Malware Analysis Report

2024-10-18 23:54

Sample ID 231002-n9bt2sad71
Target 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe.zip
SHA256 6247a7a4f29912882d90b9d76243ec9cf64900ed54c165e3c73d7245f48383ae
Tags
jigsaw persistence ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 6247a7a4f29912882d90b9d76243ec9cf64900ed54c165e3c73d7245f48383ae

Threat Level: Known bad

The file 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe.zip was found to be: Known bad. The SHA256 above is that of the submitted .zip archive; the executable inside it is named after its own SHA256, and the dropped copy C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe recorded in the behavioral1 Files section carries that same hash (053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa), so the sample copies itself unmodified to that location and then runs the copy.

Malicious Activity Summary

jigsaw persistence ransomware spyware stealer upx

Jigsaw Ransomware

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-02 12:05

Signatures

UPX packed file (upx)
1 match, no description, indicator, process or target recorded.

Unsigned PE
2 matches, no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 12:05

Reported

2023-10-02 12:16

Platform

win7-20230831-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe"

Signatures

Jigsaw Ransomware (ransomware, jigsaw)

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Reads user/profile data of web browsers (spyware, stealer)

UPX packed file (upx)
6 matches, no description, indicator, process or target recorded.

Adds Run key to start application (persistence)
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"
Process: C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe

Drops file in Program Files directory

Every row below is attributed to C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe (the Process column) with Target N/A. "File created" rows ending in .zemblax are the encrypted copies the sample writes; "File opened for modification" rows are the originals it processes.
Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_OliveGreen.gif.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe

"C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe
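The signature tables above are the raw material for host hunting, but their rows arrive flattened, with description, indicator, process and target run together on one line. The script below is an added example, not code from this report or from the sandbox that produced it: it parses a handful of rows copied verbatim from the behavioral1 tables into structured indicators, infers the encryption marker extension from the "File created" rows, and rewrites the sandbox's C:\Users\Admin prefix to the matching environment variable so the Run-key indicator applies to any user profile. The row-layout rule it relies on (process path contains no spaces, Target column last) and the function names are assumptions.

```python
"""Turn flattened sandbox signature rows into structured hunting indicators.

Added example: this is not code from the report or from the sandbox that
produced it. The row layout it relies on (indicator text, then a process
path without spaces, then the Target column) is taken from this page; the
function names are hypothetical.
"""
import json
import re
from collections import Counter

# Rows copied verbatim from the behavioral1 signature tables of this report.
REPORT_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
"""

# The last two columns are the process path and Target. Indicator paths may
# contain spaces ("Program Files (x86)"), process paths in this report do not,
# so the row is split from the right.
_ROW_RE = re.compile(r"^(?P<body>.*) (?P<process>[A-Za-z]:\\\S+) (?P<target>\S+)$")
_REG_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
_USER_DIRS = [  # sandbox-specific profile prefixes -> per-user variables
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.I), "%APPDATA%"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local", re.I), "%LOCALAPPDATA%"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+", re.I), "%USERPROFILE%"),
]


def ext_of(path):
    """Last extension of the file-name component of a Windows path, '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_row(row):
    """One flattened table row -> dict, or None for rows this parser does not model."""
    m = _ROW_RE.match(row.strip())
    if not m:
        return None
    body, process = m.group("body"), m.group("process")
    if body.startswith("Set value"):
        r = _REG_RE.match(body)
        if not r:
            return None
        # The sandbox doubles backslashes inside quoted registry data.
        return {"type": "registry", "key": r.group("key"), "name": r.group("name"),
                "data": r.group("data").replace("\\\\", "\\"), "process": process}
    for prefix in ("File created ", "File opened for modification "):
        if body.startswith(prefix):
            return {"type": "file", "action": prefix.strip(),
                    "path": body[len(prefix):], "process": process}
    if body.startswith("Token: "):
        return {"type": "privilege", "token": body[len("Token: "):].split()[0],
                "process": process}
    return None


def generalize(path):
    """Rewrite the sandbox's per-user profile prefix so the indicator fits any profile."""
    for rx, var in _USER_DIRS:
        if rx.match(path):
            return rx.sub(var, path, count=1)
    return path


def extract_iocs(rows_text):
    """Aggregate parsed rows into the indicators a hunter actually needs."""
    rows = [r for r in (parse_row(line) for line in rows_text.splitlines()) if r]
    run_keys = [r for r in rows if r["type"] == "registry"
                and r["key"].lower().endswith(r"\currentversion\run")]
    created = [r["path"] for r in rows if r["type"] == "file" and r["action"] == "File created"]
    touched = [r["path"] for r in rows if r["type"] == "file"
               and r["action"] == "File opened for modification"]
    # The extension that newly created files share is the encryption marker.
    new_exts = Counter(e for e in map(ext_of, created) if e)
    marker = new_exts.most_common(1)[0][0] if new_exts else None
    # Strip the marker to recover which file types were encrypted.
    targeted = set()
    for p in created:
        base = p[:-len(marker)] if marker and p.endswith(marker) else p
        targeted.add(ext_of(base))
    targeted.update(ext_of(p) for p in touched)
    targeted.discard("")
    return {
        "run_keys": [{"name": r["name"], "command": r["data"],
                      "command_any_user": generalize(r["data"])} for r in run_keys],
        "processes": sorted({r["process"] for r in rows}),
        "privileges": sorted({(r["token"], r["process"]) for r in rows if r["type"] == "privilege"}),
        "marker_extension": marker,
        "created_files": len(created),
        "targeted_extensions": sorted(targeted),
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(REPORT_ROWS), indent=2))
```

Run as a script it prints the indicator set as JSON. Splitting from the right is what makes the parser survive indicator paths with spaces, but it would misattribute a row whose process path itself contained a space, so treat the no-space rule as a property of this report rather than of sandbox output in general.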

Network

N/A

Files

memory/2424-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2424-1-0x00000000743D0000-0x000000007497B000-memory.dmp

memory/2424-2-0x00000000743D0000-0x000000007497B000-memory.dmp

memory/2424-3-0x00000000020F0000-0x0000000002130000-memory.dmp

memory/2424-4-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-5-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-9-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-7-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-11-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-13-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-15-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-17-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-19-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-21-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-23-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-25-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-29-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-33-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-35-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-39-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-43-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-45-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-49-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-53-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-55-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-57-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-63-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-61-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-67-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-65-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-59-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-51-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-47-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-41-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-37-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-31-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-27-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

memory/2424-162-0x00000000005F0000-0x00000000005F1000-memory.dmp

\Users\Admin\AppData\Local\Drpbx\drpbx.exe
(recorded three times, twice with the full path C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe, always with the hashes below; the SHA256 equals the name of the submitted executable, so the dropped file is an unmodified copy of the sample)

MD5 33862bca1fe73d44277e9ad4f0aa81e1
SHA1 e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1
SHA256 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
SHA512 08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c

memory/2424-169-0x0000000004AB0000-0x0000000004B04000-memory.dmp

memory/1528-172-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2424-174-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1528-180-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/2424-178-0x00000000743D0000-0x000000007497B000-memory.dmp

memory/1528-182-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-177-0x00000000743D0000-0x000000007497B000-memory.dmp

memory/1528-173-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-337-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

memory/1528-338-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-339-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-340-0x00000000743D0000-0x000000007497B000-memory.dmp

memory/1528-341-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-342-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-359-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-360-0x0000000002180000-0x00000000021C0000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.zemblax

MD5 000e8c41d4a15fb34d0be0dbb56e3778
SHA1 00c4eae64ee6239d7c65d819c6ce1ac329224f8c
SHA256 8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28
SHA512 775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zemblax

MD5 bd42ba47ff97fd7e395c90f79e0f9508
SHA1 c2d8069ff6d72f3c63eeeac23933e5620f649d9d
SHA256 3ad6f0a5c15cd3e24aa59e9687649e0d8d8b85789f3feef68e22b61a34a183e5
SHA512 4eb6b58c46225f6e96bf41177892131384507cd8437e314426b797797c10960db52b84abd1fbf3cd845d1ed4bb8c67d2be3099a9ff5379a04d059b0557ef7fca

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zemblax

MD5 29c6678d44aa7966ae163d70dd9f3661
SHA1 04e2608b9497905befec2c9c74931cdd14c754e8
SHA256 f7634f4769d57b1fd7ff257cafd60a0b309194e610202dfd26fc5113d0abf834
SHA512 e80a6a0270d20e255f84ee6ef285b610b79731058f88272b8246e4f0c97222cebf2113d7ae70a1a145c0bec2a94fea5cb5abff0203a8be64c634a9b9b6a3b1b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.zemblax

MD5 cfdae8214d34112dbee6587664059558
SHA1 f649f45d08c46572a9a50476478ddaef7e964353
SHA256 33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325
SHA512 c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

memory/1528-2453-0x0000000006180000-0x0000000006280000-memory.dmp

memory/1528-2452-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-2457-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1528-2458-0x0000000006180000-0x0000000006280000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-02 12:05

Reported

2023-10-02 12:15

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe"

Signatures

Jigsaw Ransomware (ransomware, jigsaw)

Checks computer location settings
Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

UPX packed file (upx)
6 matches, no description, indicator, process or target recorded.

Adds Run key to start application (persistence)
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"
Process: C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe

Drops desktop.ini file(s)
File created: C:\Windows\assembly\Desktop.ini
File opened for modification: C:\Windows\assembly\Desktop.ini
Process (both rows): C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe
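Both detonations record the same persistence (a Run value named firefox.exe pointing into %APPDATA%\Frfx), the same dropped copy under %LOCALAPPDATA%\Drpbx, and the same .zemblax marker on encrypted files, so these three indicators are the ones worth turning into a host check. The script below is an added example, not part of this report: it evaluates those indicators against a constructed host snapshot (Run values and a file listing, not collected from a real machine) for a user other than the sandbox's Admin, and includes a genuine Mozilla Firefox autostart to show that matching on the value name alone would false-positive. The snapshot format, the severity threshold and the legitimate-Firefox path pattern are assumptions.

```python
"""Hunt for this sample's persistence and encryption traces in a host snapshot.

Added example, not part of the original report. Only the indicator strings
(Run value name, the Frfx and Drpbx directories, the .zemblax marker) come
from the report; the snapshot format, the severity threshold and the
legitimate-Firefox path pattern are assumptions.
"""
import re

RUN_VALUE_NAME = "firefox.exe"  # Run value name the sample sets
BAD_DIRS = re.compile(r"\\AppData\\(Roaming\\Frfx|Local\\Drpbx)\\", re.I)
DROPPED_COPY = re.compile(r"\\AppData\\Local\\Drpbx\\drpbx\.exe$", re.I)
MARKER_EXT = ".zemblax"
# Assumed legitimate install locations for the real Firefox binary.
LEGIT_FIREFOX = re.compile(
    r"^[a-z]:\\Program Files( \(x86\))?\\Mozilla Firefox\\firefox\.exe$", re.I)


def exe_of(cmd):
    """Executable path from a Run value: the quoted part, else text up to .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split()[0]


def check_run_values(run_values):
    """run_values: iterable of (key, name, data) for every Run entry on the host."""
    findings = []
    for key, name, data in run_values:
        target = exe_of(data)
        if BAD_DIRS.search(target):
            findings.append(("run_key_bad_dir", f"{key}\\{name} -> {target}"))
        elif name.lower() == RUN_VALUE_NAME and not LEGIT_FIREFOX.match(target):
            # Same value name as the sample uses, but not where Firefox lives.
            findings.append(("run_key_firefox_impersonation", f"{key}\\{name} -> {target}"))
    return findings


def check_files(paths, min_marker_files=5):
    """Flag the dropped copy and count files carrying the encryption marker."""
    findings = []
    marked = [p for p in paths if p.lower().endswith(MARKER_EXT)]
    if marked:
        severity = "high" if len(marked) >= min_marker_files else "medium"
        findings.append((f"marker_ext_{severity}", f"{len(marked)} files end in {MARKER_EXT}"))
    findings.extend(("dropped_copy", p) for p in paths if DROPPED_COPY.search(p))
    return findings


def hunt(snapshot):
    """Run both checks over one snapshot and return (kind, detail) findings."""
    return check_run_values(snapshot["run_values"]) + check_files(snapshot["files"])


# Constructed snapshot (not collected from a real machine): a user other than the
# sandbox's "Admin", a benign autostart, a genuine Firefox autostart that shares
# the value name, and the sample's traces.
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SNAPSHOT = {
    "run_values": [
        (r"HKU\S-1-5-21-111-222-333-1001" + RUN, "OneDrive",
         r'"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
        (r"HKU\S-1-5-21-111-222-333-1001" + RUN, "firefox.exe",
         r"C:\Users\jsmith\AppData\Roaming\Frfx\firefox.exe"),
        (r"HKU\S-1-5-21-111-222-333-1002" + RUN, "firefox.exe",
         r'"C:\Program Files\Mozilla Firefox\firefox.exe" -silent'),
    ],
    "files": [
        r"C:\Users\jsmith\AppData\Local\Drpbx\drpbx.exe",
        r"C:\Users\jsmith\Documents\report.docx.zemblax",
        r"C:\Users\jsmith\Documents\budget.xlsx.zemblax",
        r"C:\Users\jsmith\Documents\notes.txt",
    ],
}

if __name__ == "__main__":
    for kind, detail in hunt(SNAPSHOT):
        print(f"{kind}: {detail}")
```

The directory match is the strong signal: the sample's Run value reuses a well-known product name, so a rule keyed on "firefox.exe" alone would fire on every Firefox install, while a rule keyed on the Frfx and Drpbx directories under AppData fires only on this family regardless of which user profile it landed in.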

Drops file in Program Files directory

As in behavioral1, every row is attributed to C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe with Target N/A, and the "File created" rows ending in .zemblax are the encrypted copies; the paths differ only because the Windows 10 image has different software installed.
Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\ApplySticker.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-256.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe

"C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 33862bca1fe73d44277e9ad4f0aa81e1
SHA1 e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1
SHA256 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
SHA512 08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c