Malware Analysis Report

2024-10-18 23:52

Sample ID 210306-pfhc83235s
Target drpbx.exe
SHA256 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
Tags
jigsaw persistence ransomware spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f

Threat Level: Known bad

The file drpbx.exe was found to be: Known bad.

Malicious Activity Summary

jigsaw persistence ransomware spyware

Suspicious use of NtCreateProcessExOtherParentProcess

Jigsaw Ransomware

Executes dropped EXE

Modifies extensions of user files

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-03-06 22:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-06 22:23

Reported

2021-03-06 22:26

Platform

win7v20201028

Max time kernel

132s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\drpbx.exe

"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe

Network

N/A

Files

memory/1924-2-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/1924-3-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/1924-4-0x0000000001F30000-0x0000000001F32000-memory.dmp

memory/1980-5-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 7fab69dcc9fbee7ca91bef27dc551f63
SHA1 fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512 ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 7fab69dcc9fbee7ca91bef27dc551f63
SHA1 fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512 ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

memory/1980-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/1980-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

memory/1924-10-0x0000000001F36000-0x0000000001F55000-memory.dmp

memory/1980-11-0x0000000001EC0000-0x0000000001EC2000-memory.dmp

memory/1980-12-0x0000000001EC6000-0x0000000001EE5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-06 22:23

Reported

2021-03-06 22:26

Platform

win10v20201028

Max time kernel

150s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 3560 created 2112 N/A C:\Windows\system32\taskmgr.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
PID 3560 created 2112 N/A C:\Windows\system32\taskmgr.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File created C:\Users\Admin\Pictures\UseInvoke.tif.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\drpbx.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\drpbx.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Services\verisign.bmp C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\eml.scale-256.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11s.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\file_icons.png.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SmallLogo.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_24x24x32.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5606_40x40x32.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SampleHeader\avatar.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_de_135x40.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\excel.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lr_60x42.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-disabled_32.svg.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\images\en-US\windows-main-08294e1b-0ad7-4937-9616-fcbc42ff7ff1.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Goal_3.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\dull_tauri.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_3.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.Professeur C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\drpbx.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\drpbx.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\drpbx.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\werfault.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\drpbx.exe

"C:\Users\Admin\AppData\Local\Temp\drpbx.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\drpbx.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\79ecef5938984a3c9c83e4f773e06057 /t 2188 /p 2112

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff8247b6e00,0x7ff8247b6e10,0x7ff8247b6e20

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.msftconnecttest.com udp
N/A 13.107.4.52:80 www.msftconnecttest.com tcp

Files

memory/3008-2-0x00007FF81EAB0000-0x00007FF81F450000-memory.dmp

memory/3008-3-0x0000000000B40000-0x0000000000B42000-memory.dmp

memory/2112-4-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 7fab69dcc9fbee7ca91bef27dc551f63
SHA1 fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512 ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 7fab69dcc9fbee7ca91bef27dc551f63
SHA1 fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512 ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\drpbx.exe.log

MD5 6a0f54467260893b55f9d04c3bad702c
SHA1 177b81fe0d1f2635804306c25e622cc546bbef38
SHA256 74657b15056a650a40c348f59a214432828d761c1ee5f30e222af86f445e5f31
SHA512 6a70e703ecb8b2d46cce99002e31411eaeb2578062dd65378ed9c0a5d53ed2469b9befedd6f7b091bc0192b7152524a72cbf7cd9d611961f7a8946e8434c751e

memory/2112-8-0x00007FF81EAB0000-0x00007FF81F450000-memory.dmp

memory/2112-9-0x00000000009A0000-0x00000000009A2000-memory.dmp

memory/2112-10-0x00000000009A4000-0x00000000009A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe

MD5 7fab69dcc9fbee7ca91bef27dc551f63
SHA1 fe272f074373e80e2a00144e0fcc4de6e68cf0e3
SHA256 6f94e5747ba1aaa2bb666704ee65b37aac8aff47dbc321be2b607d47dd695e8f
SHA512 ac87841efd28941ee4b13142602b6f91a43b29136236d78ccde1ba838d453c9d9de5ab94ced8eaddb426f1b569ee8a3f593fdae04f02984b7fc337bccd0b3ae8

memory/2112-12-0x00000000009A8000-0x00000000009AA000-memory.dmp

memory/2112-13-0x00000000009AA000-0x00000000009AF000-memory.dmp

memory/2488-15-0x000001F7D0D50000-0x000001F7D0D51000-memory.dmp

memory/2488-14-0x000001F7D0D50000-0x000001F7D0D51000-memory.dmp

memory/2752-17-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 7e14ee65865d86bf5f846a2559cbba7d
SHA1 3c0a8b1ef68f0d726cabc6b100e622be82cb4069
SHA256 5328c968651001725e6f1cb7dd79105cf04f2270b0679b897caeae2d6811f9fa
SHA512 b0cb66cfd310d6bb2c7b9ec60d72b0763a9f8df99c9e19aec73fc6676de755bd7febbabf34b0ef22e643987e70bdf27d7831f6841cee198686f59164c121a3fa