jigsaw | bc6c2a22cf086bb9f18e100866c83377a2c8cfb4f3b9cbc0330194d58edde7df

Analysis

max time kernel
54s
max time network
94s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware.Jigsaw.exe
Size

283KB
MD5

2773e3dc59472296cb0024ba7715a64e
SHA1

27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256

3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA512

6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
SSDEEP

6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

Score

10^/10

jigsaw discovery persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (986) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

Processes:

drpbx.exe

pid	Process
2320	drpbx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ransomware.Jigsaw.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Ransomware.Jigsaw.exe

Drops file in Program Files directory 64 IoCs

Processes:

drpbx.exe

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\QuizShow.potx.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_cs.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.fun	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Manuscript.dotx	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg	drpbx.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
2492	chrome.exe
2492	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe
Token: SeShutdownPrivilege	2492	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	Process
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe
2492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ransomware.Jigsaw.exechrome.exe

description	pid	Process	procid_target
PID 2408 wrote to memory of 2320	2408	Ransomware.Jigsaw.exe	30
PID 2408 wrote to memory of 2320	2408	Ransomware.Jigsaw.exe	30
PID 2408 wrote to memory of 2320	2408	Ransomware.Jigsaw.exe	30
PID 2492 wrote to memory of 1156	2492	chrome.exe	32
PID 2492 wrote to memory of 1156	2492	chrome.exe	32
PID 2492 wrote to memory of 1156	2492	chrome.exe	32
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 2120	2492	chrome.exe	34
PID 2492 wrote to memory of 1060	2492	chrome.exe	36
PID 2492 wrote to memory of 1060	2492	chrome.exe	36
PID 2492 wrote to memory of 1060	2492	chrome.exe	36
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37
PID 2492 wrote to memory of 2356	2492	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\Ransomware.Jigsaw.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.Jigsaw.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Ransomware.Jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7059758,0x7fef7059768,0x7fef7059778
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2248 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2748 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:2
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=284 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3816 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3936 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2696 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2456 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1244,i,16081376247829488773,10635135009503236568,131072 /prefetch:8
  2⤵
  PID:2024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7fbfbb60-cc80-4edf-a489-7e1d5cef1b23.tmp

Filesize
155KB

MD5
9e2ad99c4c30f065e0219000dd841e9e

SHA1
cc85f78280e5cd54f1d6d0b489ab18cc969f7d26

SHA256
13e497a5cf5d6d969056e634d2b04b7cb405d3bbc3479874f9dde2f8482456b7

SHA512
bbcb6cfae854d7a3ad08edb657ddea7b91607aebaced58fd532b93c67b995c3603302bc3f4545da54a3815c02ad102c320e169a7c4dea455241275d67bf5554a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
f956de956cddcda63d6d9df45c0c463a

SHA1
0e4903dc7cd96445215d305e980cff550c725983

SHA256
2d78531b24f16c12409ad3a8528ce5ab18b4898cc11bf6a159edc02f11f86088

SHA512
0e4c73d55986be7d548101a336fe8596335cd43bd7121c13c272eecd7c7078a37674a5bed7ac0d72a0061a6f3d53b5ca02c2d5d06276f7b4dcf7866d9614b196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
db9d62ce9b731132f9a6035dface7bfd

SHA1
9147e575477bfe6a9b261822bdc5e05808785f73

SHA256
7d403615248b519c8698142e51796811cf375d13cdded94e1b70486e5d87dee9

SHA512
7eb0d2a58dc467be70d3073f6df091375b65bd9ab1608f324a9546a1ee936986e6a595ffc07f5f0dd52dc16660f94ce465c9ab7a7d43fc10d3a706878514b540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cf2489617f7c0cbf8d8336723b5e8dac

SHA1
d390d5ddc2ce8eeceaf18c1032a7785529373e79

SHA256
22acf6183034539cc2711f2abed3b7ab3b3fd859da4d3ed855f996fd3f2365c5

SHA512
ea3a3b60ca90b1ae4da1bf820ca7a73c47cd1436677fb97f2e1da5f6cb76292d3b452b18e399c3a0d973088d4afa66ef60d0c33e6367ea992095e2b09cf1b445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c82a400ae151cc93219b513d3e30021f

SHA1
b8f9663ba693683cd6910feb29ffa0da6b5dbf21

SHA256
0dadebba8f37ae394b2061b5099afe9b71611f71996513984e9b40d50e93ee3b

SHA512
6ec1e668f05f3329d015ebbc136b59efde035261f7f6e4eba8447b6420f5b10136391f779aa901033a18bc398093880becad907d6431f44430064a77ff0ec864

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ca8e0ca5a8b0f1a65ea531de1d5f8061

SHA1
3680872640da0089a7beb562ef5242b7c746ffda

SHA256
01841a801ee7ffa5bbe35f3de1dab02d5c7bfaee574bf0f1ebd39632445b4eaf

SHA512
f3091868510e3106e8c5ee830c601adec6c1408ffb6e2adb03ccf352e68a9717d1dcb6babe21ef757dbe7dff4eb3101612106321ab58d22b28afab75078d1c41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
c2942ef3aeb7ba3809378c2c4765ce84

SHA1
3d15d5c37ea34d70c9abd3cc887e6e56e743a638

SHA256
4fb300d8ba6fb7e08e0bb77308334f4f8bc2d39a8c600fcd7ade4524b6ea5af2

SHA512
91420dd6d39fd8bfba3a9f05782743b19c4d5883be954b9798f21e4b7e54c23a2497721c7fcb40a036f66d5adea539e542a236960e5e30bcb66c117aecb157c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.fun

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
\??\pipe\crashpad_2492_GQQHNSUUXCPWMTGH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2164-2115-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2164-2110-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2164-2109-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2164-2114-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2320-12-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2320-10-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2320-11-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2320-9-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2408-0-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

Filesize
4KB

Download
memory/2408-8-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2408-1-0x00000000006B0000-0x00000000006E8000-memory.dmp

Filesize
224KB

Download