Malware Analysis Report

2024-10-18 23:53

Sample ID 231009-neemfscd6x
Target tmp
SHA256 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
Tags
jigsaw persistence ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

jigsaw persistence ransomware spyware stealer upx

Jigsaw Ransomware

Checks computer location settings

Loads dropped DLL

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-09 11:18

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-09 11:18

Reported

2023-10-09 11:21

Platform

win10v2004-20230915-en

Max time kernel

156s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-400.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp4.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-24.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\176.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\plugin.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileSmallSquare.scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-30.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\dictation\SpeechOff.wav C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\27.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_field_grabber.png.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W2.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\over-arrow-navigation.svg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Ringlesscalling_360x120_2x.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-48_altform-lightunplated.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
PID 1152 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
PID 1152 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

MD5 33862bca1fe73d44277e9ad4f0aa81e1
SHA1 e900bf9dc2ad2b18e362c8d42ae8e8ce74fb3ff1
SHA256 053cec40ef1b8c148c4c1f798509e8b33e0f86f81555307b65e9fdffd670b9fa
SHA512 08c0ef71dcab39f772abf17b2c714bc89fe2add6fa61f734ea04c05770ad93a68e5fd9caf73d740c3c17dce1ebb0563b0bd82b20fc6a7e508a778bccbbf8384c


MD5 b9928ad5ffa158894354df8b8ff6b23f
SHA1 e228563a9873a502801dda31c3d33be880080251
SHA256 e1a2e7cd9fe8586b95860da7c13d7b9407797ab253573c24fe423c8bc4485cf7
SHA512 d18f4fe5500a0cd70092f22f414895782cb8f3f3040c627a21ddafb1295faa146bf158e8b71ed4741f53c096b13d24d1046f7c6d6753fe0fe9a72b496f1093a6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.zemblax

MD5 2e7765187796a13a10d805e0ee978a6a
SHA1 c7a8e4989068703a552b2cfe13e2411a621114f2
SHA256 cf050c014f972d74e2e9ef5aab5dab5ca46fb1344d07539aa4071305f51d2b9e
SHA512 73fd7b93efc84fb8a7c63eca4b51c85a33c85db58c2e98161bb2045ad06fc60479a0cf672346a0fd9ee30ed4cd28e565310921315180400cab56561ce0f9ed40

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.zemblax

MD5 d86ab3c169ebf736f5109312a9ce1c27
SHA1 513eacceed79aeba7c7ef521759d65e73edb368b
SHA256 aca7c25306834d60e990bbff5a59d35171811a4cd764cd6f19ed7f3d60678a6c
SHA512 ae27bd93e06be3c9e392ad9ed852e5b06828ab298a7e91ea58411b04cc7997858f6d3e891212a044dde51307f9cf759fb18e90c6d3afa7e78ed8f404116ec0c4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.zemblax

MD5 ba92eb229413a4997d609cb7c32a262b
SHA1 7e3d458cb15bdd2b4dfb48cd636b915f1e216d69
SHA256 307ed4b76842f00b9b5ccbdfee3dbe845027badaf9fefa0f270ffdb37d053195
SHA512 4d532be35dbee30672cc2734717c827cc1ba3e9961fe5068bc21b0826edfceaabbf9e8511ed60b03522fa8f02f3c028c5c815727628a29217a8a843200ae3925

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.zemblax

MD5 a967c33396482152971c0a3dd54053a2
SHA1 2d8cf663746ad928d0ebfcf87af685988f540aca
SHA256 107c2a1239238755e33ce29ef7b000935ede80dc9fdf544182d01e5c330a5a6e
SHA512 63e990a4d044c2414571481e6fd40bf30d1bc59c009b6b497eef062c9b2b3443005caf0dd014055d2da08e2f7e8a12d7c324f6c63430b1bfd95d14088c9b7162

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.zemblax

MD5 840221d27a09a3080a93c1f4bb265f5e
SHA1 6ed12d47df1500f7ad56ce0e3e43fa803dc040c0
SHA256 9999fa3e8b7b136d9688bc0bb42a144fab43263998c28850facdcf0def8d6360
SHA512 cc4afa07c610dba58ac80779196edaf2a745c733bcbb3b1a581ddf36c0a3f4e79a70e93ee448074d3f06f25362919140288ba59e71fc21a89ba46688434db7d7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.zemblax

MD5 a48c79d6485aa84f70909e0deac5afc6
SHA1 5885dd3d8553862554312632d40b04ecc583e09e
SHA256 02f138096bc96757a83a6b42e855007d6f4fd1c8390c220fb5f428219253d573
SHA512 3615eba5102df9ad4bc8aafa4c43ad3a43afb617f49607789c8a6c0fb80d0fc4f5a625ba27600b5e7f6ef302dfdedee3022d61ae202dfa6c319762befc31ca46

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.zemblax

MD5 a5b25141ae69df8e8627814bc7da55e7
SHA1 862ab0471f3d3415ded16e77f2542f84023fe8ad
SHA256 bc2276d83723961e25e621e4400a2aadefb95f1e38642ba2fd8c4e7f83dda6a1
SHA512 b9b0b0c3e5bf9026e684ef38ee576aab142ccb9a19759834d30771df121a0f87167d298bfda2d341055c1949e203102e88d5195a53ab96eb18ec2c6e70d614cc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.zemblax

MD5 f9d942430d103eb14bb89a8b06dd354c
SHA1 28c8f183fc1c03eb2f69dfc662c0d47f25dceb9c
SHA256 30f745264662bb65ea8e073548faa9cbb594394fe6bb8f238fd463cd4b19a16b
SHA512 51994cfee07ebe1f030eb609f5d70c42b15f7f4d7a7e7e82c44682048b405ccc52cc33aed16ac21ac189d378eb93db093e32c50ece0d1c6bb5687fa1451ffea5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.zemblax

MD5 5a7c257c74c8c7d5352b57cde2f0b55c
SHA1 ef9cac32cb1329bef6857173abee2fff4cac3ac6
SHA256 b2a557b40c73eb81ca22b167c4a6ac1f43622c59b2d85e5f43119769c6d6b6f5
SHA512 031764f3fb1194d778a84a294df4e0509ba00e50ddefe3a6cf7a655f48219cc38e53f5c47a56646d6ea63275ed56d19328c7b82f14e717a688d6181093764928

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.zemblax

MD5 2ac07813a74d6adaa3e44db55e899e09
SHA1 a0447b0b95d442c2d770987b1e007826cdae98a2
SHA256 b770a96d153a9e662d5a586e571ba9687a0995b9dccf3f50afdb5dba8da465d9
SHA512 940e4a99d233d99b1b342c4a8d032ce70f66ef0134d57b3c13f1cdde780453e32f54f442fe9255cfe73cc9e478f72f707a383a156aa924a95ffbd3cfc840a94c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.zemblax

MD5 2613b34bca30302406bbfa57c93b6c0f
SHA1 04a4e32759eb78be5d4397916bc9e51090fa4333
SHA256 53bbcb949a287d7ac25e7a31d671cd9eb11ac609f7344a38aaa5c2f165dc4093
SHA512 4c170f25c9d3238cc6572ff5522495effab28c7e0047a44eaba8939d2da46950ff9f8f1329b923d82b0b8a3e28de735dd41ebaf83711eb20b2fa52ba82f23855

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.zemblax

MD5 e4e7837a4f0c71864f2ed00e23aae8e0
SHA1 c35796c887fb94fc2112caf3921ba504570dde1e
SHA256 e69aa05159c50cb7dc9083dcd34a21f811aa80ca24e67eda8fca86c244d9a483
SHA512 296817bbf0f9faafa16577edb105f560be7a27ded19370efbbe9e14657fca5c202d3f19d0f001de5d9119fdef304e099bafda922135f679b487afe05e36d4fbb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.zemblax

MD5 30c5fafcb889cfdfef7a7373c623221b
SHA1 e4a12b7ef07ca5780ebe205201be538a34fc6154
SHA256 b2bf549220418c47e80507084b43eeccd85c0a43f4da74de6858fc96dd3020af
SHA512 4a621fa79335711dab7dbde3bf0fd30979b15c2f48eff9b867a0cde99ddc67a97d612ea0472db9903c5cb5555800907b8a183cf499f55d186a42fe0ad6fb023b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.zemblax

MD5 3c501b84ed7912d164470fb2024d29ba
SHA1 f54ec8a32fe7a67acfcbd48e789c0b5d2c0b6816
SHA256 d1ba5eb730cc20b906290b76d64d2697896cc25ab4d782588f98c62c9b7ea1bc
SHA512 cf9adc56a6685c7f5131d703238752700cfe9b32133ee38f6e828b658dbd64af9732509a47abee3958c5cc22f3685f10cc27a1d5d76f7459b99498310fb6cdb9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.zemblax

MD5 242c795c3e07e4f7e1db97121e007727
SHA1 c0704070f2026d817b82f71878e334be06bab551
SHA256 2ab2f7f6b540d3bcab915e7626db8db6ed71736ba7da94ce2ca4366d440cd822
SHA512 8b990d5a35b324ebbd5ee6d6d88d74e783e211f3c778162dfdf1577e2d3c6cc32693117fbfd1175ad34d7bb46e05504e8ccdcdc116a6895eee31f50d583289cb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.zemblax

MD5 a06ee81cc9009bcac3c9a5af0dab2b1d
SHA1 b95ada870dd0ebfd4058b6710076d750186ca151
SHA256 c82b8a9a8fa45f93bc000a754e07e9922fc1788f9d54bcdd0b4c6869145c613e
SHA512 b4271b58a89b37e2c48584778eeb08668e2d32026f98990fb017215e854a7006184f09149e478bd95a5b15027e308b61982f5a2275b998174bdf281736edece8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.zemblax

MD5 fe2afee9fcdf2d43940944ebd1145480
SHA1 986b8b7ce80ec8b8e223f95b508532e69cd49c05
SHA256 116b7fbce50c3c08cc73efca3439106f4f2e00012794fbad81ebff4598066a42
SHA512 b66aec41ffabc4d1566b2316de80efe3528d2ad5dd8b0030d1a127d58c0f9257c8b76ca7c301199e92213eb35f1d557a85062dc8c432e5c554590f0a91d2ceaf

memory/5016-5159-0x0000000002140000-0x0000000002150000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-09 11:18

Reported

2023-10-09 11:20

Platform

win7-20230831-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Jigsaw Ransomware

ransomware jigsaw

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid_over.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_VelvetRose.gif.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.zemblax C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe

Network

N/A

Files
