Analysis
  max time kernel: 150s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/05/2024, 00:13
Behavioral tasks
  behavioral1: sample a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe, resource win7-20240508-en
  behavioral2: sample a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe, resource win10v2004-20240508-en (the Windows 10 run; the YARA match and process tree on this page reference behavioral2)
General
  Target: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
  Size: 325KB
  MD5: a8ac1f973938ecb9b7832ac95fd68eb0
  SHA1: fd15b5427c6989e48fa2df1fffd5ac11d47dd05c
  SHA256: 78a3044f9bffa84a69b377fce8d6645371206de8e3231dcbb80dd9094cfca7b2
  SHA512: adab0ba5067d31937c0e2d1c48690af097e97bd7bb51441119661d4a2ebee3106dbd29e356a194307573b49b21905dd01bdb07c9a0b834c9e74162a03f6d95c7
  SSDEEP: 3072:pMMME7GW5Lxxu6IfozESZRusvPViND/V//nTPw1bhE8Ph4arLXWoqhBzvJFJ/wK2:7G8I6FBcR1nrwzEqhTLOX+
Malware Config
Signatures
  YARA rule match: aspack_v212_v242 on behavioral2/files/0x00070000000233d4-8.dat
    The match is on a file written during the behavioral2 run, not on the submitted sample itself. The rule identifies the ASPack 2.12 to 2.42 runtime packer, so that file must be unpacked before any static analysis of it is meaningful.
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. The report lists no IoC for this signature.
  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\905c0769f9a06c95a24ddf945\patcher.exe"
    Process: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
    This is a machine-wide (HKLM) autostart: the sample is 32-bit, so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected by WoW64 to the WOW6432Node key, and Windows processes both Run keys at every logon. Note that patcher.exe does not appear in any of the file lists below, which are capped at 64 entries each.
  Drops autorun.inf file (1 TTP, 1 IoC)
    Malware can abuse Windows Autorun to spread further via attached volumes.
    File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
    Process: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
    The colon after the directory name means the autorun.inf is stored as an NTFS alternate data stream rather than as a regular file; the same IoC also triggers the NTFS ADS signature below, and a plain directory listing will not show it.
Drops file in System32 directory (64 IoCs; the report shows at most 64 entries per signature, so the list is not exhaustive)
  Every entry is "File opened for modification" by a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe, and every path is under C:\Windows\SysWOW64\:
    ndadmin.exe, raserver.exe, resmon.exe, RmClient.exe, SearchIndexer.exe, UserAccountBroker.exe, Windows.WARP.JITService.exe, logagent.exe, winver.exe, chkdsk.exe, schtasks.exe, shrpubw.exe, bitsadmin.exe, dcomcnfg.exe, isoburn.exe, mcbuilder.exe, replace.exe, RunLegacyCPLElevated.exe,
    charmap.exe, label.exe, timeout.exe, instnm.exe, eudcedit.exe, ntprint.exe, openfiles.exe, verifiergui.exe, WPDShextAutoplay.exe, dialer.exe, ctfmon.exe, SpatialAudioLicenseSrv.exe, TRACERT.EXE, calc.exe, subst.exe, xcopy.exe, SearchProtocolHost.exe, fc.exe, iscsicli.exe,
    odbcconf.exe, SystemPropertiesPerformance.exe, TCPSVCS.EXE, cipher.exe, ipconfig.exe, Netplwiz.exe, provlaunch.exe, recover.exe, shutdown.exe, waitfor.exe, chkntfs.exe, expand.exe, RpcPing.exe, agentactivationruntimestarter.exe, dvdplay.exe, poqexec.exe, rdrleakdiag.exe, comp.exe, autochk.exe,
    clip.exe, dplaysvr.exe, mountvol.exe, msinfo32.exe, write.exe, IME\SHARED\imecfmui.exe, userinit.exe, SystemPropertiesRemote.exe
  Only SysWOW64 appears because the sample is 32-bit: WoW64 file system redirection maps its opens of C:\Windows\System32 to SysWOW64. Opening every executable it finds for modification is consistent with a file infector rather than a dropper, so every 32-bit PE on an affected host should be treated as suspect until its signature is verified.
Drops file in Program Files directory (64 IoCs; capped list, not exhaustive)
  Process for every entry: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe. M = File opened for modification, C = File created. Names ending in "$" are the report's literal paths (temporary copies written next to the target executable).
    M C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe
    M C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe
    C C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    M C:\Program Files\Java\jre-1.8\bin\java.exe
    M C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe
    C C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE
    M C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe$
    M C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe$
    M C:\Program Files\Java\jdk-1.8\bin\ktab.exe$
    M C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE
    M C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
    M C:\Program Files\Microsoft Office\root\Office16\msoev.exe
    M C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE$
    C C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
    M C:\Program Files\Java\jdk-1.8\bin\xjc.exe$
    M C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe
    M C:\Program Files\Java\jdk-1.8\bin\jjs.exe
    M C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE$
    M C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe
    M C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe
    C C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    C C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
    C C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe
    M C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe$
    M C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
    C C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
    C C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE
    C C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
    M C:\Program Files\Mozilla Firefox\maintenanceservice.exe$
    M C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
    C C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
    M C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
    C C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    M C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
    M C:\Program Files\Microsoft Office\root\Integration\Integrator.exe$
    M C:\Program Files\Microsoft Office\root\Integration\Integrator.exe
    M C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe
    C C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe
    M C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe$
    C C:\Program Files\Java\jdk-1.8\bin\ktab.exe
    M C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
    C C:\Program Files\Java\jdk-1.8\bin\klist.exe
    M C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
    M C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
    C C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
    C C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
    M C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
    C C:\Program Files\Mozilla Firefox\firefox.exe
    M C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
    C C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe
    C C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
    C C:\Program Files\Java\jre-1.8\bin\javaws.exe
    M C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe$
    M C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe
    C C:\Program Files\Java\jdk-1.8\bin\javah.exe
    C C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe
    M C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe
    C C:\Program Files\Mozilla Firefox\crashreporter.exe
    M C:\Program Files\Windows Media Player\wmpconfig.exe
    M C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe
    M C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe$
    M C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe$
    M C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    M C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$
Drops file in Windows directory (64 IoCs; capped list, not exhaustive)
  Process for every entry: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe. M = File opened for modification, C = File created. Names ending in "$" are the report's literal paths.
    M C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe
    M C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe
    M C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
    M C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
    M C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    M C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe$
    C C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe
    M C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    M C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe
    M C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    M C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
    C C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    M C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe
    M C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe
    M C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe
    C C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
    M C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\AddSuggestedFoldersToLibraryDialog.exe
    M C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\OOBENetworkCaptivePortal.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
    M C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    M C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe
    M C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe
    M C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe
    M C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe$
    M C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    M C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe
    M C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    M C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    C C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe
    M C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe
    M C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    M C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
    M C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\NcsiUwpApp.exe
    M C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe$
    M C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe
    M C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    M C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\PinningConfirmationDialog.exe
    M C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe
    M C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
    M C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    M C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\BioEnrollmentHost.exe
    M C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe
    C C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe
    M C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe
    M C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    M C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    M C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\FilePicker.exe
    M C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$
    M C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    M C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe
    M C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    M C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    M C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe$
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    M C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
    M C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe
    M C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
    M C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Unlike SysWOW64, these paths include 64-bit and .NET Framework64 binaries, which a 32-bit process can reach without redirection; the .NET tools listed here (MSBuild, InstallUtil, RegAsm, RegSvcs, AddInProcess32) are also common execution proxies, so a tampered copy should be restored from a trusted source rather than left in place.
NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
  (This is the same IoC that fires "Drops autorun.inf file" above.)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 224, process a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
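As an added example (not part of the tria.ge report and not code from the sample), the following PowerShell function checks a Windows host for the three kinds of host-side indicator listed in the Signatures section: the WinFirewall Run value, the autorun.inf alternate data stream on a user's Temp directory, and executables under the touched directories whose Authenticode or catalog signature no longer verifies or that carry the ".exe$" suffix seen in the file lists. The function name Invoke-NeikiTriage and the default ScanRoots are the editor's choices; reading the report's path "...\Temp\:\autorun.inf" as a named stream on the Temp directory itself is an assumption; the sandbox user "Admin" is replaced by a wildcard over all profiles. It needs an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added host-triage script for the indicators in this report (editor's example,
# not tria.ge output). Assumes an elevated Windows PowerShell 5.1+ session.
function Invoke-NeikiTriage {
    [CmdletBinding()]
    param(
        # Roots whose executables the sample opened for modification (editor's default).
        [string[]] $ScanRoots = @(
            (Join-Path $env:SystemRoot 'SysWOW64'),
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            (Join-Path $env:SystemRoot 'Microsoft.NET')
        )
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Persistence: machine-wide autostart under the WOW6432Node Run key
    #    (value name and path taken from the report).
    $runKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'WinFirewall' -ErrorAction SilentlyContinue
    if ($run) {
        $findings.Add([pscustomobject]@{ Indicator = 'Run value'; Detail = "WinFirewall = $($run.WinFirewall)" })
    }

    # 2. Spreading: autorun.inf stored as an NTFS alternate data stream on the Temp
    #    directory. Assumption: the report's "Temp\:\autorun.inf" is a named stream
    #    on the directory, so enumerate streams on each user's Temp folder.
    foreach ($temp in (Get-Item -Path 'C:\Users\*\AppData\Local\Temp' -ErrorAction SilentlyContinue)) {
        $streams = Get-Item -LiteralPath $temp.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq 'autorun.inf') {
                $findings.Add([pscustomobject]@{ Indicator = 'NTFS ADS'; Detail = "$($temp.FullName):$($s.Stream)" })
            }
        }
    }

    # 3. Tampered binaries: any .exe under the scan roots whose signature (embedded
    #    or catalog) does not verify, plus "<name>.exe$" leftovers like those listed
    #    in the report beside the files that were opened for modification.
    foreach ($root in ($ScanRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.exe\$?$' } |
            ForEach-Object {
                if ($_.Name.EndsWith('$')) {
                    $findings.Add([pscustomobject]@{ Indicator = 'Leftover .exe$'; Detail = $_.FullName })
                    return   # next file
                }
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $findings.Add([pscustomobject]@{ Indicator = "Signature $($sig.Status)"; Detail = $_.FullName })
                }
            }
    }
    return $findings
}

Invoke-NeikiTriage | Format-Table -AutoSize
```

Read the signature column with care: HashMismatch on a Microsoft binary is the strong signal, while NotSigned on third-party tools under Program Files (several of the Java utilities in the list above ship unsigned) can be benign, so confirm those against a known-good install. For the system directories, sfc /verifyonly gives an independent check against the component store. The report's file lists are capped at 64 entries per signature, which is why the script walks whole roots instead of checking only the paths printed here.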
Processes
  C:\Users\Admin\AppData\Local\Temp\a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe (PID 224)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe"
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
  The tree contains this single process; no child process is listed.
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 650KB
  MD5: 6679b00cdba89ecfe0377f9582a149d5
  SHA1: 295403a27ee3dac726f995dc0904dadc91730b4b
  SHA256: 76b1927cb496ac14e1c1295e824f445ee07a883c3e684352f484e91236ae9e83
  SHA512: e9906d34169d6f6e2e77b4c9eaf8557f3c626b996a46a34b1f811b8eb05db99da89ff932d71c7185ce187e4ffce7525460962610ed18d6e541e4a54e221f6e80