Analysis Overview
SHA256
4a0059277ce994b7baf1955a1a1136f263dac80792b9bf18a2ee6defe4a2a474
Threat Level: Shows suspicious behavior
The file 4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Event Triggered Execution: Component Object Model Hijacking
Unsigned PE
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 12:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 12:08
Reported
2024-06-18 12:10
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Insertable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll, 101" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer\ = "IPWorksSSH.SFTP.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Control | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID\ = "IPWorksSSH.SFTP" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ = "ISFTP" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ProgID\ = "IPWorksSSH.SFTP.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\1\ = "132497" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer\ = "IPWorksSSH.SFTP.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CurVer\ = "IPWorksSSH.SFTP.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ = "ISFTP" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 12:08
Reported
2024-06-18 12:10
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ = "_ISFTPEvents" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ = "_ISFTPEvents" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID\ = "IPWorksSSH.SFTP" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll, 101" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CurVer\ = "IPWorksSSH.SFTP.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer\ = "IPWorksSSH.SFTP.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Insertable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\1\ = "132497" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Control | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0\win32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ = "ISFTP" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer\ = "IPWorksSSH.SFTP.1" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |