Malware Analysis Report

2024-09-09 18:06

Sample ID: 240618-pa1vkasfnd
Target: 4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.exe
SHA256: 4a0059277ce994b7baf1955a1a1136f263dac80792b9bf18a2ee6defe4a2a474
Tags: persistence, privilege_escalation
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 4a0059277ce994b7baf1955a1a1136f263dac80792b9bf18a2ee6defe4a2a474

Threat Level: Shows suspicious behavior

The sandbox rated 4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.exe as showing suspicious behavior (7/10), not as confirmed malicious. Despite the .exe name on the submission, both detonations ran the file as a DLL through regsvr32 /s, and every indicator the signatures flag is the work of the module's DllRegisterServer routine registering an in-process COM server: CLSID {74800170-F789-11CE-86F8-0020AFD8C6DB}, ProgIDs IPWorksSSH.SFTP, IPWorksSSH.SFTP.1 and IPWorksSSH8.SFTP, type library {74800173-F789-11CE-86F8-0020AFD8C6DB} and its ISFTP / _ISFTPEvents interfaces, all described as "/n software inc. - IPWorks! SSH V8 SFTP Control".

Three points keep this from being a clean bill of health. First, InprocServer32 points at the DLL in the submitting user's Temp directory, so any process that instantiates the CLSID or one of the ProgIDs loads code from a user-writable location; that is the persistence angle behind the tag. Second, the module is unsigned (see static1), so the report cannot distinguish a genuine /n software component from a module that merely carries its strings and CLSIDs. Third, "Component Object Model Hijacking" (ATT&CK T1546.015) is a heuristic match on writes under HKLM\SOFTWARE\Classes\CLSID: nothing in the report shows a CLSID that existed before the run being re-pointed, so this reads as a new registration rather than a hijack until the CLSID is checked against a clean image of the detonation platform. The privilege_escalation tag comes from the ATT&CK mapping of T1546, which is listed under both the Persistence and Privilege Escalation tactics; the writes land under \REGISTRY\MACHINE because regsvr32 ran with administrative rights in the sandbox, not because the sample elevated itself.

regsvr32 produced no child processes, files or network traffic in either run. The msedge.exe utility process and the reverse-DNS queries listed under behavioral2 are not attributed to regsvr32 and are consistent with background activity on the Windows 10 image.

Malicious Activity Summary

Tags: persistence, privilege_escalation

Event Triggered Execution: Component Object Model Hijacking (ATT&CK T1546.015)
Unsigned PE
Modifies registry class

MITRE ATT&CK Matrix V13

Techniques mapped from the signatures in this report: Persistence / Privilege Escalation, T1546.015 Event Triggered Execution: Component Object Model Hijacking.

Analysis: static1

Detonation Overview

Reported: 2024-06-18 12:08

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator rows recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 12:08
Reported: 2024-06-18 12:10
Platform: win7-20240508-en
Max time kernel: 122s
Max time network: 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking (tags: persistence, privilege_escalation)

Modifies registry class

Description Indicator
(Process is C:\Windows\system32\regsvr32.exe and Target is N/A for every row below. Rows are grouped by subtree of HKLM\SOFTWARE\Classes rather than in the order the sandbox emitted them; a path ending in "\" denotes the key's (Default) value.)

CLSID {74800170-F789-11CE-86F8-0020AFD8C6DB} (the in-process server; InprocServer32 points into the submitting user's Temp directory)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ProgID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ProgID\ = "IPWorksSSH.SFTP.1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID\ = "IPWorksSSH.SFTP"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version\ = "1.0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Insertable
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Control
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\ = "0"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\1\ = "132497"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll, 101"

ProgIDs (all resolve to the CLSID above)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CLSID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer\ = "IPWorksSSH.SFTP.1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer\ = "IPWorksSSH.SFTP.1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CurVer
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CurVer\ = "IPWorksSSH.SFTP.1"

TypeLib {74800173-F789-11CE-86F8-0020AFD8C6DB}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS\ = "0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

Interface {74800171-F789-11CE-86F8-0020AFD8C6DB} (ISFTP)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ = "ISFTP"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib

Interface {74800172-F789-11CE-86F8-0020AFD8C6DB}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0"

Wow6432Node\Interface {74800171-F789-11CE-86F8-0020AFD8C6DB} (ISFTP, 32-bit view)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ = "ISFTP"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"

Wow6432Node\Interface {74800172-F789-11CE-86F8-0020AFD8C6DB} (32-bit view)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0"
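The question the "COM Hijacking" signature leaves open, for this table and for the behavioral2 table below, is whether an existing CLSID was re-pointed or a new one registered, and whether the server lives somewhere a standard user can overwrite. The following Python helper is an added example, not part of the sandbox or of this report: it parses rows in the "<op> <key>[ = "<value>"] <process> <target>" layout the signature tables use, groups them per CLSID, pulls out the InprocServer32 path, threading model and every ProgID that resolves to the CLSID, and issues a verdict. The hijack/new distinction relies on a caller-supplied baseline of CLSIDs taken from a clean image of the same platform (an assumed input the report does not contain), and the list of user-writable path fragments is a heuristic chosen for the example. The embedded sample rows are copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral1 signature table above,
# in the layout the report uses:  <op> <key>[ = "<value>"] <process> <target>
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ = "/n software inc. - IPWorks! SSH V8 SFTP Control" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
"""

# One report row. The key never contains spaces; the quoted value may.
ROW = re.compile(
    r'^(?P<op>Key created|Set value \([a-z]+\)) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<val>.*)")?'
    r' (?P<proc>\S+) (?P<target>\S+)$'
)
CLSID_RE = re.compile(r'\\Classes\\(?:Wow6432Node\\)?CLSID\\(\{[0-9A-Fa-f-]{36}\})', re.I)
PROGID_RE = re.compile(r'\\Classes\\(?:Wow6432Node\\)?([^\\{][^\\]*)\\CLSID$', re.I)

# Heuristic list of path fragments a standard user can normally write to (assumption).
USER_WRITABLE_HINTS = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\', '\\downloads\\')


def in_user_writable_path(path):
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def parse_rows(text):
    """Parse report rows into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        op, key, name, val = m.group('op'), m.group('key'), None, m.group('val')
        if op.startswith('Set value'):
            # A trailing backslash means the key's (Default) value was written.
            if key.endswith('\\'):
                key, name = key[:-1], '(Default)'
            else:
                key, _, name = key.rpartition('\\')
            if val is not None:
                val = val.replace('\\\\', '\\')  # the report doubles backslashes inside values
        events.append({'op': op, 'key': key, 'name': name, 'value': val, 'process': m.group('proc')})
    return events


def summarise_com_registrations(events):
    """Group events by CLSID: server path, threading model, ProgIDs and write count."""
    servers = defaultdict(lambda: {'server': None, 'threading': None, 'progids': set(), 'writes': 0})
    progid_map = defaultdict(set)
    for ev in events:
        m = CLSID_RE.search(ev['key'])
        if m:
            rec = servers[m.group(1).upper()]
            rec['writes'] += 1
            if ev['op'].startswith('Set value') and ev['key'].upper().endswith('\\INPROCSERVER32'):
                if ev['name'] == '(Default)':
                    rec['server'] = ev['value']
                elif ev['name'].lower() == 'threadingmodel':
                    rec['threading'] = ev['value']
            continue
        pm = PROGID_RE.search(ev['key'])  # \Classes\<ProgID>\CLSID = "{...}"
        if pm and ev['name'] == '(Default)' and ev['value'] and ev['value'].startswith('{'):
            progid_map[ev['value'].upper()].add(pm.group(1))
    for clsid, progids in progid_map.items():
        servers[clsid]['progids'] |= progids
    return dict(servers)


def classify(summary, baseline_clsids=frozenset()):
    """Attach a verdict per CLSID. baseline_clsids: CLSIDs present on a clean image of the
    same platform (assumed input; the sandbox report does not carry it)."""
    baseline = {c.upper() for c in baseline_clsids}
    out = {}
    for clsid, rec in summary.items():
        server = rec['server']
        writable = server is not None and in_user_writable_path(server)
        if server is None:
            verdict = 'no in-process server written'
        elif clsid in baseline:
            verdict = 'HIJACK: pre-existing CLSID re-pointed to ' + server
        elif writable:
            verdict = 'NEW REGISTRATION: server in user-writable path ' + server
        else:
            verdict = 'NEW REGISTRATION: ' + server
        out[clsid] = dict(rec, progids=sorted(rec['progids']), verdict=verdict, user_writable=writable)
    return out


if __name__ == '__main__':
    for clsid, rec in classify(summarise_com_registrations(parse_rows(SAMPLE_ROWS))).items():
        print(clsid, rec['verdict'])
        print('  ProgIDs:', ', '.join(rec['progids']) or '-', '| ThreadingModel:', rec['threading'])
```

Run against the rows above with an empty baseline the helper reports a new registration whose server sits under \AppData\Local\Temp\; pass the same CLSID in the baseline and the verdict flips to a hijack. The ProgID list is what to hunt for on other hosts (any `IPWorksSSH.SFTP` ProgID resolving to a server outside Program Files is worth a look), and the same parser handles the behavioral2 table unchanged.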

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-18 12:08
Reported: 2024-06-18 12:10
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking (tags: persistence, privilege_escalation)

Modifies registry class

Description Indicator
(Process is C:\Windows\system32\regsvr32.exe and Target is N/A for every row below. Rows are grouped by subtree of HKLM\SOFTWARE\Classes rather than in the order the sandbox emitted them; a path ending in "\" denotes the key's (Default) value.)

CLSID {74800170-F789-11CE-86F8-0020AFD8C6DB} (the in-process server; InprocServer32 points into the submitting user's Temp directory)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\InprocServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ProgID
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\VersionIndependentProgID\ = "IPWorksSSH.SFTP"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Version\ = "1.0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Insertable
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Control
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\Programmable
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\ = "0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\1
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\MiscStatus\1\ = "132497"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74800170-F789-11CE-86F8-0020AFD8C6DB}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll, 101"

ProgIDs (all resolve to the CLSID above)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP\CurVer\ = "IPWorksSSH.SFTP.1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH.SFTP.1\CurVer\ = "IPWorksSSH.SFTP.1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CLSID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CLSID\ = "{74800170-F789-11CE-86F8-0020AFD8C6DB}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPWorksSSH8.SFTP\CurVer\ = "IPWorksSSH.SFTP.1"

TypeLib {74800173-F789-11CE-86F8-0020AFD8C6DB}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\ = "/n software inc. - IPWorks! SSH V8 SFTP Control"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0\win32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\FLAGS\ = "0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74800173-F789-11CE-86F8-0020AFD8C6DB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

Interface {74800171-F789-11CE-86F8-0020AFD8C6DB} (ISFTP)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ = "ISFTP"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0"

Interface {74800172-F789-11CE-86F8-0020AFD8C6DB} (_ISFTPEvents)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ = "_ISFTPEvents"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"

WOW6432Node\Interface {74800171-F789-11CE-86F8-0020AFD8C6DB} (ISFTP, 32-bit view)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800171-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0"

WOW6432Node\Interface {74800172-F789-11CE-86F8-0020AFD8C6DB} (_ISFTPEvents, 32-bit view)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ = "_ISFTPEvents"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\ProxyStubClsid32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\ = "{74800173-F789-11CE-86F8-0020AFD8C6DB}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74800172-F789-11CE-86F8-0020AFD8C6DB}\TypeLib\Version = "1.0"

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4361714d82539f50e5c2e29497c8d980_NeikiAnalytics.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.246.64:443 - tcp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 243.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

("-" = no domain recorded. Every DNS row is a reverse (PTR) lookup sent to 8.8.8.8; the report does not attribute any of these connections to regsvr32.exe, and no connection is listed for the behavioral1 run at all.)

Files

N/A