jigsaw | 4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe
Size

137KB
MD5

6b2843a576c2cc99cdda72304b3b67c9
SHA1

d1be9c2e7130ddc7649966a1fc691b9e4f90681b
SHA256

4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71
SHA512

9cfd6248401ab04bc67c6695f9d60d9dc050ef93bb8fda321cc0ed808c86e69fca3a36bac69de4f8e3f185c31c9ba3c744c6a646105e8a8306725194934e0365
SSDEEP

3072:gLSypkVCjHgCl1YERTwBl2kZUYxYID6KN4WWEEb:guCc1K1YERTeIkZVxYgT

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Ransom Note

MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L��]��"�0�� v8�� @��@�� @��$8�O��@�$��`��6�� H��.text�� `.rsrc��$��@��@��@.reloc��`��$��@��B��X8��H��K��tT��*��h��{�� *{�� *V(�� }�� }�� *��0�;��u�� ,/(�� {�� {�� o�� ,( �� {�� {�� o!�� **� ut� )UU�Z(�� {�� o"�� X )UU�Z( �� {�� o#�� X*0�X��r��p��%{�� -&+��o$�� %{�� -&+��o$�� (%�� *{&�� *{'�� *V(�� }&�� }'�� *��0�;��u�� ,/(�� {&�� {&�� o�� ,( �� {'�� {'�� o!�� **� i��u )UU�Z(�� {&�� o"�� X )UU�Z( �� {'�� o#�� X*0�X��r9��p��%{&�� -&+��o$�� %{'�� -&+��o$�� (%�� *0�� p��((�� ((�� s)�� ro��p(*�� r��p(+�� r��p� ��r��p��r��p��%~��(,�� ~��(,�� r �p��~��(,�� ~��(-�� -~��(.�� &��r%�p��d��ru�p��(/�� r��p(+�� *�(0�� (��{��~��o1�� {��o2�� *�~��,*(?��-*��(��s��(3�� *(B��**z,{��,{��o�� (4�� *�0��s5�� }��{��s6�� }��(7�� {��o2�� {��s8�� o9�� "��@"��PAs:�� (;�� (<�� s=�� (>�� r��p(?�� r��po@�� s8�� (A�� (B�� *6(0�� (��*0��(C��oC�� +b�(D�� r��p(E�� (F�� ,%{��oG�� %r�p�%�oH�� &+#{��oG�� %r�p�%�oH�� &�(I�� -�� o�� *��oz��z,{��,{��o�� (4�� *�0��sJ�� }��sK�� } ��sK�� }!��{��oL�� (7�� {��oM�� {��oN�� _��%{ ��%{!��oO�� {��oP�� {��sQ�� oR�� {��r�po?�� {�� R�� F��s=�� oS�� {��oT�� {��sU�� oV�� { ��rO�poW�� { ��r_�poX�� { ��oY�� { ��2oZ�� {!��r{�poW�� {!��r��poX�� {!��oY�� {!�� oZ�� "��@"��PAs:�� (;�� (<�� R�� F��s=�� (>�� ([�� {��o\�� r��p(?�� (]�� r��po@�� s8�� (A�� {��o^�� (B�� *6(0�� ()��*0��(_�� (`�� (a�� (S��{(��}o1�� {(��o2�� {'��r�po@�� {)��~��o@�� {)��ob�� {*��oc�� {*��(��o@�� {*��ob�� {+��ob�� {,��ob�� {.��ob�� {-��o2�� {/��ob�� (��, ��(��*��0�'��~��r��p(,�� (F�� ,*r��p(d�� *�0�P�� (C��oC�� +"(D�� 3�2r��p(E�� (e�� X (I�� -�� o�� &��*�� /<��LL�#��0��~��r��p(,�� (F�� ,(f�� *sg�� (6��J��%(*�� oh�� (��+oj�� +(k�� ol�� om�� &(n�� -��o�� ~M��%-&~L��W��so�� %�M��(��+(��+(d�� *��I�$m��f(r�� %%os�� `ot�� *Rou�� r�p(v�� &*�0��~�� {'��~%��ow�� r��p(E�� o@�� ~%��X�%��~%��ox�� X.*{(��o2�� {)��ob�� {*��ob�� {+��ob�� {,��ob�� {.��ob�� {-��o2�� {/��ob�� "��*��0�� (:�� (��(;��Zi~��1Y{-��oy�� {+��oz�� {+��({�� o|�� {+��r��po@�� r��pr��p(}�� &r��p(H��(@��+F1"{+��(~�� o|�� {+��r��po@�� + {+��(~�� o|�� {+��r3�po@�� #&{+��r{�po@�� {+��(~�� o|�� *��#��2s��o3�� *��0�� ~"��1B~"��Y�"��~"��<[ ~"��<]{.��(/�� r��p(/�� (+�� o@�� * ��"��#��?~#��l(�� i{/��(/�� r��p(E�� o@�� ~#��X�#��(��*2r��p(�� &*z,{&��,{&��o�� (4�� *��0�F��s5�� }&��(�� s�� s�� }'��{&��s6�� }(��s�� })��s�� }*��s�� }+��s�� },��{&��s6�� }-��s�� }.��s�� }/��s�� }0��s�� }1��s�� }2��s�� }3��s�� }4��s�� }5��s�� }6��s�� }7��s�� }8��s�� }9��s�� }:��{1��oL�� {9��oL�� (7�� {'��o�� {'��(�� o|�� {'��r+�p"��pAs�� o�� {'��(�� o�� {'�� k��sQ�� oR�� {'��s�� o�� {'��rI�po?�� {'��s=�� oS�� {'��oT�� {(�� s8�� o9�� {)��o�� {)��(�� o|�� {)��r+�p"��@As�� o�� {)��(�� o�� {)�� l�� sQ�� oR�� {)��s�� o�� {)��rc�po?�� {)�� s=�� oS�� {)��oT�� {)��rw�po@�� {*��o�� J��%r��p�o�� {*�� p�� *��sQ�� oR�� {*��s�� o�� {*��r �po?�� {*�� #��s=�� oS�� {*��oT�� {*��r��po@�� {*��&��s8�� o�� {+��(�� o|�� {+��(�� o�� {+��` ��sQ�� oR�� {+��s�� o�� {+��r+�po?�� {+�� "s=�� oS�� {+��oT�� {+��rQ�po@�� {+��o�� {+��!��s8�� o�� {,��(�� o|�� {,��(�� o�� {,��5 i��sQ�� oR�� {,��s�� o�� {,��rm�po?�� {,�� s=�� oS�� {,��oT�� {,��r��po@�� {,��o�� {,��"��s8�� o�� {-�� o1�� {-��#��s8�� o9�� {.��o�� {.��(�� o|�� {.��o�� {.��r��p"��$Bs�� o�� {.��(�� o�� {.��5 ��sQ�� oR�� {.��s�� o�� {.��r��po?�� {.�� Vs=�� oS�� {.��oT�� {.��r�po@�� {.��$��s8�� o�� {/��o�� {/��(�� o|�� {/��r�p"��@As�� o�� {/��(�� o�� {/��A L��sQ�� oR�� {/��s�� o�� {/��rE�po?�� {/�� s=�� oS�� {/��oT�� {/��rk�po@�� {0��o�� J��%r��p�%r��p�o�� {0��(�� o|�� {0�� p��4sQ�� oR�� {0��s�� o�� {0��o�� {0��rr �po?�� {0��oc�� {0�� _��s=�� oS�� {0��oT�� {0��r� �po�� o@�� {0��'��s8�� o�� {1��(�� o|�� {1��(0��o�� {1��(4sQ�� oR�� {1��s�� o�� {1��r� �po?�� {1�� -�� s=�� oS�� {1��o�� {1�� o�� {1��o�� {2��o�� {2��(�� o|�� {2��r�p"��pAs�� o�� {2��(�� o�� {2�� |��CsQ�� oR�� {2��s�� o�� {2��r� �po?�� {2�� s=�� oS�� {2�� oT�� {2��r� �po@�� {3��o�� {3��(�� o|�� {3��r�p"��pAs�� o�� {3��(�� o�� {3�� u�� sQ�� oR�� {3��s�� o�� {3��r �po?�� {3�� (��s=�� oS�� {3��oT�� {3��r �po@�� {4��( ��sQ�� oR�� {4��s�� o�� {4��rB �po?�� {4�� ,��s=�� oS�� {4��oT�� {5��o�� {5��(�� o�� {5��$ y��sQ�� oR�� {5��s�� o�� {5��rT �po?�� {5��Ss=�� oS�� {5�� oT�� {5��rb �po@�� {6��o�� {6��(�� o�� {6��r�p"��@As�� o�� {6��(�� o�� {6��[ %��sQ�� oR�� {6��s�� o�� {6��rz �po?�� {6�� s=�� oS�� {6��oT�� {6��o�� {6��r� �po@�� {6��%��s�� o�� {7��o�� {7��! J��sQ�� oR�� {7��s�� o�� {7��r� �po?�� {7�� s=�� oS�� {7��oT�� {7��r� �po@�� {8��o�� {8��(�� o|�� {8��r�p"��pAs�� o�� {8��(�� o�� {8�� u�� i��sQ�� oR�� {8��s�� o�� {8��r�po?�� {8�� ]��s=�� oS�� {8��oT�� {8��r&�po@�� {9��(�� o|�� {9��(1��o�� {9�� sQ�� oR�� {9��s�� o�� {9��r^�po?�� {9�� 7s=�� oS�� {9��o�� {9��o�� {9��o�� {:�� p�� sQ�� oR�� {:��s�� o�� {:��rv�po?�� {:��oc�� {:�� #��s=�� oS�� {:��oT�� {:��r��po@�� "��A"��As:�� (;�� (<�� (�� o|�� `�� s=�� (>�� ([�� {:��o\�� ([�� {*��o\�� ([�� {9��o\�� ([�� {8��o\�� ([�� {7��o\�� ([�� {6��o\�� ([�� {5��o\�� ([�� {4��o\�� ([�� {3��o\�� ([�� {2��o\�� ([�� {1��o\�� ([�� {0��o\�� ([�� {/��o\�� ([�� {.��o\�� ([�� {,��o\�� ([�� {+��o\�� ([�� {)��o\�� ([�� {'��o\�� (�� o�� (�� r��po�� t��(�� s�� (�� r��p(?�� (]�� s�� (�� s8�� (A�� {1��o^�� {9��o^�� (B�� (�� *��0�'��~��i.+�(=��s��&(�� &��*��##��(�� *�~;��-r��p� ��(�� o�� s�� ;��~;��*~<��*�<��*j(,��r��p~<��o�� t1��*j(,��r�p~<��o�� t1��*j(,��r8�p~<��o�� t1��*j(,��rJ�p~<��o�� t1��*V(,��rZ�p~<��o�� *j(,��r��p~<��o�� t1��*V(,��r��p~<��o�� *V(,��r��p~<��o�� *~=��*(�� *Vs8��(�� t ��=��*��0�x��~>��r��p(E�� s�� o�� (�� r��po�� ,o$�� r��p(�� ,o$�� s�� zr��po�� r �po�� r �po�� r* �po��+*0�e��~>��r6 �p(+�� s�� o�� (�� r��po�� ,o$�� r��p(�� ,o$�� s�� zr��po�� rX �po��+*.rh �p�>��*��0�M�� -(5��(�� &*9��@��r� �pr� �po�� (�� ,j(F�� ,bsX��(�� (�� o$�� }N��(�� Y��s�� (��+� d(�� X ,d2� ,��(�� -(e�� 3~��~ ��(�� &~��,(�� *~�� ~��,B((�� ~��(�� (,�� ~��(N��(�� ~��(�� ,*(�� (�� ,*~��(>��,(>��&(�� r� �pr� �po�� (�� &(�� *�(�� (�� ,*(�� o$�� (.�� &(�� (�� *B(�� ~��(�� *��0��~��-(�� ~��(Q��sg�� %~��(�� om�� &%~��(�� om�� &%~��om�� &oC�� +(D�� (-�� ,(�� &��(I�� -�� o�� (�� (�� r� �p(E�� (�� s�� r� �p(�� o�� , o�� (A��&�(�� *4��[�l�#��Q�)z�� 0��(E��s�� (�� ~P��%-&~O��\��s�� %�P��(��+o�� +o�� r��p(G��o�� -�� ,o�� ~?��(F�� -~@��(��+~?��(�� *��:�W� ��0�9��sg�� ~?��(F�� ,%~?��(�� +� om�� &X�i2�*��0�s��~��r6�p(,�� (-�� -(.�� &r`�p(,�� s�� rx�po�� ,o�� r��p(,�� s�� r��po�� ,o�� *��1� >� ��Z� g� ��0�p��sg�� (3��J��%(*�� %r� �p�oh�� (��+oj�� +(k�� ol�� om�� &(n�� -��o�� r��po�� &*��2�"T��>�sc��%}[��*0�H��sk�� }_��(F��{`��%-&�l��s�� %}`��~Q��%-&~O��]��s�� %�Q��(��+~R��%-&~O��^��s�� %�R��( ��+~S��%-&~O��_��s�� %�S��( ��+~T��%-&~O��`��s�� %�T��(��+~U��%-&~O��a��s�� %�U��(��+~V��%-&~O��b��s�� %�V��( ��+o�� +!o�� (I��,~@�� om�� &�&��o�� -�� ,o�� *��0��-= ��0�Q��(C��oC�� + �(D�� (E�� %(J��(e�� &��(I�� -�� o�� ~?��(e�� *��*��-8��0��~��, ~��o�� -r��po�� , �_s�� r��p(�� o�� %�F��(�� o�� (E�� (K�� ,o�� & ��(e�� & �**(��-�8e� ��qq��w��#��0�n��o�� -�box�� Yo�� s�� r��p(�� o�� %�F��(�� o�� (L�� ,o�� &��(e�� &��*��(�� 2R� ��^^��b�j�#��0�i�� s�� s�� o�� s�� io�� , o�� -�� , o�� ,o�� ,o�� *��(��)�!J� ��9T� ��K^� ��0�i�� s�� s�� o�� s�� io�� , o�� -�� , o�� ,o�� ,o�� *��(��)�!J� ��9T� ��K^� ��~~��r0�p(,�� ?��sg�� @��*0�"��,3�~��(P�� &(O��(O��*��~��-*((�� ~��(�� (,�� *0�#��~�� r\�po�� -*(�� o�� *�0�#��~�� r\�po�� -*(�� o�� *^o�� ~C��(R��&*2s�� C��*.sV��L��*(�� *^o�� o�� {N��o�� *.s[��O��*2o� o� *"s� *Jo� o� o�� *o� *6s� s� *Ro� o � ��j�*o � *z(�� }W��(� o� }Y��*��0��{W�� , ;��*}W��s � }\��{\��{Z��o� 8��{\��o� }Z��{Z��(� + �{\��o� X �i2��(� o� ��{Z��(� �(� o� ��,\}]��}^��+5{]��{^��}X��}W��*}W��{^��X}^��{^��{]��i2�}]��{\��o� =!��*��L�.z�#��#��{X��*s� z�0�<��{W��3{Y��(� o� 3}W�� +sc�� {[��}Z��*(i��*{_��*BSJB��v2.0.50727��l��#~��p��#Strings��\9��#US�I��#GUID��$I��P��#Blob��W��? ��3��c��l��U��/�� q��!�!�� m�� P��[ !��U�� 8��U��U �t{�� {�<U ��{ ��{�#�o�� ,{ ��{ �o{ ��{ �D{ ��{��U�-�� n{ �{ ��{��U�BU�H U�v �� A��%o �� U��U��p�?��p��\��!p�,��p�U��p�+U�>��[�4 U��/ U��U��U3��kp�0p�p�kU �{�� {�rU�jo �{ �@{��o ��p �={�� { � { ��{ �{��o �b{ �{S�� i{ �� {��U� I��I�� 9{ �v{�#o �� U�9 U�aU��o �No �Io ��{ ��{�*o �� { �${��o ��{ �7{ �7{ �){ � {�$o �J{ ��{�� +� ��{ �{��U�<U�4U�!��U�NU�Np�y��2p��Z[��U��p��U�{U��=��=��=�� U��U��X�U�"��9�=�;�*��H�=�;�+��=�7��R=�>�:��R=�?�=��"R=�?�B��R=�C�N��=�F�U��& ��Q�G�U�!��=�L�U��=�N�X�!��=�O�Z��=�W�c��[��=�_�k�� Q�a�m��!d�m�!�Ga�!�ce�!�Ga�!�Ve�S��S��S�q�S�)�S��IS�� 5��%��I��I�}�� }��!��I��IQ�� I�}��f��<�� R��F��?��4��q��,��u � �X�1�Z�1�F Q�)�Q��1�zQ�_Q�T3�IV�� V� �V��V��6��9�"�'�6��-��1��<�qK��Y�5g�xw�� I��I�u��p��!I� �p��IV��V�Z�P ��8��X ��T�` ��L�x ��K�� 0E�� # ��X!��8��`!��T�h!��L��!��K��!��0E��!��# ��`"��"�e#��#��#��" ��#��;� ��#�� #��$��$��]��#��d��H%�� h%��>'��L'��O��0(��d(��U��(��G��)��j?��)��P ��)��*��6��+��+��#��I,�� #��"��#��$�V,�� &�x,��'��;��'�<��(�<��(�D<��] �(�K<��i �(�S<��S

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (3781) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\selector.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\packager.jar	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-400_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Silhouette.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\dash.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44LogoExtensions.targetsize-256.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-200_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_opencarat_18.svg	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg.locked	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\MobileUpsellImage-light.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7734_36x36x32.png	drpbx.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt.locked	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js.locked	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-white_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-36_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\3DViewerProductDescription-universal.xml	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\ui-strings.js.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ShareLogo_15px.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation.png.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-colorize.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png.locked	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg.locked	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-white.png	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1048	912	6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe	84
PID 912 wrote to memory of 1048	912	6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\6b2843a576c2cc99cdda72304b3b67c9_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.locked

Filesize
720B

MD5
61947d0907c945a6df0f1d86b894e4c7

SHA1
fd488589b551ef61957bc329d1a10a4dd20481db

SHA256
cfa663ff1da533b46726d1761848a327ff515ee7dd4bb395a9430f6cbc568bdd

SHA512
296a37e91d1fbce5e951413e09b240db31eef5ff88ce783a506cb40151dfc394465e0ba617f8d2ce4310a1432b969d88873e74905012b65492cdccd11a874981

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.locked

Filesize
7KB

MD5
a842db7ac1990b29e2c453d22188eafc

SHA1
562adae12978c15a03c541c86a930d306d1a3618

SHA256
577aceff95acfa55f729b8c56d5a5848d55d76ac0664b7ad4e32f1ffbc6729f3

SHA512
21639cb95779a49f24fa1fc74e2c26eba8040800b2f3fcba8815b41a915cb7710d2d528d00fb9d3acce8a74ce155a83e0f1b24fd7f4614934405d10211a19554

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.locked

Filesize
7KB

MD5
f13b68445c6a611c58b69d0663adcd41

SHA1
f4405939a8ce9d73be0b9e95bc694c0e3187d4f5

SHA256
dfa70d2305ea3cc4ceedf503877087e358697aba61f28e6afe310af68dddfcee

SHA512
c2e8e3fda0588bf6bf8385c654a245a597ba146e5877943db63d0f2177833de3a1e0f6118d318071f07a2c0a107001bfeac901119e036b15ebf5dfa6b7795f28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.locked

Filesize
15KB

MD5
c8fc25207f8ceecd9227242be2efbac3

SHA1
46f774b5a0f7cbd381d4434ce8e50de84c3c0c12

SHA256
bab54850e29f9ebc93b283187ef71904745c380cf99f7b2fa75de22a59ed3d97

SHA512
8ebfe4584beb21ad2a82da8ad799aebb00e52b5c819775f4df6dbf6dd2435f45514cbb15747baaea6018d476f43ea2c7ba66f6103b551ccf55ae3642167bc653

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.locked

Filesize
8KB

MD5
b5d8672c3a1c0c03ea94ed8e7545b730

SHA1
95dc280bb5e13b9979952cc20f30f6830f184901

SHA256
fca20ec5c665941480e92223fc4719aac0b3235a7f115d2574d7129e7e6ee348

SHA512
de8da4e24416eda326404a717e77a8d810aa6f995c5fd545c9da1ef8cb47fa9786628d3ac3273f165167e4ea4f63532303f07518c85f8198adbfd89f0342f7c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.locked

Filesize
17KB

MD5
ce629e483860631759ed4b212ade9bfb

SHA1
f5b4a74fcd8a4c203febcbcf808d2581959ab442

SHA256
5091a8ca0d8b0b72af4059110ad2197a423e2ddf8c8cc15e6a7f468c3fb2a78e

SHA512
d530e96e76b674605c4cf5ec30288ad4ea93399021ba88d68961cee3b158aed0e56729925a025ab355a888dda8d668780723aa3decfdebbeabfb6d5109504b42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.locked

Filesize
448B

MD5
cab6c8585046fdcc0b2600cef0cb22aa

SHA1
2b0ce8b6523310938dceeec9fb9c9d864acc2f6b

SHA256
628b2ec6f6336318df443543de6a8a1d16e3b3400753e75a54e7a68cac604720

SHA512
8a88ceb9ec69d8f3cb6ac5965d7498fecb83e9c64f18d96c385ffffd9eae8fcebdc382c8a2c4b4b45581995fd1bc77e0afb0d3c568a6ce2907543092b3e6f992

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.locked

Filesize
624B

MD5
363b1b98d976980f0af736f587e99651

SHA1
4c9dbdd0523152e757c445a0495cb0572306b5f9

SHA256
bb70106809438ed5d550b69ae3d5119ecb46c75f7d8e0dddddd18e2967df73d0

SHA512
ca1c0b3690e7c9ce985a7f6ff2af321685d365d5ce61d700d2d17afd231cce067c01372faf43e2634414e3e6aa0c1ebdcadbdcab7c46eab759d6e4e584030e7a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.locked

Filesize
400B

MD5
296b9b5580cc931820d1a1e62c29c41a

SHA1
484d786dc7196520072ec4a4952ec96d88ed6e26

SHA256
a36df9606a73c204e04696b1930d23c3581d33876d2b1510c9d324996186247c

SHA512
58e4b6c8014c9413540733003a2075c74ce9170bfdcfc27db79b795616988d91f58b7f3234183850a24a6b38ef2b4befdc61bae828a0d50bb79e729e51e458ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.locked

Filesize
560B

MD5
355f9c4064151c7089fbe1126af0cb77

SHA1
b138c3b0563efc29dc3ed24180dcd46cec5819b4

SHA256
0d8584a9d9fbf7c7b0b54f69b308da3204281c93aa1bf2f83c02e129c73a987e

SHA512
cc39d40c5058cee42fd451210b64def65499a5e2abe1475426aa88b65305e3b0a7572b7a0de15756ab68660d899bfd0c28fb62c2b6920c98d0a7e1896e292905

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.locked

Filesize
400B

MD5
b9928ad5ffa158894354df8b8ff6b23f

SHA1
e228563a9873a502801dda31c3d33be880080251

SHA256
e1a2e7cd9fe8586b95860da7c13d7b9407797ab253573c24fe423c8bc4485cf7

SHA512
d18f4fe5500a0cd70092f22f414895782cb8f3f3040c627a21ddafb1295faa146bf158e8b71ed4741f53c096b13d24d1046f7c6d6753fe0fe9a72b496f1093a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.locked

Filesize
560B

MD5
2e7765187796a13a10d805e0ee978a6a

SHA1
c7a8e4989068703a552b2cfe13e2411a621114f2

SHA256
cf050c014f972d74e2e9ef5aab5dab5ca46fb1344d07539aa4071305f51d2b9e

SHA512
73fd7b93efc84fb8a7c63eca4b51c85a33c85db58c2e98161bb2045ad06fc60479a0cf672346a0fd9ee30ed4cd28e565310921315180400cab56561ce0f9ed40

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.locked

Filesize
400B

MD5
d86ab3c169ebf736f5109312a9ce1c27

SHA1
513eacceed79aeba7c7ef521759d65e73edb368b

SHA256
aca7c25306834d60e990bbff5a59d35171811a4cd764cd6f19ed7f3d60678a6c

SHA512
ae27bd93e06be3c9e392ad9ed852e5b06828ab298a7e91ea58411b04cc7997858f6d3e891212a044dde51307f9cf759fb18e90c6d3afa7e78ed8f404116ec0c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.locked

Filesize
560B

MD5
ba92eb229413a4997d609cb7c32a262b

SHA1
7e3d458cb15bdd2b4dfb48cd636b915f1e216d69

SHA256
307ed4b76842f00b9b5ccbdfee3dbe845027badaf9fefa0f270ffdb37d053195

SHA512
4d532be35dbee30672cc2734717c827cc1ba3e9961fe5068bc21b0826edfceaabbf9e8511ed60b03522fa8f02f3c028c5c815727628a29217a8a843200ae3925

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.locked

Filesize
688B

MD5
79928359f473ca412b6619daa126ea4a

SHA1
55d1f1d741b2327b2853a26b9c55712460ab6433

SHA256
26bc3338fa8e8f825c0e8fef85c572df98afa06dfd09dcbf6be0be93a0e7644e

SHA512
6e976147cec5201ed7d9543db2b335d007dc159f571e7df373d4efd28625255c53e47d76e21ff514de08887b15995111ba68ae0b047678d5c64387465729e52e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.locked

Filesize
1KB

MD5
27c2ae5ec13d9be007de8f3bd3577b19

SHA1
0b4fb7f92ed8c9a72bb48a2b6ff4dd0eeac45f5c

SHA256
9bc2e43816cd6586b50b94902b7beac1291a4123b9ca38fa2f3cb6bf647cb9a8

SHA512
832d67e486247748c3eafff6c9c0b3a039203c349c31677d26361e0f66c1e0e1e671f637be9c6dc22687b7ec77cd3ac4bc1a2d7eeac3e67204b79dfc2f664e4d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.locked

Filesize
192B

MD5
840221d27a09a3080a93c1f4bb265f5e

SHA1
6ed12d47df1500f7ad56ce0e3e43fa803dc040c0

SHA256
9999fa3e8b7b136d9688bc0bb42a144fab43263998c28850facdcf0def8d6360

SHA512
cc4afa07c610dba58ac80779196edaf2a745c733bcbb3b1a581ddf36c0a3f4e79a70e93ee448074d3f06f25362919140288ba59e71fc21a89ba46688434db7d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.locked

Filesize
704B

MD5
a967c33396482152971c0a3dd54053a2

SHA1
2d8cf663746ad928d0ebfcf87af685988f540aca

SHA256
107c2a1239238755e33ce29ef7b000935ede80dc9fdf544182d01e5c330a5a6e

SHA512
63e990a4d044c2414571481e6fd40bf30d1bc59c009b6b497eef062c9b2b3443005caf0dd014055d2da08e2f7e8a12d7c324f6c63430b1bfd95d14088c9b7162

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.locked

Filesize
8KB

MD5
a48c79d6485aa84f70909e0deac5afc6

SHA1
5885dd3d8553862554312632d40b04ecc583e09e

SHA256
02f138096bc96757a83a6b42e855007d6f4fd1c8390c220fb5f428219253d573

SHA512
3615eba5102df9ad4bc8aafa4c43ad3a43afb617f49607789c8a6c0fb80d0fc4f5a625ba27600b5e7f6ef302dfdedee3022d61ae202dfa6c319762befc31ca46

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.locked

Filesize
19KB

MD5
a5b25141ae69df8e8627814bc7da55e7

SHA1
862ab0471f3d3415ded16e77f2542f84023fe8ad

SHA256
bc2276d83723961e25e621e4400a2aadefb95f1e38642ba2fd8c4e7f83dda6a1

SHA512
b9b0b0c3e5bf9026e684ef38ee576aab142ccb9a19759834d30771df121a0f87167d298bfda2d341055c1949e203102e88d5195a53ab96eb18ec2c6e70d614cc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.locked

Filesize
832B

MD5
f9d942430d103eb14bb89a8b06dd354c

SHA1
28c8f183fc1c03eb2f69dfc662c0d47f25dceb9c

SHA256
30f745264662bb65ea8e073548faa9cbb594394fe6bb8f238fd463cd4b19a16b

SHA512
51994cfee07ebe1f030eb609f5d70c42b15f7f4d7a7e7e82c44682048b405ccc52cc33aed16ac21ac189d378eb93db093e32c50ece0d1c6bb5687fa1451ffea5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.locked

Filesize
1KB

MD5
254e6e1f919c82e7e6386148f4fd8b85

SHA1
4b16f83c625875047f0e397bd22c318e3dc401f5

SHA256
6fd7ad452179754ac6fe6ee17a1e9ca7277173e23096153ab776cb5c572f19f5

SHA512
b9d8f88e89da06a98685ef2dab1f85115defd342d09527fcdf81712b000800fa1350db0ba085e2fc9df29ba0da394346a9d2c68395a3f9509d525e155d986ca4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.locked

Filesize
1KB

MD5
c8df49bb4bbdc9da2bcab074f61beb09

SHA1
7bec3ca11d7533d9853d2a9a6ba2dfeb7d8201a8

SHA256
ef67108356c94c9c8826ab0a667fb88add02381715a352f9be62ee92ad781647

SHA512
53b472bdc116931819173f7385d23a8becfce39f63fcd451962bc3c6d0e117fc5f2e7ae6dac3297bf778bb35b06d5d514c10dc882ed3a5d958f8f5cdd979a213

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.locked

Filesize
2KB

MD5
5a7c257c74c8c7d5352b57cde2f0b55c

SHA1
ef9cac32cb1329bef6857173abee2fff4cac3ac6

SHA256
b2a557b40c73eb81ca22b167c4a6ac1f43622c59b2d85e5f43119769c6d6b6f5

SHA512
031764f3fb1194d778a84a294df4e0509ba00e50ddefe3a6cf7a655f48219cc38e53f5c47a56646d6ea63275ed56d19328c7b82f14e717a688d6181093764928

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.locked

Filesize
2KB

MD5
2ac07813a74d6adaa3e44db55e899e09

SHA1
a0447b0b95d442c2d770987b1e007826cdae98a2

SHA256
b770a96d153a9e662d5a586e571ba9687a0995b9dccf3f50afdb5dba8da465d9

SHA512
940e4a99d233d99b1b342c4a8d032ce70f66ef0134d57b3c13f1cdde780453e32f54f442fe9255cfe73cc9e478f72f707a383a156aa924a95ffbd3cfc840a94c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.locked

Filesize
4KB

MD5
2613b34bca30302406bbfa57c93b6c0f

SHA1
04a4e32759eb78be5d4397916bc9e51090fa4333

SHA256
53bbcb949a287d7ac25e7a31d671cd9eb11ac609f7344a38aaa5c2f165dc4093

SHA512
4c170f25c9d3238cc6572ff5522495effab28c7e0047a44eaba8939d2da46950ff9f8f1329b923d82b0b8a3e28de735dd41ebaf83711eb20b2fa52ba82f23855

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.locked

Filesize
304B

MD5
e4e7837a4f0c71864f2ed00e23aae8e0

SHA1
c35796c887fb94fc2112caf3921ba504570dde1e

SHA256
e69aa05159c50cb7dc9083dcd34a21f811aa80ca24e67eda8fca86c244d9a483

SHA512
296817bbf0f9faafa16577edb105f560be7a27ded19370efbbe9e14657fca5c202d3f19d0f001de5d9119fdef304e099bafda922135f679b487afe05e36d4fbb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.locked

Filesize
400B

MD5
30c5fafcb889cfdfef7a7373c623221b

SHA1
e4a12b7ef07ca5780ebe205201be538a34fc6154

SHA256
b2bf549220418c47e80507084b43eeccd85c0a43f4da74de6858fc96dd3020af

SHA512
4a621fa79335711dab7dbde3bf0fd30979b15c2f48eff9b867a0cde99ddc67a97d612ea0472db9903c5cb5555800907b8a183cf499f55d186a42fe0ad6fb023b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.locked

Filesize
1008B

MD5
3c501b84ed7912d164470fb2024d29ba

SHA1
f54ec8a32fe7a67acfcbd48e789c0b5d2c0b6816

SHA256
d1ba5eb730cc20b906290b76d64d2697896cc25ab4d782588f98c62c9b7ea1bc

SHA512
cf9adc56a6685c7f5131d703238752700cfe9b32133ee38f6e828b658dbd64af9732509a47abee3958c5cc22f3685f10cc27a1d5d76f7459b99498310fb6cdb9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.locked

Filesize
1KB

MD5
242c795c3e07e4f7e1db97121e007727

SHA1
c0704070f2026d817b82f71878e334be06bab551

SHA256
2ab2f7f6b540d3bcab915e7626db8db6ed71736ba7da94ce2ca4366d440cd822

SHA512
8b990d5a35b324ebbd5ee6d6d88d74e783e211f3c778162dfdf1577e2d3c6cc32693117fbfd1175ad34d7bb46e05504e8ccdcdc116a6895eee31f50d583289cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.locked

Filesize
2KB

MD5
a06ee81cc9009bcac3c9a5af0dab2b1d

SHA1
b95ada870dd0ebfd4058b6710076d750186ca151

SHA256
c82b8a9a8fa45f93bc000a754e07e9922fc1788f9d54bcdd0b4c6869145c613e

SHA512
b4271b58a89b37e2c48584778eeb08668e2d32026f98990fb017215e854a7006184f09149e478bd95a5b15027e308b61982f5a2275b998174bdf281736edece8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.locked

Filesize
848B

MD5
fe2afee9fcdf2d43940944ebd1145480

SHA1
986b8b7ce80ec8b8e223f95b508532e69cd49c05

SHA256
116b7fbce50c3c08cc73efca3439106f4f2e00012794fbad81ebff4598066a42

SHA512
b66aec41ffabc4d1566b2316de80efe3528d2ad5dd8b0030d1a127d58c0f9257c8b76ca7c301199e92213eb35f1d557a85062dc8c432e5c554590f0a91d2ceaf

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.locked

Filesize
32KB

MD5
aec7bd7c96948d97d13c7df53988e89c

SHA1
7b906b88009e7509324ae92dc8a32ae4fb38626c

SHA256
15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0

SHA512
27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.locked

Filesize
160B

MD5
000e8c41d4a15fb34d0be0dbb56e3778

SHA1
00c4eae64ee6239d7c65d819c6ce1ac329224f8c

SHA256
8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

SHA512
775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
137KB

MD5
6b2843a576c2cc99cdda72304b3b67c9

SHA1
d1be9c2e7130ddc7649966a1fc691b9e4f90681b

SHA256
4962712045bc6709a91f746b14ae6473ca1936b1caaa907f0391035f8c139f71

SHA512
9cfd6248401ab04bc67c6695f9d60d9dc050ef93bb8fda321cc0ed808c86e69fca3a36bac69de4f8e3f185c31c9ba3c744c6a646105e8a8306725194934e0365

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.locked

Filesize
8KB

MD5
420960c4b17842a24bbf117222c60e47

SHA1
4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d

SHA256
e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174

SHA512
b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a071ad59-d4f9-4b90-809d-9a64b4020cd6}\0.1.filtertrie.intermediate.txt.locked

Filesize
16B

MD5
9817c637ea440822e5d3ff2144d17467

SHA1
84080fede70d3544aad82976cec9b51c83c472ec

SHA256
df1b3b60351e48245d6ac589c68ddf77dba1aa9ba12427405b90daa9143d8252

SHA512
399bd0074e50829c3f5b5000c5e6da863de969adab921b5244da53ae35661ffbc24687176ecc1411f0da78d6a186c999846d454c365500f9833607095a0f2373

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a071ad59-d4f9-4b90-809d-9a64b4020cd6}\0.2.filtertrie.intermediate.txt.locked

Filesize
16B

MD5
2a89b7646b4d795f4bfc5bb4269138e7

SHA1
ff1ffe4b11ab6094419b961bcdc9b923369293bf

SHA256
9dd722337fac6f6363c0697082384f6866d27ad7f5f3d541cb494c91afe14c16

SHA512
4a2cfc5c842227c576b3f93962fa38001db85ae56f5989880e6938c31cc77718b69d94c900cbe150d2126d1952242450981bf2f3f148909b5e056d69579bf3d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086821031652.txt.locked

Filesize
77KB

MD5
cf075b3a0ee3f1a3277a1e35984ed5a6

SHA1
1a82916a8a5f5648a4a206d7d166a07bf35eef81

SHA256
abbf60f9f69c02ad9160d4ee4c072252ba7ba8aeae3db70c8d7fbcef933a04d2

SHA512
1598b7628c330b5c0ad8f5a89eed32fb93465c02700189e76fe8e333bdb00824db3677706f25f3b1b0883ac2bb237434b6d957aefe4e7a2574bc2fe3a2d1b388

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092380013040.txt.locked

Filesize
48KB

MD5
f25ac2da94a57accc21e1d03c7da66ab

SHA1
930f724b574f63aabcc15ae1712eff1396ab806a

SHA256
5dab01dd61900dfca1def5e70586bb4d8dfb69194a1c525bb8f0734b67a0ff46

SHA512
c261448ce54ef33f5721dc6fd8400e1c538aec9d3ebb580c32bf617373c8efc3ef34c1dc554a6b29f044dbf740e9306a53b7a7b52553e5740ca0d5c079c7efa5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095412638284.txt.locked

Filesize
66KB

MD5
c78e97985bdccc06dad7cbd0eba8e289

SHA1
1568390cdcaba8285002cec36d7a0e466b681ab3

SHA256
a5f2cfeb672eea234f8d35ef047299bb66c80e3bd04a08096ab9f7f7d6774e2a

SHA512
e7f66a3d5615c0f7a96a7d808dadab2f26fd247fa2d58fa3c72c6a4040795b75dfa9ed17e8699f7ac174c28565e17308420c11262f2e89d91198cb4ea86f06da

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586106168254286.txt.locked

Filesize
75KB

MD5
7fd1dc362d08fe698f9485a82f40e19a

SHA1
124022c2695618bfe5909672035f5f2355edb0ff

SHA256
ac7b20638151ea1a3932dd03b8c695503e2b4d8d348107b8a3189a9af7306cc1

SHA512
3ad4d97642daf06a028286385528a6001b60d53e9c7094828ab2908a0f19998dda0718e3a8b8765dabfe21d735f63629d821a4373d0c05ae604c0194c7ad2bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{404CFE34-FDF2-4E70-BDB4-887A0896C32E} - OProcSessId.dat.locked

Filesize
16B

MD5
cfdae8214d34112dbee6587664059558

SHA1
f649f45d08c46572a9a50476478ddaef7e964353

SHA256
33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

SHA512
c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

Download Submit
memory/912-3-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/912-18-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/912-0-0x00007FFB22FD5000-0x00007FFB22FD6000-memory.dmp

Filesize
4KB

Download
memory/912-2-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/912-4-0x000000001B9C0000-0x000000001BA5C000-memory.dmp

Filesize
624KB

Download
memory/912-1-0x000000001BF70000-0x000000001C43E000-memory.dmp

Filesize
4.8MB

Download
memory/1048-22-0x0000000001670000-0x0000000001678000-memory.dmp

Filesize
32KB

Download
memory/1048-20-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-21-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-19-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-283-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-284-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-285-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-3812-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-3813-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-3814-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-3817-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-3818-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download
memory/1048-3819-0x00007FFB22D20000-0x00007FFB236C1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads