Malware Analysis Report

2025-08-11 01:47

Sample ID 241005-x83e2szfrj
Target 92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8
SHA256 92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8

Threat Level: Likely malicious

The file 92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (961) files with added filename extension

Renames multiple (3748) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:32

Reported

2024-10-05 19:34

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

Signatures

Renames multiple (3748) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_cpack.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\keytool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Baku.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\server\jvm.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Journal\Templates\Music.jtp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_cpack.exe

"_cpack.exe"

Network

N/A

Files

\Windows\SysWOW64\Zombie.exe

MD5 5af944cf740d2192d144419d30762476
SHA1 363dd67cf6512196afed71bd203f28f14e10a69e
SHA256 d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5
SHA512 b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148

\Users\Admin\AppData\Local\Temp\_cpack.exe

MD5 caad373422b474737f4d76fb82379581
SHA1 6804be1ae8bfd3858e0053915f75d4b611790bc5
SHA256 22c0d54e96431ebae4d40546f4efe6af61d1a9644710f93dc32ec2ca6cf2ba75
SHA512 dbaba0bc94aaeddb9811b0b9fd923f763ef8c7e290153e21e295230fdbe9c683dbf0b096eda3a3eb06e4ff9733cb3e9906737a1b5ee8e6af034680c198b95dd5

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 943bc1b052463e3cc4e2214f90e4211a
SHA1 bd7c2ec926d39f51beb3a82d353a3bfb513f2ae2
SHA256 af44ce5c42d1728342fb417c1e2307677b3b857fea2929606ecadb53f11ead8d
SHA512 c888deae1d042b892d2ef201b9b40861ca84fe25417b3da44b5e603e1893fc3dc304e1da4855c07bd0e8f785579a8919f3160558e1c86fed81b26e4595a3f2b4

memory/2196-19-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

memory/2196-20-0x00000000011F0000-0x0000000001218000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:32

Reported

2024-10-05 19:33

Platform

win10v2004-20240802-en

Max time kernel

31s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

Signatures

Renames multiple (961) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_cpack.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\yo.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\hy.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Services\verisign.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe

"C:\Users\Admin\AppData\Local\Temp\92f96fb27c1adfbfc8d7bc43795268957c9717c38200f9b3ea78818e6c7a30d8.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_cpack.exe

"_cpack.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 5af944cf740d2192d144419d30762476
SHA1 363dd67cf6512196afed71bd203f28f14e10a69e
SHA256 d450ad7ccae673bd9f292caf4dc4b78d20b8a133036bb931cf5fa8d24e1163a5
SHA512 b29406b5c0125c408f600ef91079be3e0239397ba664227e139e44946f828c35485ea0af3a5423f84c0818e03bc698b4c9b0e3b5d303d86ad0e632d26264a148

C:\Users\Admin\AppData\Local\Temp\_cpack.exe

MD5 caad373422b474737f4d76fb82379581
SHA1 6804be1ae8bfd3858e0053915f75d4b611790bc5
SHA256 22c0d54e96431ebae4d40546f4efe6af61d1a9644710f93dc32ec2ca6cf2ba75
SHA512 dbaba0bc94aaeddb9811b0b9fd923f763ef8c7e290153e21e295230fdbe9c683dbf0b096eda3a3eb06e4ff9733cb3e9906737a1b5ee8e6af034680c198b95dd5

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.exe

MD5 c2bdb63cc4fc4400e0f577a47618c338
SHA1 5137e6f5fd7c43f694823b77ea8f5d18724825ac
SHA256 d0c53a384e6015ceb2650b94458fd48f32e3620fca5a84a0e83dff9da28492e0
SHA512 0f3af86f4ec3d2f954b6f364b86609edbda33eac94839ff90f4d2a19ce5baa3b2394f9efa1e37bd9a452fc1b00b3823aaddfc215e1545aa8ae3417444fbbe28c

memory/4684-19-0x0000000000060000-0x0000000000088000-memory.dmp

memory/4684-20-0x00007FFABC2B3000-0x00007FFABC2B5000-memory.dmp