jigsaw | 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa

Resubmissions

08/10/2023, 10:02

231008-l2z6kabb3z 10

08/10/2023, 09:59

231008-l1b3cabb3s 10

27/09/2023, 16:49

230927-vb39zadg59 10

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Jigsaw2-b.exe
Size

249KB
MD5

33862bca1fe73d44277e9ad4f0aa81e1
SHA1

e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1
SHA256

053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
SHA512

08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c
SSDEEP

6144:VFVg9EpWQxCKDgqLSV2hIq45K4O4xDL1UnhvHNJ7h0W93MPNdLM7G:/VgGD4KNWViIq4pOOPipHlzsQ7

Score

10^/10

jigsaw persistence ransomware spyware stealer upx

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	Jigsaw2-b.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4236-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/files/0x00060000000231ef-170.dat	upx
behavioral1/files/0x00060000000231ef-177.dat	upx
behavioral1/files/0x00060000000231ef-176.dat	upx
behavioral1/memory/4236-181-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2824-348-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Jigsaw2-b.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Jigsaw2-b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Jigsaw2-b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar.zemblax	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-lightunplated.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management-agent.jar.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-100.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.zemblax	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-250.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-execution.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-150.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.zemblax	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_single_filetype.svg.zemblax	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-125.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-250.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48_altform-unplated.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.zemblax	drpbx.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkDrop32x32.gif	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-100.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-40_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.zemblax	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\DemoModeInk.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ExtendedSplashScreen.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-400.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml.zemblax	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html	drpbx.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.zemblax	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholder.png	drpbx.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Jigsaw2-b.exe
File created	C:\Windows\assembly\Desktop.ini	Jigsaw2-b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Jigsaw2-b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	Jigsaw2-b.exe
Token: SeDebugPrivilege	2824	drpbx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2824	4236	Jigsaw2-b.exe	87
PID 4236 wrote to memory of 2824	4236	Jigsaw2-b.exe	87
PID 4236 wrote to memory of 2824	4236	Jigsaw2-b.exe	87

C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe
"C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.zemblax

Filesize
32KB

MD5
aec7bd7c96948d97d13c7df53988e89c

SHA1
7b906b88009e7509324ae92dc8a32ae4fb38626c

SHA256
15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0

SHA512
27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif.zemblax

Filesize
160B

MD5
000e8c41d4a15fb34d0be0dbb56e3778

SHA1
00c4eae64ee6239d7c65d819c6ce1ac329224f8c

SHA256
8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

SHA512
775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zemblax

Filesize
12KB

MD5
bd42ba47ff97fd7e395c90f79e0f9508

SHA1
c2d8069ff6d72f3c63eeeac23933e5620f649d9d

SHA256
3ad6f0a5c15cd3e24aa59e9687649e0d8d8b85789f3feef68e22b61a34a183e5

SHA512
4eb6b58c46225f6e96bf41177892131384507cd8437e314426b797797c10960db52b84abd1fbf3cd845d1ed4bb8c67d2be3099a9ff5379a04d059b0557ef7fca

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zemblax

Filesize
8KB

MD5
29c6678d44aa7966ae163d70dd9f3661

SHA1
04e2608b9497905befec2c9c74931cdd14c754e8

SHA256
f7634f4769d57b1fd7ff257cafd60a0b309194e610202dfd26fc5113d0abf834

SHA512
e80a6a0270d20e255f84ee6ef285b610b79731058f88272b8246e4f0c97222cebf2113d7ae70a1a145c0bec2a94fea5cb5abff0203a8be64c634a9b9b6a3b1b6

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
249KB

MD5
33862bca1fe73d44277e9ad4f0aa81e1

SHA1
e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1

SHA256
053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa

SHA512
08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
249KB

MD5
33862bca1fe73d44277e9ad4f0aa81e1

SHA1
e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1

SHA256
053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa

SHA512
08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
249KB

MD5
33862bca1fe73d44277e9ad4f0aa81e1

SHA1
e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1

SHA256
053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa

SHA512
08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.zemblax

Filesize
8KB

MD5
420960c4b17842a24bbf117222c60e47

SHA1
4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d

SHA256
e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174

SHA512
b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3d4af127-8d78-49f5-9cc1-ad1681b3f913}\0.1.filtertrie.intermediate.txt.zemblax

Filesize
16B

MD5
9817c637ea440822e5d3ff2144d17467

SHA1
84080fede70d3544aad82976cec9b51c83c472ec

SHA256
df1b3b60351e48245d6ac589c68ddf77dba1aa9ba12427405b90daa9143d8252

SHA512
399bd0074e50829c3f5b5000c5e6da863de969adab921b5244da53ae35661ffbc24687176ecc1411f0da78d6a186c999846d454c365500f9833607095a0f2373

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3d4af127-8d78-49f5-9cc1-ad1681b3f913}\0.2.filtertrie.intermediate.txt.zemblax

Filesize
16B

MD5
2a89b7646b4d795f4bfc5bb4269138e7

SHA1
ff1ffe4b11ab6094419b961bcdc9b923369293bf

SHA256
9dd722337fac6f6363c0697082384f6866d27ad7f5f3d541cb494c91afe14c16

SHA512
4a2cfc5c842227c576b3f93962fa38001db85ae56f5989880e6938c31cc77718b69d94c900cbe150d2126d1952242450981bf2f3f148909b5e056d69579bf3d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392318791421694.txt.zemblax

Filesize
77KB

MD5
1a700fd9a77e98b0566228584dff1bc8

SHA1
86f3a5b4de6a035ffa16640129d93fbbb9eb453c

SHA256
a21974f1aa648d668d2354fd035b4863fcf4a569d65edfdc65600e4e529ba9eb

SHA512
fafb674b043dda59ee8d36db0bff522b99a5d5b7f4e4f3fc40b2e58328e9a1b1494a0e5433405dd8c97475c410cc682781189938fc281eb2f439981cb4b1bac2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392320506032409.txt.zemblax

Filesize
47KB

MD5
54aba453bd844e5a95e47d1581049223

SHA1
48ae4bfd10118c7d0e34546e2fff0627d6a2c0fe

SHA256
e8ce52461269d2febaf8f1027e8e9b6c3c4a64ea9df32a31734b28ab27524df6

SHA512
7b642c657a2f184516865bdbd25f70ff685875682e8e45df20c88ef7f751d715f50cbd4c983adf159d11eccf49beb50d45a942b6fa1b36ff146a5f13626aef14

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392326545314047.txt.zemblax

Filesize
65KB

MD5
1b14fc6e725cbecfc35517db6ce0bcd0

SHA1
1392f958004596266e0e3365e3b9713646306661

SHA256
7c87a27509e5ee131fc9a1a0429b6a8f9a32866ac7f16b71e0e6180f8cc77d96

SHA512
e9096938bf6fc98898b7cd7a13a72021699209a05f492fd37aa449b0d61c73c72dd715c14f63b72c59fd89f2f926306ec4d1443593548b8438172a2ad8d72d42

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392360647283748.txt.zemblax

Filesize
75KB

MD5
1ba511addded4e44a88b9d51b0ee9179

SHA1
b035fc9ebfe9977cf7fc89d2fe664bb163f149f3

SHA256
bc33fb372dc7721605a9ba908d63c4df8dc0bd01b9660c96dd266bb7ef385c04

SHA512
1b5255a572e4be9f8e30d1eeddfd8b9f24fcea552b173592e2312ffe7dc49acc22c8c2a60d389f60ebb566f2b8e0250a32dd21147fd7dc6c9142cef386d5ad34

Download Submit
C:\Users\Admin\AppData\Local\Temp\{34CECD48-FEBF-4A03-9FC9-71A60707F2E5} - OProcSessId.dat.zemblax

Filesize
16B

MD5
cfdae8214d34112dbee6587664059558

SHA1
f649f45d08c46572a9a50476478ddaef7e964353

SHA256
33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

SHA512
c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

Download Submit
memory/2824-353-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-351-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-350-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-349-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2824-348-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2824-347-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-346-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2824-193-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-191-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-189-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-186-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2824-182-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-180-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2824-352-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/2824-374-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/4236-30-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-36-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-60-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-62-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-64-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-66-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-68-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-70-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-165-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4236-56-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-54-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-52-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-50-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-181-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4236-48-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-185-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4236-46-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-44-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-42-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-40-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-38-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-58-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-34-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-32-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4236-28-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-26-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-24-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-20-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-22-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-18-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-16-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-14-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-12-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-10-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-7-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-8-0x0000000005190000-0x00000000051C4000-memory.dmp

Filesize
208KB

Download
memory/4236-5-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/4236-6-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/4236-4-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/4236-1-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads