Malware Analysis Report

2025-03-15 08:20

Sample ID 241020-xmfzxswfpm
Target b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N
SHA256 b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1

Threat Level: Likely malicious

The file b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3273) files with added filename extension

Renames multiple (4277) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:58

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:58

Reported

2024-10-20 19:00

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe"

Signatures

Renames multiple (3273) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_checksum.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadds.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Zurich.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Chess\Chess.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\LockSync.mp2.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\iexplore.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Regina.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\sunmscapi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\EST.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\rtstreamsink.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\mozavutil.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\java_crw_demo.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Users\Admin\AppData\Local\Temp\_checksum.exe
PID 1016 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Users\Admin\AppData\Local\Temp\_checksum.exe
PID 1016 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Users\Admin\AppData\Local\Temp\_checksum.exe
PID 1016 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Users\Admin\AppData\Local\Temp\_checksum.exe
PID 1016 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Windows\SysWOW64\Zombie.exe
PID 1016 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Windows\SysWOW64\Zombie.exe
PID 1016 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Windows\SysWOW64\Zombie.exe
PID 1016 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe

"C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe"

C:\Users\Admin\AppData\Local\Temp\_checksum.exe

"_checksum.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

memory/1016-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_checksum.exe

MD5 23f049f14ca0e68af4b9883514791dfe
SHA1 1224ecfda221e54d4536a4ac102a56235320ee25
SHA256 9562aabe1f71d7ff5ec879fd2fb5cfe4be2c8f62a7fa5a1aa49660c3a495f1fb
SHA512 ce91cd089a299ba88f047cf15fd06673389942dabbf8be5bf2e2666e1048bc6da261ce30cae1e2ecb3b50392441a335bf97cc4ed51540554bedabe65590be677

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

MD5 578e32e47b1778e975b843812a5c05b4
SHA1 3027bb73f33170931883708fd479efd22630726c
SHA256 2eaa067d475503dcdf9c1b0c352f0148524e13ff85acdf45a8da128a5e9ef5a6
SHA512 a5fc30044fd4330045dd383dbad59df3334c120f6763778686970775d291449f68b7ad5e746d881ca77ad1d66fc68fe22e0307990c088156d070342919f21e0c

memory/2252-18-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 eb56941b8e19f1a0c72dce23b5e428f0
SHA1 fcdc899edc98196aa23844d878c7746837a4a1a3
SHA256 478e3cebc519ec8a0100331842a6200a8127408f2bf1a89689f076798d6e5bd0
SHA512 22ca82c9615e6b7140d2be9a8722c6c1f192a101198a7d83bd0a141d42b6f6e43a539b98e8a3ccaa0807f547b089642bf1068935a864253b73a4971fbcfc7a8e

memory/1016-16-0x00000000002B0000-0x00000000002BA000-memory.dmp

memory/1016-15-0x00000000002B0000-0x00000000002BA000-memory.dmp

memory/2288-23-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

memory/2288-24-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

memory/2288-28-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:58

Reported

2024-10-20 19:00

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe"

Signatures

Renames multiple (4277) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_checksum.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\images\bing.ico.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe

"C:\Users\Admin\AppData\Local\Temp\b769301c55d7cd21ac3fa85222b87625f2927b0e0ac39b2eee774184528c83a1N.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_checksum.exe

"_checksum.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4052-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_checksum.exe

MD5 23f049f14ca0e68af4b9883514791dfe
SHA1 1224ecfda221e54d4536a4ac102a56235320ee25
SHA256 9562aabe1f71d7ff5ec879fd2fb5cfe4be2c8f62a7fa5a1aa49660c3a495f1fb
SHA512 ce91cd089a299ba88f047cf15fd06673389942dabbf8be5bf2e2666e1048bc6da261ce30cae1e2ecb3b50392441a335bf97cc4ed51540554bedabe65590be677

C:\Windows\SysWOW64\Zombie.exe

MD5 eb56941b8e19f1a0c72dce23b5e428f0
SHA1 fcdc899edc98196aa23844d878c7746837a4a1a3
SHA256 478e3cebc519ec8a0100331842a6200a8127408f2bf1a89689f076798d6e5bd0
SHA512 22ca82c9615e6b7140d2be9a8722c6c1f192a101198a7d83bd0a141d42b6f6e43a539b98e8a3ccaa0807f547b089642bf1068935a864253b73a4971fbcfc7a8e

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.exe

MD5 a5e33f9547f1e9d78c94d41cd7d6a580
SHA1 fc42ea651850432651c2093dea65ae8eb0654528
SHA256 598f375a3f4a79ab86f1c746d526f6947db82555a3ca5e071223587c82e43998
SHA512 8b4666313a591ea080b7d6016711bec0297e73d4b3594b572b849b616e90db2a4232cdf11cc541b1c3a60bff4f6a36c64098ec95bb408e635fc29546c3645b0e

memory/3852-23-0x00007FFBFB083000-0x00007FFBFB085000-memory.dmp

memory/3852-20-0x0000000000510000-0x000000000051E000-memory.dmp

memory/3852-31-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

memory/4052-35-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3852-801-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp