jigsaw | 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

Analysis

max time kernel
419s
max time network
389s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jigsaw.exe
Size

283KB
MD5

2773e3dc59472296cb0024ba7715a64e
SHA1

27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256

3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512

6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
SSDEEP

6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (1976) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2412	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jre7\README.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.fun	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg.fun	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	drpbx.exe
File created	C:\Program Files\Java\jre7\lib\ext\zipfs.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86927D01-7158-11EE-BC26-5E9DF4B4F3C9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{929D11A1-7158-11EE-BC26-5E9DF4B4F3C9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b019195e6505da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = a0a6905a6505da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_Classes\Local Settings	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2544	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2412	drpbx.exe
548	IEXPLORE.EXE
1536	iexplore.exe
2656	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
548	IEXPLORE.EXE
548	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
1536	iexplore.exe
1536	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
2656	iexplore.exe
2656	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2412	2932	jigsaw.exe	28
PID 2932 wrote to memory of 2412	2932	jigsaw.exe	28
PID 2932 wrote to memory of 2412	2932	jigsaw.exe	28
PID 2580 wrote to memory of 2824	2580	wmplayer.exe	30
PID 2580 wrote to memory of 2824	2580	wmplayer.exe	30
PID 2580 wrote to memory of 2824	2580	wmplayer.exe	30
PID 2580 wrote to memory of 2824	2580	wmplayer.exe	30
PID 2580 wrote to memory of 2824	2580	wmplayer.exe	30
PID 2580 wrote to memory of 2824	2580	wmplayer.exe	30
PID 2580 wrote to memory of 2824	2580	wmplayer.exe	30
PID 524 wrote to memory of 548	524	iexplore.exe	42
PID 524 wrote to memory of 548	524	iexplore.exe	42
PID 524 wrote to memory of 548	524	iexplore.exe	42
PID 524 wrote to memory of 548	524	iexplore.exe	42
PID 548 wrote to memory of 2544	548	IEXPLORE.EXE	43
PID 548 wrote to memory of 2544	548	IEXPLORE.EXE	43
PID 548 wrote to memory of 2544	548	IEXPLORE.EXE	43
PID 548 wrote to memory of 2544	548	IEXPLORE.EXE	43
PID 1536 wrote to memory of 1988	1536	iexplore.exe	47
PID 1536 wrote to memory of 1988	1536	iexplore.exe	47
PID 1536 wrote to memory of 1988	1536	iexplore.exe	47
PID 1536 wrote to memory of 1988	1536	iexplore.exe	47
PID 2656 wrote to memory of 1520	2656	iexplore.exe	51
PID 2656 wrote to memory of 1520	2656	iexplore.exe	51
PID 2656 wrote to memory of 1520	2656	iexplore.exe	51
PID 2656 wrote to memory of 1520	2656	iexplore.exe	51

C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
"C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:2412

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:2824

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\HideStop.docx.fun
1⤵
- Modifies registry class
PID:3068

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1600

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\LimitClear.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\StopRequest.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
69ccb306b3a7112476d989336168b541

SHA1
d2c897ce5ade7cabef476eccaa76ec8396b66201

SHA256
dcd9fdbbf8166b65277dbce2d52f37272dc8f60cfe9e40d8747dd3443fa0d2aa

SHA512
4e0adac2635b33ca46cfc7b269f928cbd4e6ead8102022c476086743d6e1985de1104e51201005272eaeb103cf8a1a4ffb852a3f26f84239110db3006f2e076a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3b1a0520430d9d9a717f8ea2e2433508

SHA1
2022a2e7fbb9bc3371cbd3a41c5519b15bfd7ea0

SHA256
4ad259a909c8c5f2bb3595849103562b259563135d5ed7ec5f11ba798bd3480a

SHA512
50b22363d82ec8e21cb2aa458890e7c09f781762fd81d66b68ebbec4ee3510842b3b2be0dda61689f564861256798ea1b4b926093fc5b48318207da2dfd02705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a60be03b7bed92b92748a03c608b3699

SHA1
f7d4005a58a7a508f820d8f5edf3423f30ee21fa

SHA256
5f19e6c787c4105a0571858902be79ed63876f018d74e3455feb00d1761bcf89

SHA512
01429463d4fbd7da7786c6ca5dc35658d6acccba711fb60dadd893a2e0520a5cc1642f967dc0681e82579b2cdeaacbcaeeeaf24b41fde417e078ab96efafb574

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6a2a012d31f97877b7af4cbcffcb9b2e

SHA1
b5d50c1733b8831950b29f010c8e9e051be26c46

SHA256
a4e6778c0cbd144af2c529aeb1b28911a1fe0cbe1709394ce950361dc1fcbaba

SHA512
000efe42e232f558c1960400c80e5dad528554cd986b29484b2d3619ee13f14920851cc76198f4871ed60edc586c82e412771fd0e6ed475edd8b8d7bc6c017fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8644ed103f2b46d9e4537fed877fce54

SHA1
e8aee71ffc40316a68c9226f6601d17b85161207

SHA256
c29899f5045133f2bfa2782fcb8d103a57263590d0e31eeded9630b07185e7dd

SHA512
a90c9dc66fa2b78f980bfce7f5eeffcf850f554873a4282c3d4e03c1a45fb33a2cb13ba7c8b398552d6e0f682a40dd66f1c64e3e6943d54b639906184acb7ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2a802dc6f7e7c923695bb89891c391aa

SHA1
d49f10748f829412302a552ea90494ad6a247191

SHA256
9de1515ef2a4e5bf872c006325dff18535f6ceeebef626f3ddb99c1fc97ee881

SHA512
412d21d6508cad1d4aec1d8b29b810943810852ff82484ada2b651a75795b5dc12d8104db222d95bc92c98baceef66a2002c76d9c42278f28da6fa1b2725ea95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
be8e50d84958097bd07433a0effb1f23

SHA1
c8984724fd1012942a3f49e2ae1478217afa7049

SHA256
d63f0dd4d99227a49a02aab9afe53285681001099beef0c3b9c6bb476150e965

SHA512
7620f70eebc67cf004be96f97ebdae9d2f45a0172714b350580c186facba54b45312a004a1ba6ddac24f3d9971441c37e72fbcabd8658b142700fce0410b41c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
529852da9256490e144fadac5382aed2

SHA1
49760d6de1fe1104378508f1e875a72d5d60d536

SHA256
8beafde017f25a26bf45dbfc76379657f772f2f635de420d190e9e50e3e65b25

SHA512
f7960187718cf4b3b0239f44a67935a45322e1f503689a6c9e5f978ff74e1e3d06c12b43731f98e2972efc7d4ad328b5947db2a9bb30781e57e076496541b8b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b2a77678a11e58081deaa328e5a52ab8

SHA1
e98f1b29b7f9c35a5533df0c4e67e5eaee3edc72

SHA256
0f295c90ba1cc7ad043b2ced260b1a5a96f60353e41fcdaae00d86b2f96dee44

SHA512
35707eb9b7d2dab7179047bd50140d0978b1013dd6ee19e9511e9a21ee2dc4a246fd679c03097b2771044a2f367d3e48fe72fcc94209c5d6844a768fa6817e1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0659f96e9456f77c46666b51222ac92a

SHA1
2cd95e0d42b1ce470d2c247761adcf73c14d91b2

SHA256
ac8fd189617370fab02828c28bc3bfc9843273503623fc575021b97c5f546f72

SHA512
b3ac606d1206370ce71e826f70d9e45dceffa7de62a669b2db273c9c32e5e66bcc9fbb6a7617ca8dd28d51e80561d54df793ecc1bcc4def342153f72b58b6005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
19b14735cd381624c50bbe08fcd45513

SHA1
17e958a371cbf29937178689af7e7cfd8fdafa5e

SHA256
14046a44d841303a64f5091b44507691cf707e06dfdb8b24a67fc50ba9fe750b

SHA512
873716b44d500cf2d8dcc08c815f1daf374ee19e06e3c128e560573eb1d585a95f2a19f78878c08ce14252947dcb21a801821f6c3aab29ffa09d7d42d29cfdd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
986a23179c71fb9364210d22a9df0c4d

SHA1
e4661b3e90a77c25debe1e635cc9a474349c2d36

SHA256
6a7124ba6c9b4c7b4b0f3a5b74426cb92d914d66a6e7dddbdf2654c917e733ca

SHA512
acc0a0fc29975cf0deed9def5ce4d2223a02e357015b55c8466611c70cee68771928bcb397eadcd5067d1ed829030f3f00e647e14ab7afaaf9ae1aa9d5975b1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
82d68595ca6cc0e1481c90631305d5ca

SHA1
58a46707d9f29b48b5206e77aa94278124de89ec

SHA256
266f1ec7669e1fd7ca4cee77073f0a192430aaf24c5af61544ead43a4b8a2059

SHA512
e75bef74768f5a74ef7aedef2a0d04941337c997cf40c3f8463fa644211387f6eeccf346da4527bf88615767dc5bb1289fa68fea6684653e9d1688c334fd1807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c7cf8b8f4df87dcf4ed92e0469a43860

SHA1
0405cbbf65c7f8ad9f2da754263f75daee1968e4

SHA256
993a8f6ad1f8f83016276d2909d647ae951252be525fa01bebe40a6c79ba1e4d

SHA512
4297cf4f716555c609eec0fa128a6b5bf15251efd8022088c5930bc52c39d1146db9f54465dee1c986ce2dba38ce062d7425f876d05bd73c0875536d1ae1f0d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
13a09572976285bdfeaa1169f8192abe

SHA1
c9de76d714af8c81113bb28d4f6b9732d1b2543d

SHA256
47cb735e61164ea1ddafac751009bea9636b9fe14b4184106fb7226a60eeb312

SHA512
227deb7d68b04dfa5319160930b811c69aa5e85b2a38d1df553693a56c77cf51ef230e2cba0445490b1a1a15c34efd97d8610d8c3d5318735d96c4f9bf2bfa8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e64606aae719885cfc21219ff391fe6d

SHA1
184ce7ebecb9eb5ed6de79229ecc3fbd147cfb6a

SHA256
ba09ba96a60ec55c2296e8469a749694917a37c8fed9389dd0137205b39e56ce

SHA512
7c5982b751a260f06fe6324a31b510b95899999c3154afa19614d261206863499c7d0d0f41855c56df93bc4cfb3964f7c4f3d90f1b093f68dbef53645ed11073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f8457de26fbcaf58ce7321fc2b978cae

SHA1
1aa4d4fa6a3b0a865e6499166bccf340f04d176f

SHA256
f9390d99e681586160e4efc85f0339ee2005f6c27771e3597ecb027fdfdd6e08

SHA512
83322b4e33bccf53dfe1b110ee0451560fec3a2f1c6f88fc463b21452896b0db49c54402a066b89051e656f98e8f6ee086b08ac671f80a1be5ebd48836bcd011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
84f3415e9dba074bc5b68c1f85da7502

SHA1
b271d339908bdceaef0ab1381259dd20d281d759

SHA256
e7baed4078b4c96c06a4b344e963a6a1f767505ea36c0ad4033c48c707a1dcfc

SHA512
daf88e2782abf232bb30bebf2858c90cc94e28b49a192bdceecc2b0350784e96d61711359689c15a3b568e56e380d59793ef3a17c4c7f0ad12b72d748e93a549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1f15a4b5cd78fb9cbc8314321f21b3ee

SHA1
7d2130957876494ff7230e761a9b5ecb3386ba13

SHA256
d98d047f8528b9b47854194c14fd7705f44842a0c8f9dcbdd9acb26da52bb97a

SHA512
3bd0b4557b3cb1c401a45cbc4015d69cdd2e3c893559c02d912b3e4833b438b41a681fd68d9f5ae2ff396d5d54401661bcaec428b6b267f572d9692a0f41ae7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
95b835f7cd957f07ef0f17d1d991a955

SHA1
2741696e8c901d5bf831b334043597e38893b7e5

SHA256
77558d1e8d4d6d9734a9842e2ad54656187e06ae084a1c88e6e296beec0a08ed

SHA512
776569d8026b10d8b0e16d7678843140f182f83fa3983c193f14fe420cc11aebb1854c48e79b05b99a79e040e29767217262260d1d2524a5f7930627fdb26cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
22683d023317ee7905770fea0d9caa0c

SHA1
e9ee31af0966c12112adc9e041b6372b152e5833

SHA256
bcfbcbb3058d066cead78cc715942a63e1e1f0281b149e80ed3a7e256dcc4a1e

SHA512
6574b387915d15174aa889b87b3afa25386f44fdf78a64d470f52d8a1cfd36808a69e311f85c82ca466ebc19e3e6fe7a6bdf3143df323d7bf6d3abefd4f0b636

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86927D01-7158-11EE-BC26-5E9DF4B4F3C9}.dat

Filesize
5KB

MD5
ac739abeded00e40ae79455e43d16300

SHA1
0c352e4c16a79d1da1ae49293fa02cace91d45df

SHA256
edf6da551b585db36fcb55f9104afb44b500e6a78ae3571d7c1de1bfc0f23997

SHA512
dd58966353e497b5c5aa58ce4bb3ffb8255e6b30be84931e84689a339024e67332b80d9a693de1a9345fafe05230f351969984d065319bf26eb7bb146056fcf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{86927D04-7158-11EE-BC26-5E9DF4B4F3C9}.dat

Filesize
5KB

MD5
67dfd7546be9f4cad46311d75ceb4cd5

SHA1
e285c9082d69f42d9dfae5a844e6f5c705ba3557

SHA256
86410012310481109626bfd8b02e404f0693e20ad8130f8336d0b79196757a06

SHA512
d8f7c4c21f92bfac760ab0dcbf8a42880ac24e6ebd18391702072098aee647769057d9f682173c820b2446a745a0f63212f479a9603c5b9e83c396c868bc3b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{86927D04-7158-11EE-BC26-5E9DF4B4F3C9}.dat

Filesize
7KB

MD5
60a57d0ad746e4fef31cea817dad4b7e

SHA1
dcd77826b6dc4bcc4272c2d700eccef73cfb0198

SHA256
210f18ce6b5d4558f7bf9345c699bb71eb9dfe3158db7582a1fc62321983e5d2

SHA512
37fde3a257bbed8b3f67a17df256e696c4c06b83b24de390e7c4f3e35c10e6422fbbdb31d98bf51d66c91e3c51de9d0caae37a7c12946b35ebba2a0099279b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{86927D05-7158-11EE-BC26-5E9DF4B4F3C9}.dat

Filesize
4KB

MD5
098c380690422a8c6bdc0711666ef92b

SHA1
78dd5ca7eb7b84e2cdf0258314c19ba7bcc4a329

SHA256
010edf99764b44406e88aaacd9f49038055826622630569b05c226d8907709b1

SHA512
6c405a7b20f8b603617fb044113c04979d6bf8f4a832aa8ba1baaf736877aecf5e6074e25fb34d2ae38814a1a4ad34b940d8c47c4694111dd95a5e81b6f68da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{929D11A5-7158-11EE-BC26-5E9DF4B4F3C9}.dat

Filesize
4KB

MD5
a1a95900650316f238beb67eb419de39

SHA1
52b3cb71792e6bca42d37bcb41df9cb8386da985

SHA256
59ad380b27c02a98a53459e727e357613558afca9124b1dd50d352da17e8b720

SHA512
9feac249f2a0d4d7f347308c9906f363553fe6248914934557809da7065999c51e340593b9d66bce47e37c442373af5a39e8ed49efbaa41f84ba7db4d1be53e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7EC2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7F73.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22939.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24343.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9139619CE697DA3C.TMP

Filesize
16KB

MD5
35c28324347ca266734371ee31abdfbe

SHA1
786e041922292601df2a42f6b8f0092741a73929

SHA256
6a657aa51d87326e1cecdcc35303350fb23d1b8eeac14a8f7db3754d4c35274a

SHA512
92db67f430468d0ab4c1b1c5bcd909e0811d9358e51b97e96aaaabc0b925b43e369e7928853abd5b7fa22a55a98f1fc2269862b1b65ac455b8d2809d4ab98a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
memory/2412-2018-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2412-10-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-11-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2412-2012-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2412-12-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-14-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-15-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2412-2015-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2412-2019-0x000000001B0E0000-0x000000001B152000-memory.dmp

Filesize
456KB

Download
memory/2412-2017-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2932-1-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2932-3-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2932-0-0x00000000020E0000-0x0000000002118000-memory.dmp

Filesize
224KB

Download
memory/2932-13-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2932-2-0x0000000000850000-0x00000000008D0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads