Malware Analysis Report

2024-10-18 23:53

Sample ID 231008-l1b3cabb3s
Target Jigsaw2-b.exe
SHA256 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
Tags
upx jigsaw persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa

Threat Level: Known bad

The file Jigsaw2-b.exe was found to be: Known bad.

Malicious Activity Summary

upx jigsaw persistence ransomware spyware stealer

Jigsaw Ransomware

UPX packed file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-08 09:59

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-08 09:59

Reported

2023-10-08 10:02

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\management-agent.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-execution.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-150.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_single_filetype.svg.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-250.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_LinkDrop32x32.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\DemoModeInk.dat C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ExtendedSplashScreen.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholder.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe

"C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Jigsaw2-b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/4236-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4236-1-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/4236-4-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/4236-6-0x0000000002670000-0x0000000002680000-memory.dmp

memory/4236-5-0x0000000002670000-0x0000000002680000-memory.dmp

memory/4236-8-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-7-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-10-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-12-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-14-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-16-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-18-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-22-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-20-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-24-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-26-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-28-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-30-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-32-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-34-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-36-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-38-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-40-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-42-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-44-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-46-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-48-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-50-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-52-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-54-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-56-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-58-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-60-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-62-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-64-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-66-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-68-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-70-0x0000000005190000-0x00000000051C4000-memory.dmp

memory/4236-165-0x0000000005240000-0x0000000005241000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 33862bca1fe73d44277e9ad4f0aa81e1
SHA1 e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1
SHA256 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
SHA512 08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c

memory/2824-180-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/4236-181-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2824-182-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/4236-185-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2824-186-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2824-189-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-191-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-193-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-346-0x0000000004F70000-0x0000000004F71000-memory.dmp

memory/2824-347-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-348-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2824-349-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2824-350-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-351-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-352-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-353-0x0000000001FF0000-0x0000000002000000-memory.dmp

memory/2824-374-0x0000000001FF0000-0x0000000002000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{34CECD48-FEBF-4A03-9FC9-71A60707F2E5} - OProcSessId.dat.zemblax

MD5 cfdae8214d34112dbee6587664059558
SHA1 f649f45d08c46572a9a50476478ddaef7e964353
SHA256 33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325
SHA512 c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif.zemblax

MD5 000e8c41d4a15fb34d0be0dbb56e3778
SHA1 00c4eae64ee6239d7c65d819c6ce1ac329224f8c
SHA256 8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28
SHA512 775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zemblax

MD5 bd42ba47ff97fd7e395c90f79e0f9508
SHA1 c2d8069ff6d72f3c63eeeac23933e5620f649d9d
SHA256 3ad6f0a5c15cd3e24aa59e9687649e0d8d8b85789f3feef68e22b61a34a183e5
SHA512 4eb6b58c46225f6e96bf41177892131384507cd8437e314426b797797c10960db52b84abd1fbf3cd845d1ed4bb8c67d2be3099a9ff5379a04d059b0557ef7fca

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zemblax

MD5 29c6678d44aa7966ae163d70dd9f3661
SHA1 04e2608b9497905befec2c9c74931cdd14c754e8
SHA256 f7634f4769d57b1fd7ff257cafd60a0b309194e610202dfd26fc5113d0abf834
SHA512 e80a6a0270d20e255f84ee6ef285b610b79731058f88272b8246e4f0c97222cebf2113d7ae70a1a145c0bec2a94fea5cb5abff0203a8be64c634a9b9b6a3b1b6

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.zemblax

MD5 aec7bd7c96948d97d13c7df53988e89c
SHA1 7b906b88009e7509324ae92dc8a32ae4fb38626c
SHA256 15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0
SHA512 27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.zemblax

MD5 420960c4b17842a24bbf117222c60e47
SHA1 4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d
SHA256 e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174
SHA512 b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392318791421694.txt.zemblax

MD5 1a700fd9a77e98b0566228584dff1bc8
SHA1 86f3a5b4de6a035ffa16640129d93fbbb9eb453c
SHA256 a21974f1aa648d668d2354fd035b4863fcf4a569d65edfdc65600e4e529ba9eb
SHA512 fafb674b043dda59ee8d36db0bff522b99a5d5b7f4e4f3fc40b2e58328e9a1b1494a0e5433405dd8c97475c410cc682781189938fc281eb2f439981cb4b1bac2

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392320506032409.txt.zemblax

MD5 54aba453bd844e5a95e47d1581049223
SHA1 48ae4bfd10118c7d0e34546e2fff0627d6a2c0fe
SHA256 e8ce52461269d2febaf8f1027e8e9b6c3c4a64ea9df32a31734b28ab27524df6
SHA512 7b642c657a2f184516865bdbd25f70ff685875682e8e45df20c88ef7f751d715f50cbd4c983adf159d11eccf49beb50d45a942b6fa1b36ff146a5f13626aef14

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392326545314047.txt.zemblax

MD5 1b14fc6e725cbecfc35517db6ce0bcd0
SHA1 1392f958004596266e0e3365e3b9713646306661
SHA256 7c87a27509e5ee131fc9a1a0429b6a8f9a32866ac7f16b71e0e6180f8cc77d96
SHA512 e9096938bf6fc98898b7cd7a13a72021699209a05f492fd37aa449b0d61c73c72dd715c14f63b72c59fd89f2f926306ec4d1443593548b8438172a2ad8d72d42

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133392360647283748.txt.zemblax

MD5 1ba511addded4e44a88b9d51b0ee9179
SHA1 b035fc9ebfe9977cf7fc89d2fe664bb163f149f3
SHA256 bc33fb372dc7721605a9ba908d63c4df8dc0bd01b9660c96dd266bb7ef385c04
SHA512 1b5255a572e4be9f8e30d1eeddfd8b9f24fcea552b173592e2312ffe7dc49acc22c8c2a60d389f60ebb566f2b8e0250a32dd21147fd7dc6c9142cef386d5ad34

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3d4af127-8d78-49f5-9cc1-ad1681b3f913}\0.2.filtertrie.intermediate.txt.zemblax

MD5 2a89b7646b4d795f4bfc5bb4269138e7
SHA1 ff1ffe4b11ab6094419b961bcdc9b923369293bf
SHA256 9dd722337fac6f6363c0697082384f6866d27ad7f5f3d541cb494c91afe14c16
SHA512 4a2cfc5c842227c576b3f93962fa38001db85ae56f5989880e6938c31cc77718b69d94c900cbe150d2126d1952242450981bf2f3f148909b5e056d69579bf3d9

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3d4af127-8d78-49f5-9cc1-ad1681b3f913}\0.1.filtertrie.intermediate.txt.zemblax

MD5 9817c637ea440822e5d3ff2144d17467
SHA1 84080fede70d3544aad82976cec9b51c83c472ec
SHA256 df1b3b60351e48245d6ac589c68ddf77dba1aa9ba12427405b90daa9143d8252
SHA512 399bd0074e50829c3f5b5000c5e6da863de969adab921b5244da53ae35661ffbc24687176ecc1411f0da78d6a186c999846d454c365500f9833607095a0f2373