Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-x6vmeszflm
Target 92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8
SHA256 92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8

Threat Level: Likely malicious

The file 92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (1829) files with added filename extension

Renames multiple (520) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:28

Reported

2024-10-05 19:29

Platform

win10v2004-20240802-en

Max time kernel

59s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

Signatures

Renames multiple (1829) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_cpack.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msado28.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msader15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_cpack.exe

"_cpack.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 5af944cf740d2192d144419d30762476
SHA1 363dd67cf6512196afed71bd203f28f14e10a69e
SHA256 d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5
SHA512 b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148

C:\Users\Admin\AppData\Local\Temp\_cpack.exe

MD5 caad373422b474737f4d76fb82379581
SHA1 6804be1ae8bfd3858e0053915f75d4b611790bc5
SHA256 22c0d54e96431ebae4d40546f4efe6af61d1a9644710f93dc32ec2ca6cf2ba75
SHA512 dbaba0bc94aaeddb9811b0b9fd923f763ef8c7e290153e21e295230fdbe9c683dbf0b096eda3a3eb06e4ff9733cb3e9906737a1b5ee8e6af034680c198b95dd5

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.exe

MD5 45c36dc95d84d0250a4d19c1d76b981e
SHA1 2c77854577cda1248348bdb4c81a7ddbb0ea9d7d
SHA256 f095974e9cdc4daebca299160de3d18b23662a99ce7ab410e3ad55c4b72da1fc
SHA512 e01540aab9b74cdd0dc1d52e852fd74557a5388b4c6acefdc5bf378576f97d1f5836596efa42fa7cbd1bfa63e567dd03e6b01fdc6c77049f6d180039158d58cc

memory/2784-19-0x0000000000650000-0x0000000000678000-memory.dmp

memory/2784-20-0x00007FFC36753000-0x00007FFC36755000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:28

Reported

2024-10-05 19:29

Platform

win7-20240708-en

Max time kernel

59s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

Signatures

Renames multiple (520) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_cpack.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\lij.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Services\verisign.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\directshowtap.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msader15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\CompressApprove.wdp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_cpack.exe

"_cpack.exe"

Network

N/A

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 5af944cf740d2192d144419d30762476
SHA1 363dd67cf6512196afed71bd203f28f14e10a69e
SHA256 d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5
SHA512 b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148

C:\Users\Admin\AppData\Local\Temp\_cpack.exe

MD5 caad373422b474737f4d76fb82379581
SHA1 6804be1ae8bfd3858e0053915f75d4b611790bc5
SHA256 22c0d54e96431ebae4d40546f4efe6af61d1a9644710f93dc32ec2ca6cf2ba75
SHA512 dbaba0bc94aaeddb9811b0b9fd923f763ef8c7e290153e21e295230fdbe9c683dbf0b096eda3a3eb06e4ff9733cb3e9906737a1b5ee8e6af034680c198b95dd5

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 9b9bb6cbf171f85a72e240ac86c821dc
SHA1 f0d4fa8695a44a5243b5b7868585aacf0086301e
SHA256 a60fa6fe78f414b941ffe41d12ef38d12eae2b4d4174c02e064659df39252a6a
SHA512 5d191c6c6867b8c1a8e46f4ef7fde2a5b6801c39e2324d6dcaabef79845f075ca1a8eca2c0f77c98a34a6dbbed27d906b5711b135e4f095873f039cfa6154407

memory/2632-19-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

memory/2632-20-0x0000000000920000-0x0000000000948000-memory.dmp