Malware Analysis Report

2025-01-22 20:13

Sample ID 241016-xtm2ta1bkj
Target 098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa
SHA256 098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa

Threat Level: Likely malicious

The file 098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (516) files with added filename extension

Renames multiple (1753) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 19:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 19:08

Reported

2024-10-16 19:09

Platform

win7-20240903-en

Max time kernel

59s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe"

Signatures

Renames multiple (516) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\iexplore.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\Filters.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ka.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\rtstreamsink.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\iedvtool.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\Common.fxh.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\AssertUnprotect.midi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\rtstreamsource.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Windows\SysWOW64\Zombie.exe
PID 2876 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Windows\SysWOW64\Zombie.exe
PID 2876 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Windows\SysWOW64\Zombie.exe
PID 2876 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Windows\SysWOW64\Zombie.exe
PID 2876 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe
PID 2876 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe
PID 2876 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe
PID 2876 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe

"C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe

"_MpDlpCmd.exe"

Network

N/A

Files

memory/2876-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2288-14-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2876-13-0x00000000003F0000-0x00000000003FA000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 c8431053382d39f40e70d29b2280881f
SHA1 bcd563f6bd8aa0e21dfc2e11a776a788b4171307
SHA256 5ebc94558152aa0d056156f1cbba1cda237e699d9252874e902c8725ebaaca68
SHA512 1989f5be2237782b0ca320e7b2b033e6559fecfde968f50ca7e55ff8710f3ad4202f3741c835962168262856ec5dc6b314d02555e08b61e1e2f71516a00b21d4

\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe

MD5 c7c81e2467fa619d5b4a03b0fa51519c
SHA1 39c7ec92e51d72626d4f5d29d80bdf3eb46e8f7c
SHA256 e3f1eca768f304512804a54489e8a658e9906e7e0911bb869d03eff140cff5d0
SHA512 2438e68ff4cf4bc7d1b8ec9b722e882fa8863cd8690b8c6a03f17d88de1b6eb5697934413ebe4bf1221f1182db841df2ceff4b22a928f577c80968a13b81f8cd

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

MD5 cabf1f6a4714acfde8c7f95390ea75b0
SHA1 f5c9939b55bdaa0809825ff23749fb86c8ea6da4
SHA256 33d7bc94cbb818f0c47ddb7b532b9f0477f4c953d398c50d9ed12e1c0cdde092
SHA512 f49f30f361d9c7ef58d741a42ccc2508ba61ac7226665cfc4ff1e937d34265b2842705b7134837fe58f59bdb0e87ce207b287290308efd7d2d8300bd5fae3b5c

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 19:08

Reported

2024-10-16 19:09

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe"

Signatures

Renames multiple (1753) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msader15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msador28.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\ConvertDebug.zip.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe

"C:\Users\Admin\AppData\Local\Temp\098348e1c2febe7b46799f79ca4afc7ad8c2950e8d6954a0d604b9d7c154a8fa.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe

"_MpDlpCmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp

Files

memory/4008-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 c8431053382d39f40e70d29b2280881f
SHA1 bcd563f6bd8aa0e21dfc2e11a776a788b4171307
SHA256 5ebc94558152aa0d056156f1cbba1cda237e699d9252874e902c8725ebaaca68
SHA512 1989f5be2237782b0ca320e7b2b033e6559fecfde968f50ca7e55ff8710f3ad4202f3741c835962168262856ec5dc6b314d02555e08b61e1e2f71516a00b21d4

C:\Users\Admin\AppData\Local\Temp\_MpDlpCmd.exe

MD5 c7c81e2467fa619d5b4a03b0fa51519c
SHA1 39c7ec92e51d72626d4f5d29d80bdf3eb46e8f7c
SHA256 e3f1eca768f304512804a54489e8a658e9906e7e0911bb869d03eff140cff5d0
SHA512 2438e68ff4cf4bc7d1b8ec9b722e882fa8863cd8690b8c6a03f17d88de1b6eb5697934413ebe4bf1221f1182db841df2ceff4b22a928f577c80968a13b81f8cd

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 d7568af4362b35dff1b875b78d3621b0
SHA1 1512f6a4c3ead2183b420e29044f29694c8bdec2
SHA256 acc0feaa07dcc7ba2c46c1b9105a9aac842590b526570dcbb48f9c75f1b7cc1d
SHA512 6d644a00a4fd7697bc6f5d4875d0e2edebadcd579b3f2f0a3975a3cafedcde15639a6060632e89f474d7457d6a87debb386aca77873fd2d6cdbaf63d8dd203d0

memory/4008-21-0x0000000000400000-0x000000000040A000-memory.dmp