Malware Analysis Report

2025-01-03 08:36

Sample ID 240611-demb7asdnl
Target 2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe
SHA256 cb0774b2436d241112996d10ff8cb962d6e461d49fb6b0e16423d07a895b241a
Tags discovery ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10

SHA256 cb0774b2436d241112996d10ff8cb962d6e461d49fb6b0e16423d07a895b241a

Threat Level: Likely malicious

The file 2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5276) files with added filename extension

Renames multiple (3796) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-11 02:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 02:55
Reported 2024-06-11 02:57
Platform win7-20240508-en
Max time kernel 150s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe"

Signatures

Renames multiple (3796) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\offset.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\tzmappings.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Mexico_City.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\sbdrop.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2232 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2232 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2232 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Windows\SysWOW64\Zombie.exe
PID 2232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2232 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe
PID 2156 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe

"_vcredist_x64.exe"

C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe" -burn.unelevated BurnPipe.{7C7B6BEE-0071-48EC-81F1-0867A6B6AB78} {37B3C524-8682-4843-9E3D-B08AE3A97268} 2156

Network

N/A

Files

memory/2232-0-0x0000000000400000-0x0000000000408000-memory.dmp

\Windows\SysWOW64\Zombie.exe

MD5 d1ca5bf74c2be7f82f474189183e625c
SHA1 5cb6f1fc110d50208cf2e25e1c40d4a17e0a99a5
SHA256 645133be63bdd67a3d252fa292d2539f516eab4b398a9c44253db57a45a3b7da
SHA512 f00a5b9bfa1c97fb4bd9a3781bb6370973a92737d7f0092beb81fca0a9d6658cf1864542678fefe16b6829445d6c37413584f82210749931e68b0c74e0aeb3dd

memory/2232-12-0x00000000003B0000-0x00000000003B8000-memory.dmp

\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe

MD5 38410cefc9ef3c7ffc63ac3731658e3d
SHA1 d8638f21d2cfb5d5b89883d8ef0c540dedb85692
SHA256 f351b8e3d5dafb36b7ee16146e66f8ca7ecef751a0c5aaf5356315e9f613fc72
SHA512 d17ce1ec319be3582c4153eceb94e43adb94bc3f5c8bfebb5883cb425fe4a274cfd1a1ce1321c7b9b6a9695c1bc573f0702072a74cca2b932998b8de94e75e6d

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.tmp

MD5 16b30a98c0c99f4c79b635463145a1d2
SHA1 a9f3a7a3debb947b5bbdd6e92a0e5d4b6400ab3e
SHA256 5f9ad23d879bb51113eab7cfc16b22c0b8b8802e76de4f9c3de8a77447684805
SHA512 62aa375ee1f0885e913530b2676ba06682668803cc75ce3e8d7d739089331de75d2ab04d8d0ea31351cce6e98b6b2d6c295e2e7823e9c2c5e167197e74ef69d1

\Users\Admin\AppData\Local\Temp\{a1909659-0a08-4554-8af1-2175904903a1}\.ba1\wixstdba.dll

MD5 d7bf29763354eda154aad637017b5483
SHA1 dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

C:\Users\Admin\AppData\Local\Temp\{a1909659-0a08-4554-8af1-2175904903a1}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/2232-198-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2232-701-0x00000000003B0000-0x00000000003B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-11 02:55
Reported 2024-06-11 02:57
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe"

Signatures

Renames multiple (5276) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNG.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\COPYRIGHT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2514b379f34a15b6955ce402b8e52730_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe

"_vcredist_x64.exe"

C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe" -burn.unelevated BurnPipe.{5E5C2754-EE33-414A-A035-CB1E0CF4EE0C} {6BDD096E-7DE7-43BF-81B9-4C6ABE22A44E} 5000

Network

Files

memory/4808-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 d1ca5bf74c2be7f82f474189183e625c
SHA1 5cb6f1fc110d50208cf2e25e1c40d4a17e0a99a5
SHA256 645133be63bdd67a3d252fa292d2539f516eab4b398a9c44253db57a45a3b7da
SHA512 f00a5b9bfa1c97fb4bd9a3781bb6370973a92737d7f0092beb81fca0a9d6658cf1864542678fefe16b6829445d6c37413584f82210749931e68b0c74e0aeb3dd

C:\Users\Admin\AppData\Local\Temp\_vcredist_x64.exe

MD5 38410cefc9ef3c7ffc63ac3731658e3d
SHA1 d8638f21d2cfb5d5b89883d8ef0c540dedb85692
SHA256 f351b8e3d5dafb36b7ee16146e66f8ca7ecef751a0c5aaf5356315e9f613fc72
SHA512 d17ce1ec319be3582c4153eceb94e43adb94bc3f5c8bfebb5883cb425fe4a274cfd1a1ce1321c7b9b6a9695c1bc573f0702072a74cca2b932998b8de94e75e6d

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

MD5 7a6ee0286dbc1f62ab28004d6e1e219b
SHA1 8c808246c01b057ff188dbbb93496d57c66b930d
SHA256 7619f4064723fb2a1aa164531345162fc98e76c7d699d13a643e0c11f4817298
SHA512 d9bf810abcca0a15ec621e2c166df42accfaa69d16d9f108ea6a0aa53c5eba27bb5b83c0632442a7e56183503225ff12be8298660d01f0b02b8c86181a805eab

C:\Users\Admin\AppData\Local\Temp\{a1909659-0a08-4554-8af1-2175904903a1}\.ba1\wixstdba.dll

MD5 d7bf29763354eda154aad637017b5483
SHA1 dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

C:\Users\Admin\AppData\Local\Temp\{a1909659-0a08-4554-8af1-2175904903a1}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/4808-1809-0x0000000000400000-0x0000000000408000-memory.dmp