Malware Analysis Report

2025-01-22 20:16

Sample ID 241019-12vy6sterr
Target 983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN
SHA256 983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5e
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5e

Threat Level: Likely malicious

The file 983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3272) files with added filename extension

Renames multiple (4654) files with added filename extension

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 22:09

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 22:09

Reported

2024-10-19 22:11

Platform

win7-20240708-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe"

Signatures

Renames multiple (3272) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_createdump.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\jfxmedia.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\AccessibleHandler.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\New_York.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Sitka.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\LICENSE.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Maceio.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\Common.fxh.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 964 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 964 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 964 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Users\Admin\AppData\Local\Temp\_createdump.exe
PID 964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Users\Admin\AppData\Local\Temp\_createdump.exe
PID 964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Users\Admin\AppData\Local\Temp\_createdump.exe
PID 964 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe C:\Users\Admin\AppData\Local\Temp\_createdump.exe

Processes

C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe

"C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_createdump.exe

"_createdump.exe"

Network

N/A

Files

memory/964-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_createdump.exe

MD5 9ca726be24244f2cf7e2dec95b714c46
SHA1 db976e979ec442e03799a26e861dc21847afe79a
SHA256 a6324117d0f5b16d0ecaccd1497f471495e4b3d315f1df0da66758d0bbab18af
SHA512 8e44e93e4cafba0cb6d3ad2d5f5935f5961cef0c841e534865f9f74f15f5d9007c6d304a597b97641d7cc001a1ef4675b4d19775ea7f4b9a778a882f3deeb449

C:\Windows\SysWOW64\Zombie.exe

MD5 252b81caa50d75d7b8c951ed14340710
SHA1 fe6cf9ed470284d3cbf711ec7f7d11ffee34b248
SHA256 d358d3a42c11c593df09a1e70e699319c90e1ae2aa7bfc747c97c5209fe3ae2b
SHA512 905c35dcf249d2f6f1a780b412b9a8837be77c33eb84a6f9b33a83c505bb9abf6bbf2c3b811fb7d70cc52ac77b1fdb9dc6e4bbebd3b89d09370da380d820027b

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 631cc3626c769f54cf20468907369318
SHA1 8088006b05182dff97a79066bf97084e5ddbdcd2
SHA256 5ac796c05759178173912026db56c426698979a357e300b8430a40294a0babff
SHA512 f4b113179f56cf998489df64820becc3f435667dfc6cf4338b61daf48277b5ebf1fe99e7ee864c4359783efd31b86e9dbfebaeab091c9f28b4a7745ef29b6df9

memory/964-15-0x0000000000330000-0x000000000033A000-memory.dmp

memory/964-23-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 22:09

Reported

2024-10-19 22:11

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe"

Signatures

Renames multiple (4654) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_createdump.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\meta-index.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe

"C:\Users\Admin\AppData\Local\Temp\983b802ca6c7af6a101256521d072b558582f0d39178c767926897f2505def5eN.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_createdump.exe

"_createdump.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/724-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_createdump.exe

MD5 9ca726be24244f2cf7e2dec95b714c46
SHA1 db976e979ec442e03799a26e861dc21847afe79a
SHA256 a6324117d0f5b16d0ecaccd1497f471495e4b3d315f1df0da66758d0bbab18af
SHA512 8e44e93e4cafba0cb6d3ad2d5f5935f5961cef0c841e534865f9f74f15f5d9007c6d304a597b97641d7cc001a1ef4675b4d19775ea7f4b9a778a882f3deeb449

C:\Windows\SysWOW64\Zombie.exe

MD5 252b81caa50d75d7b8c951ed14340710
SHA1 fe6cf9ed470284d3cbf711ec7f7d11ffee34b248
SHA256 d358d3a42c11c593df09a1e70e699319c90e1ae2aa7bfc747c97c5209fe3ae2b
SHA512 905c35dcf249d2f6f1a780b412b9a8837be77c33eb84a6f9b33a83c505bb9abf6bbf2c3b811fb7d70cc52ac77b1fdb9dc6e4bbebd3b89d09370da380d820027b

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe

MD5 ac6a5ff6c8ea557af672e2a1a8904c47
SHA1 3ddd381f4276e4ef06b379682a6bc5a4b7132e00
SHA256 205119e237e41155ea5800b4009691b9a6d7603d3bd26e2deab90ded0c4cc54b
SHA512 a870a40ec82a7a39a3fcc469be8d065da61ca6de5f75f243c60c356b28f35ff2b82b7f21d1822a8349989f5434cb9ef19c7caad3128e7ef0d588bc131299639c

memory/724-21-0x0000000000400000-0x000000000040A000-memory.dmp