4b41d |
| SHA256 | 60109e7538cad3480feb4bb3d9bbc3ca738e43a720d80e6c7d103b036a5d7a17 |
| SHA512 | c95b8e49038707294700ec72ac74ec09921dc38abc7dfdf6143aaed86faa6c9aaf1c6ac99e402c9949f551ad722c8eaf31ee26339c6caa3409a20617a8ad9b73 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 104d98383f0ec849975941280048809e |
| SHA1 | 1d8169b7a088ec2af4f43112044475a621c852bb |
| SHA256 | 324b3881f45b0d03c6d6d0b09594e3fe312ad2d3e360e7925a9a8ad0056b4806 |
| SHA512 | 77be3e9e924b32bac5a9e80e5cf17c607dbff906d31ff1010ceea26991c166eda7ae4be6c7224f9f0c0e116a505083d3b51580132852122ce0d4cce1bc7b364d |
memory/4584-218-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1712-221-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 78d8a0912c86a94ccd37e002bbc649dd |
| SHA1 | 91a55b5b94454999bbb41ad5b014a3b21ac60974 |
| SHA256 | cc0c0c3a176ead3f0e6eeee92f3d523035bac6e28413f0001867ea95fc401a4b |
| SHA512 | 9a2a68723f3093c5547cd4939eca01e4657443c44f59643a33e1d78c561feae4f361c3e66b12c4a6fea6c90aa65814645f54fb1638479efacd8aae5995bf0c32 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e1441919c99ea31cc3fce2968a9350c7 |
| SHA1 | 5df3c285b457ccb8499299811b25b37c6021f3c4 |
| SHA256 | 2aaf6f49ac990fbfcbbf2b47d0ee7dc4d6a20c4226495945d1cf9e771a747fa2 |
| SHA512 | ead98320ab3aa1898800182d0357455ee79e5248a2ec45792e9f2a522a27de0091a9a0ca2ed7b6bebc7c663ea863b06f2dc0d7f1cb7bdafe09a5201abd02a8a9 |
memory/3628-233-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4584-234-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3b807fb4fe2e25d378d7b000f7db3e6b |
| SHA1 | c9bc4dfd400dc7b37106838d1439ac79c87fb4d1 |
| SHA256 | 630031dbb83a0fcf5e471498348758f850d4305b5b16f447a3c727ff94a1dae3 |
| SHA512 | b6abaeb92b25ac4820d22586d16f14e1f4eae1838d03dc659fb73d73f84b829125e0f42207fa2d803d108495054975a43d7b8d38cb93fe003b8a100109aa9cca |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | cfea4449a544f5b89088f9f77b21035d |
| SHA1 | b257f4b64ea0886c38008a3becf92ffa9a6a83e2 |
| SHA256 | 2cf3977ee170c1aba24f74438657e3e4bc6298620030c7041932def01ae85a67 |
| SHA512 | 6736f310b8e555b9ac6c5c9fb101081eb051f22346b76aaa2e52dbb6b2cc4ea5db788e855e5e313ff54800c56bbcb4b53293f40db79d290135813c76f25777e8 |
memory/3628-246-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 60f30af230eef61e74470822ac7fa4a9 |
| SHA1 | 8ac99a467eb72f92908da18bf5ad31df8f5830a8 |
| SHA256 | b35f08fd33dcce8206e8d9c0ce8bef76d34962d38d026648912818f55acfef4a |
| SHA512 | 910d64afb34eefe813664ae7fb1de519f68b28c58ee606442bd374ad7d75cf75a2efac3210a94133d8b0a0fa3f10d3476da2a66676af0f27922b00ff799d8360 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b4bb8ade4f54400cb51835cd9cd33651 |
| SHA1 | 66f39772e7f775e49ae12fa770098731b466defc |
| SHA256 | e12de6f5a453edf04150df66a90922003ddda91475fe54d005cf993149f6d4fa |
| SHA512 | 5f175b46d8af94b6bc62ed60373eac65df17f212426fc4c97d6699191c204de89f04e109d6c2732826592754cf506da4f6479901a54f66c292fa43f4a56b7296 |
memory/4484-258-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4a8f2b3a65e5bf868a1fb1981134ab5d |
| SHA1 | f6768546e193be1733ae63094924b66c2ed10391 |
| SHA256 | 024e5349967713b5ea9c1fb0a11bada9315ef2820e7006dadf9cf9a833383631 |
| SHA512 | 6c9b7920afdc4bea020b2fd6764b273fcdbf17d7a69b1cf042cfdf7060df4dbc7bc2470440ff0f2fd4d0d6c7852c12bf555d9bb4bc441dc9b3d7f63b8cccf921 |
memory/1644-269-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 367d83743fe9c3e05d8e3254a2562e16 |
| SHA1 | 2b44d44e71925492ba25d90b573983ad1aade8e0 |
| SHA256 | 34014c2ff12729b9d9e9bd1d0b83056aab8cb3de32b2e75826b5018302b85964 |
| SHA512 | 53ebc7666a565a76c57d55902b2d12ceb72669c7d74e94213f013732ad06ed59279b921617cf03438f19356a6198c9202ccf3e611d206c1e0ba73be20670a882 |
memory/912-272-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9865990008f71283098f1bc45532714b |
| SHA1 | 7c7c3c42c06117e4737a54b0623bc45e79cd61ce |
| SHA256 | e1bb6394b7de2eb1e22b965e9d94d93b772547ee5137a25492d8f2f6698b0b6d |
| SHA512 | b7721d1a66b602abea0dd8f52e48afbdb5049d3b85cfae6fe577d163950c523961702fd63d3f547ce0f47475f221028772e20c1760f1fd63931db2389ead78f4 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 67037df7a4c51de024072b11fbf9272a |
| SHA1 | c7d0362e90b7540a7f48831d4b6dabde6cf80f9a |
| SHA256 | 012dd120f6fb55dc6a905b5bf107a30c1f2ba47f4a34bc9623b795fc175cc5ef |
| SHA512 | 536e05b0e1ef1a1dfbc4ee83c7e225d499fa6ebb9cad3c06aed31398050c39adfb63961a1a4a2b5b52abd40ea2b0cc0f3e1ddd9b5e39b64e40a41e8da78dd9a8 |
memory/1644-284-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3048-293-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1416-294-0x0000000000400000-0x0000000000430000-memory.dmp
memory/8-303-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3048-304-0x0000000000400000-0x0000000000430000-memory.dmp
memory/8-313-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1872-322-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4136-331-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1372-340-0x0000000000400000-0x0000000000430000-memory.dmp