Malware Analysis Report

2024-10-18 23:53

Sample ID 231008-vl1a3aee91
Target NEAS.tmp_JC.exe
SHA256 95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c
Tags upx jigsaw persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c

Threat Level: Known bad

The file NEAS.tmp_JC.exe was found to be: Known bad.

Malicious Activity Summary

upx jigsaw persistence ransomware spyware stealer

Jigsaw Ransomware

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-10-08 17:05

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-08 17:05
Reported 2023-10-08 17:08
Platform win7-20230831-en
Max time kernel 153s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\Whistling.wav | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_over.gif | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\service.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe

Network

N/A

Files

memory/2332-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2332-1-0x0000000074550000-0x0000000074AFB000-memory.dmp

memory/2332-2-0x0000000074550000-0x0000000074AFB000-memory.dmp

memory/2332-3-0x00000000021B0000-0x00000000021F0000-memory.dmp

memory/2332-4-0x00000000021B0000-0x00000000021F0000-memory.dmp

memory/2332-5-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-6-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-8-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-12-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-14-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-18-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-22-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-24-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-28-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-30-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-34-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-36-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-40-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-45-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-47-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-51-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-53-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-57-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-59-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-63-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-65-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-69-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-67-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-61-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-55-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-49-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-43-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2332-42-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-38-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-32-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-26-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-20-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-16-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-10-0x0000000000810000-0x0000000000844000-memory.dmp

memory/2332-164-0x0000000002070000-0x0000000002071000-memory.dmp

\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 79b6d4f066d1875b18de19ad54177fa7
SHA1 d99188afd625268875b1050bd561a72c51d51d38
SHA256 95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c
SHA512 365ac763dfd0986ad06acfc6b5d6a1c124ec8816d5a5ddc05f4145a91bb6fd50b7e97b4fa3d309adfe4995f57375583c619d919ecdcc1b3c792cdef9e6414cd6

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 79b6d4f066d1875b18de19ad54177fa7
SHA1 d99188afd625268875b1050bd561a72c51d51d38
SHA256 95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c
SHA512 365ac763dfd0986ad06acfc6b5d6a1c124ec8816d5a5ddc05f4145a91bb6fd50b7e97b4fa3d309adfe4995f57375583c619d919ecdcc1b3c792cdef9e6414cd6

memory/2332-172-0x0000000004BF0000-0x0000000004C44000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 79b6d4f066d1875b18de19ad54177fa7
SHA1 d99188afd625268875b1050bd561a72c51d51d38
SHA256 95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c
SHA512 365ac763dfd0986ad06acfc6b5d6a1c124ec8816d5a5ddc05f4145a91bb6fd50b7e97b4fa3d309adfe4995f57375583c619d919ecdcc1b3c792cdef9e6414cd6

memory/564-174-0x0000000074550000-0x0000000074AFB000-memory.dmp

memory/564-176-0x0000000002240000-0x0000000002280000-memory.dmp

memory/2332-178-0x0000000074550000-0x0000000074AFB000-memory.dmp

memory/564-180-0x0000000002240000-0x0000000002280000-memory.dmp

memory/564-177-0x0000000002240000-0x0000000002280000-memory.dmp

memory/2332-175-0x0000000000400000-0x0000000000454000-memory.dmp

memory/564-185-0x0000000002240000-0x0000000002280000-memory.dmp

memory/564-187-0x0000000000400000-0x0000000000454000-memory.dmp

memory/564-192-0x0000000074550000-0x0000000074AFB000-memory.dmp

memory/564-341-0x0000000002200000-0x0000000002201000-memory.dmp

memory/564-342-0x0000000002240000-0x0000000002280000-memory.dmp

memory/564-344-0x0000000074550000-0x0000000074AFB000-memory.dmp

memory/564-345-0x0000000002240000-0x0000000002280000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.zemblax

MD5 000e8c41d4a15fb34d0be0dbb56e3778
SHA1 00c4eae64ee6239d7c65d819c6ce1ac329224f8c
SHA256 8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28
SHA512 775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zemblax

MD5 bd42ba47ff97fd7e395c90f79e0f9508
SHA1 c2d8069ff6d72f3c63eeeac23933e5620f649d9d
SHA256 3ad6f0a5c15cd3e24aa59e9687649e0d8d8b85789f3feef68e22b61a34a183e5
SHA512 4eb6b58c46225f6e96bf41177892131384507cd8437e314426b797797c10960db52b84abd1fbf3cd845d1ed4bb8c67d2be3099a9ff5379a04d059b0557ef7fca

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zemblax

MD5 29c6678d44aa7966ae163d70dd9f3661
SHA1 04e2608b9497905befec2c9c74931cdd14c754e8
SHA256 f7634f4769d57b1fd7ff257cafd60a0b309194e610202dfd26fc5113d0abf834
SHA512 e80a6a0270d20e255f84ee6ef285b610b79731058f88272b8246e4f0c97222cebf2113d7ae70a1a145c0bec2a94fea5cb5abff0203a8be64c634a9b9b6a3b1b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\container.dat.zemblax

MD5 cfdae8214d34112dbee6587664059558
SHA1 f649f45d08c46572a9a50476478ddaef7e964353
SHA256 33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325
SHA512 c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

memory/564-2438-0x0000000006150000-0x0000000006250000-memory.dmp

memory/564-2437-0x0000000002240000-0x0000000002280000-memory.dmp

memory/564-2442-0x0000000002240000-0x0000000002280000-memory.dmp

memory/564-2443-0x0000000006150000-0x0000000006250000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-08 17:05
Reported 2023-10-08 17:08
Platform win10v2004-20230915-en
Max time kernel 157s
Max time network 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\7-Zip\Lang\el.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxManifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lt.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\networkmanifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\OpenGroup.3gp.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\FileSystemMetadata.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\logo.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\offlineUtilities.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\7-Zip\Lang\yo.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\AUTHORS.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\AssertWrite.pdf.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nb.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Paint_PDP.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Services\verisign.bmp | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\7-Zip\Lang\zh-cn.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sr-spl.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sa.txt.zemblax | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Third Party Notices.txt | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\webviewCore.min.js | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png | C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/1232-0-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1232-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/1232-3-0x00000000025C0000-0x00000000025D0000-memory.dmp

memory/1232-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/1232-6-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-7-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-9-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-11-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-13-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-15-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-19-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-17-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-21-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-23-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-25-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-27-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-29-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-31-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-33-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-35-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-37-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-39-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-41-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-45-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-43-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-47-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-49-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-51-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-53-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-55-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-57-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-59-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-61-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-63-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-65-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-67-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-69-0x0000000004C60000-0x0000000004C94000-memory.dmp

memory/1232-164-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 79b6d4f066d1875b18de19ad54177fa7
SHA1 d99188afd625268875b1050bd561a72c51d51d38
SHA256 95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c
SHA512 365ac763dfd0986ad06acfc6b5d6a1c124ec8816d5a5ddc05f4145a91bb6fd50b7e97b4fa3d309adfe4995f57375583c619d919ecdcc1b3c792cdef9e6414cd6

memory/1232-179-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1232-180-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4728-181-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4728-183-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4728-185-0x0000000002630000-0x0000000002640000-memory.dmp

memory/4728-187-0x0000000002630000-0x0000000002640000-memory.dmp

memory/4728-343-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/4728-344-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4728-345-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4728-346-0x0000000002630000-0x0000000002640000-memory.dmp

memory/4728-347-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4728-348-0x0000000002630000-0x0000000002640000-memory.dmp

memory/4728-350-0x0000000002630000-0x0000000002640000-memory.dmp

memory/4728-370-0x0000000002630000-0x0000000002640000-memory.dmp
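The file, network and hash tables above are easier to act on once pulled into a few derived facts: which process did the writing, what extension the ransomware appends (the report shows `.zemblax` being added after the original `.txt`), which IP addresses the guest actually looked up (the Network table lists PTR names, whose octets are written in reverse order), and whether the dropped `drpbx.exe` is a byte-identical copy of the submitted sample (its SHA256 matches the sample's). The script below is an added example, not part of this report or of any sandbox vendor's tooling; its inputs are a few rows hand-copied from the tables above and embedded so it runs offline, and the row format it parses (description, indicator path, process path, target) is assumed from how the rows are laid out here.

```python
"""Triage helpers for the sandbox report tables above.

Added example, not part of the original report or of any sandbox vendor's code.
Sample inputs are rows hand-copied from this report, embedded so the script
runs offline.
"""
import re
from collections import Counter

# Constructed excerpt of the "Drops file ..." tables (copied from the report).
FILE_EVENTS = r"""
File opened for modification C:\Program Files\7-Zip\Lang\ko.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\7-Zip\Lang\sa.txt.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\NEAS.tmp_JC.exe N/A
"""

# Constructed excerpt of the Network table (PTR lookups sent to 8.8.8.8).
NETWORK_ROWS = """
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
"""

# Hashes as printed in the report header and in the Files section.
SAMPLE_SHA256 = "95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c"
DROPPED_SHA256 = "95b7cfcdbe25fce19e887510d5da55ffdff66b3ef6db7400977f9bb94f9fec2c"

# Assumed row layout: description, indicator path (may contain spaces),
# process path (no spaces in this report), target column.
_EVENT_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification) "
    r"(?P<path>.+) (?P<proc>[A-Z]:\\\S+) (?P<target>\S+)$"
)


def parse_file_events(text):
    """Return one dict per parsable 'File ...' row; unparsable rows are skipped."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def appended_extension(events):
    """Most common final suffix among created files whose name still carries an
    extension of its own ('sa.txt.zemblax' -> '.zemblax'). Ransomware that
    appends, rather than replaces, the extension shows up this way."""
    suffixes = Counter()
    for ev in events:
        if ev["desc"] != "File created":
            continue
        name = ev["path"].rsplit("\\", 1)[-1]
        parts = name.split(".")
        if len(parts) >= 3:  # original extension plus the appended one
            suffixes["." + parts[-1]] += 1
    return suffixes.most_common(1)[0][0] if suffixes else None


def originals_for(events, ext):
    """Original path of every created file that carries the appended extension."""
    return sorted(
        ev["path"][: -len(ext)]
        for ev in events
        if ev["desc"] == "File created" and ev["path"].endswith(ext)
    )


def events_per_process(events):
    """How many file rows each process produced: the dropped copy does the encrypting."""
    return dict(Counter(ev["proc"] for ev in events))


def ptr_to_ip(name):
    """'146.78.124.51.in-addr.arpa' -> '51.124.78.146' (PTR names reverse the octets)."""
    labels = name.removesuffix(".in-addr.arpa").split(".")
    if len(labels) != 4 or not all(o.isdigit() and int(o) <= 255 for o in labels):
        raise ValueError("not an IPv4 PTR name: " + name)
    return ".".join(reversed(labels))


def resolved_ips(text):
    """IP addresses behind the PTR names in the Network rows."""
    ips = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 4 and cols[2].endswith(".in-addr.arpa"):
            ips.append(ptr_to_ip(cols[2]))
    return ips


def dropped_is_self_copy(sample_sha256, dropped_sha256):
    """True when the dropped EXE is byte-identical to the submitted sample."""
    return sample_sha256.lower() == dropped_sha256.lower()


if __name__ == "__main__":
    evs = parse_file_events(FILE_EVENTS)
    ext = appended_extension(evs)
    print("appended extension:", ext)
    print("originals:", originals_for(evs, ext))
    print("rows per process:", events_per_process(evs))
    print("PTR targets:", resolved_ips(NETWORK_ROWS))
    print("drpbx.exe is a self-copy:", dropped_is_self_copy(SAMPLE_SHA256, DROPPED_SHA256))
```

Run against the full report rather than the excerpt, `events_per_process` separates the launcher (which only touches `C:\Windows\assembly`) from the dropped copy that does the file writes, and `originals_for` gives the list of files to expect as encrypted on an infected host. The PTR lookups go to 8.8.8.8 and no direct connection by either process is listed, so `resolved_ips` yields addresses that were looked up, not contacted.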