Analysis Overview
SHA256
57a6faecce8f65cfa66e2cd2e16283e4862fbe8f4717ccde2600deeedb296cce
Threat Level: Shows suspicious behavior
The file aa120751f3688034d1c09796fb6a4710_NEIKI was classified as: shows suspicious behavior. In summary, it is an unsigned, ASPack-packed PE that enumerates drives, opens existing executables under Program Files for modification, and re-schedules itself through at.exe (details in the behavioral analyses below).
Malicious Activity Summary
ASPack v2.12-2.42
Enumerates connected drives
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 00:18
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
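The ASPack signature above is a static match on the packer stub, with no runtime indicator attached. The following script is an added example (Python, not part of the report or of the sandbox) of the two cheap checks a triage analyst would run to confirm it on a fresh sample: the section names ASPack leaves behind and the entropy of the packed section. The section names .aspack and .adata and the 7.0 entropy threshold are assumptions of this example, and the PE images are constructed in memory so the script runs offline.

```python
"""Heuristic packer check: ASPack-style section names plus section entropy.

Added example, not sandbox code. ASPACK_SECTION_NAMES and HIGH_ENTROPY are
assumptions; the PE images built by build_pe() are constructed test data.
"""
import math
import random
import struct

ASPACK_SECTION_NAMES = {b".aspack", b".adata"}   # assumed ASPack section names
HIGH_ENTROPY = 7.0                                # assumed threshold (max 8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return [(name, raw_bytes)] for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def aspack_verdict(pe: bytes) -> dict:
    """Report which ASPack section names are present and which sections
    look packed by entropy."""
    sections = parse_sections(pe)
    entropies = {name.decode(errors="replace"): round(shannon_entropy(d), 2)
                 for name, d in sections}
    present = {name for name, _ in sections} & ASPACK_SECTION_NAMES
    return {
        "aspack_sections": sorted(n.decode() for n in present),
        "packed_sections": sorted(n for n, e in entropies.items() if e >= HIGH_ENTROPY),
        "entropy": entropies,
    }


def build_pe(sections) -> bytes:
    """Construct a minimal PE (DOS stub, signature, COFF header, empty
    optional header, section table, raw data) as offline test input."""
    e_lfanew = 0x40
    opt_size = 0
    data_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, body = bytearray(), bytearray()
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0,
                               len(data), data_ptr, 0, 0, 0, 0, 0)
        body += data
        data_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(headers) + bytes(body)


# Constructed samples: one with ASPack layout and a high-entropy section,
# one plain binary with low-entropy sections.
_rng = random.Random(1)
PACKED_PE = build_pe([
    (b".text", b"\x00" * 512),
    (b".aspack", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".adata", b"\x00" * 256),
])
PLAIN_PE = build_pe([
    (b".text", b"\x90" * 64 + b"hello, world\0" * 8),
    (b".data", b"\x00" * 128),
])

if __name__ == "__main__":
    print(aspack_verdict(PACKED_PE))
    print(aspack_verdict(PLAIN_PE))
```

Section names alone are easy for an attacker to rename, which is why the entropy result is kept alongside them; a sample that matches neither check still needs a look at its entry point and import table before the packer is ruled out.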
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 00:18
Reported
2024-05-09 00:21
Platform
win7-20240419-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\b: | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Defender\MpCmdRun.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe"
C:\Windows\SysWOW64\at.exe
at 1 /delete /yes
C:\Windows\SysWOW64\at.exe
at 12:23:32 AM "C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe"
Network
Files
memory/2208-8-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
| MD5 | e7dc3153b95fc3afeb74ff63943236f5 |
| SHA1 | 856bd30f5b2185ec9958feed4fc8ef694c6050ab |
| SHA256 | e281d0046b927bebc46ef07f7bd35fb46f5bc17b2f8c00f44bdcfc8677e12c94 |
| SHA512 | 0265d0a4ee5f541252f0afe08f3e4c5e1eb95a1bffdfe2379032d5ed782eb5d944c830fcc283ec20acac91efa798bf51649d21b449b5899965114c959c1a570f |
memory/2208-17-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-23-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-45-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-55-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-66-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-78-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-88-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-98-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-110-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-120-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-131-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2208-141-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 00:18
Reported
2024-05-09 00:21
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\b: | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\lcms.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\xerces.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\dotnet\dotnet.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\dom.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\asm.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\icu.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\icu.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre-1.8\legal\jdk\xalan.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Client\AppVLP.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | N/A |
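Every row in the "Drops file in Program Files directory" tables of behavioral1 and behavioral2 is a pre-existing executable (and on Windows 10 also .md licence files) opened for modification, not a newly dropped file, and the Files sections record post-run hashes for MSOXMLED.EXE and appvcleaner.exe. The on-disk effect to look for on a real host is therefore changed digests of installed binaries. The script below is an added example (Python, not part of the report) of a baseline-and-diff integrity check that exposes exactly that. The directory layout, file contents and the "infection" step are constructed in a temporary folder so it runs offline; tracking only .exe files is an assumption of the example, and a real deployment would include whatever the indicator list shows.

```python
"""Baseline-and-diff integrity check for executables under a directory tree.

Added example, not sandbox code. Builds a manifest of SHA-256 digests for
*.exe files, then reports files whose digest changed. The tree and the
'infection' are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe"}   # assumption: only PE executables are tracked


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path (forward slashes) -> sha256 for each executable."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def diff_manifests(before: dict, after: dict) -> dict:
    """Classify entries as modified, added or removed between two manifests."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def simulate_infection(program_files: Path) -> dict:
    """Constructed scenario: take a baseline, overwrite two existing
    executables named in the report's indicators, drop a new one, re-scan."""
    before = build_manifest(program_files)
    for rel in ("Java/jdk-1.8/bin/jstack.exe",
                "Common Files/microsoft shared/ClickToRun/appvcleaner.exe"):
        target = program_files / rel
        target.write_bytes(b"INFECTED-STUB" + target.read_bytes())  # constructed change
    (program_files / "dropped.exe").write_bytes(b"MZ-new")           # constructed drop
    after = build_manifest(program_files)
    return diff_manifests(before, after)


def demo() -> dict:
    """Build a constructed Program Files tree and run the check end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Program Files"
        layout = {
            "Java/jdk-1.8/bin/jstack.exe": b"MZ-jstack",
            "Java/jdk-1.8/legal/jdk/asm.md": b"license text",
            "Common Files/microsoft shared/ClickToRun/appvcleaner.exe": b"MZ-appvcleaner",
            "7-Zip/7zG.exe": b"MZ-7zG",
        }
        for rel, content in layout.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        return simulate_infection(root)


if __name__ == "__main__":
    print(demo())
```

On a live host the baseline must come from a known-good image or package manifest taken before the incident; a manifest built after the sample ran would simply bless the modified binaries.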
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2204 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | C:\Windows\SysWOW64\at.exe |
| PID 2204 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | C:\Windows\SysWOW64\at.exe |
| PID 2204 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | C:\Windows\SysWOW64\at.exe |
| PID 2204 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | C:\Windows\SysWOW64\at.exe |
| PID 2204 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | C:\Windows\SysWOW64\at.exe |
| PID 2204 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe | C:\Windows\SysWOW64\at.exe |
Both targets (PIDs 536 and 1300) are the at.exe instances the sample itself spawns (see Processes below). Parent-to-child writes of this kind are commonly observed when a WoW64 process creates a child, so this signature should be read together with the at.exe command lines rather than as injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe"
C:\Windows\SysWOW64\at.exe
at 1 /delete /yes
C:\Windows\SysWOW64\at.exe
at 12:23:36 AM "C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe"
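In both behavioral runs the process tree is the same: the sample deletes scheduled job 1 (`at 1 /delete /yes`) and then schedules its own path to run a few minutes after submission (`at 12:23:32 AM` on Windows 7, `at 12:23:36 AM` on Windows 10), which is a self re-arming persistence pattern via the AT scheduler. The report shows no evidence that the job was actually created; at.exe is deprecated on current Windows releases in favour of schtasks, so on a real host the Task Scheduler log should be checked rather than inferring success from the process creation. The script below is an added example (Python, not part of the report or the sandbox) of the detection logic run over constructed Sysmon-style process-creation events. Field names (Image, ParentImage, CommandLine, ParentProcessId, UtcTime), the user-writable path markers and the 30-second re-arm window are assumptions of the example.

```python
"""Detect a process re-scheduling itself through at.exe: a job delete
followed by 'at <time> "<path>"' pointing at the parent or a user-writable
location. Added example, not sandbox code; the events are constructed
Sysmon-style records and the field names are assumptions.
"""
import re
from datetime import datetime, timedelta

SCHEDULE_RE = re.compile(
    r'^\s*at(?:\.exe)?\s+(\d{1,2}:\d{2}(?::\d{2})?\s*(?:AM|PM)?)\s+"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)
DELETE_RE = re.compile(r"^\s*at(?:\.exe)?\s+(\d+|/?all)\s+/delete(?:\s+/yes)?\s*$",
                       re.IGNORECASE)
# Assumed markers for locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
REARM_WINDOW = timedelta(seconds=30)   # assumed: delete -> schedule gap


def _is_at(image: str) -> bool:
    return image.lower().endswith(("\\at.exe", "/at.exe"))


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect_at_rearm(events):
    """Return one finding per at.exe launch that schedules the parent image,
    a binary in a user-writable path, or follows a job delete from the same
    parent inside REARM_WINDOW."""
    findings = []
    last_delete = {}   # parent pid -> time of the last 'at <id> /delete'
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not _is_at(ev["Image"]):
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        cmd, ppid = ev["CommandLine"], ev["ParentProcessId"]
        if DELETE_RE.match(cmd):
            last_delete[ppid] = ts
            continue
        m = SCHEDULE_RE.match(cmd)
        if not m:
            continue
        when, target = m.group(1), m.group(2).strip()
        reasons = []
        if target.lower() == ev["ParentImage"].lower():
            reasons.append("schedules its own parent image")
        if _user_writable(target):
            reasons.append("target is in a user-writable path")
        if ppid in last_delete and ts - last_delete[ppid] <= REARM_WINDOW:
            reasons.append("job delete followed by new schedule from same parent")
        if reasons:
            findings.append({"parent": ev["ParentImage"], "time": when,
                             "target": target, "reasons": reasons})
    return findings


# Constructed events mirroring the behavioral2 process tree, plus one benign
# administrative use of at.exe that must not fire.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa120751f3688034d1c09796fb6a4710_NEIKI.exe"
EVENTS = [
    {"UtcTime": "2024-05-09 00:18:40", "Image": r"C:\Windows\SysWOW64\at.exe",
     "ParentImage": SAMPLE, "ParentProcessId": 2204, "CommandLine": "at 1 /delete /yes"},
    {"UtcTime": "2024-05-09 00:18:41", "Image": r"C:\Windows\SysWOW64\at.exe",
     "ParentImage": SAMPLE, "ParentProcessId": 2204,
     "CommandLine": f'at 12:23:36 AM "{SAMPLE}"'},
    {"UtcTime": "2024-05-09 00:19:00", "Image": r"C:\Windows\System32\at.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4100,
     "CommandLine": r'at 02:00 "C:\Program Files\Backup\nightly.exe"'},
]

if __name__ == "__main__":
    for finding in detect_at_rearm(EVENTS):
        print(finding)
```

The same three conditions translate directly to a SIEM rule on process-creation events; the parent-image match is the strongest of them, since a legitimate administrative `at` job is not scheduled by the binary it points to.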
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
No process is attributed to these connections, the Windows 7 run recorded no network activity at all, and traffic to bing.com hosts plus reverse lookups of the sandbox's own resolver results is typical Windows 10 background activity. Treat these destinations as sandbox noise rather than sample command-and-control unless a packet capture ties them to PID 2204.
Files
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | 4cd48bbddd29ca31d34a9d67fc3a2075 |
| SHA1 | f85bbfa79f2671bb38aefaa908178ec5fe130dfb |
| SHA256 | ce92525ccc1032ab71607dd0c98509f17539edb78d2ea1ee7fe280d4951f55b6 |
| SHA512 | 04ab035119a4e3ba29aef947318f8cfea588a24dbb357ab24f20e5520ea9853e3f824d07429e5da2e3e4c19ba063cb88257ea5ae417189727e7179d740e7fcaf |
memory/2204-14-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-21-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-31-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-39-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-49-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-59-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-69-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-81-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-92-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-102-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-275-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-288-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-380-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2204-390-0x0000000000400000-0x0000000000428000-memory.dmp