jigsaw | 9dca05d456e7a2f665bc3d92c883574754718441a6075de6d09a918e67ae1035

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

files/Yasuo.Paypal.v4.5.5.5.exe
Size

436KB
MD5

3bee1d24189d4941f68b96da6e207be4
SHA1

dce911b1c05da965c8733935723b88bc29d12756
SHA256

a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710
SHA512

a40b01c630ff2c4b90a2e1bbf285c5d558193ee0fba79a3210a56408087ca828292269945e3202f65b8eb038a565b1ea8a18d185864ba9dc4073a3633c86ca29
SSDEEP

12288:5l9mnmYK1bcy9oNm3/oK14MfZGLBddXLA:cqzONmQrBM

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Renames multiple (4205) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Yasuo.Paypal.v4.5.5.5.exe

Executes dropped EXE 1 IoCs

pid	Process
2424	drpbx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Yasuo.Paypal.v4.5.5.5.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif	drpbx.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch-Dark.scale-150.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.gws	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-hover_32.svg.gws	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png.gws	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt	drpbx.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.gws	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Pyramid.Medium.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\0.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\PlayStore_icon.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated_contrast-white.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.gws	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\plugin.js	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\trace.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-200.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif.gws	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TinyTile.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\9.jpg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-125.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\ui-strings.js.gws	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileSway32x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-72_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-96.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W0.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.gws	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreMedTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_24.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\outlook_whatsnew.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2424	4668	Yasuo.Paypal.v4.5.5.5.exe	82
PID 4668 wrote to memory of 2424	4668	Yasuo.Paypal.v4.5.5.5.exe	82

C:\Users\Admin\AppData\Local\Temp\files\Yasuo.Paypal.v4.5.5.5.exe
"C:\Users\Admin\AppData\Local\Temp\files\Yasuo.Paypal.v4.5.5.5.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\files\Yasuo.Paypal.v4.5.5.5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.gws

Filesize
720B

MD5
9195babb88903ec828fafe337b76d0f2

SHA1
e0e39add32fb44fc9bd3cf4b4a3ac4638a7339de

SHA256
7deeb653bfe38b620d6fc6ca0fbdc4574f2a037ab7068f185d92d9b730f2f031

SHA512
0fd753ebad66626ff28eb2d948aa5d3162da26071c5b90cc460c7d4e1cabd0263108b4bf65007c43a7b005809b15a79dd9186c7def9921bcc67c9fea41ae8f26

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.gws

Filesize
7KB

MD5
2e258399eb4eb1a929c90bf2e3e90259

SHA1
90e9186422f3eacb47066431f233182becb663d6

SHA256
dea0b77cb4040e8bedce0b979dfa1a1e8fc5062d699961c78be9b51a293e79c8

SHA512
64270a446608e86361a1b3d3998c6e17f18a3d90614f11608c04462e601ce0dcb18687ea63dcf9419a674bfc8397dc069b38549bb2b3cabd2dbbbf47d3ea8779

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.gws

Filesize
7KB

MD5
b302ff685a7fbe2d5fa113ea3c4887ba

SHA1
ad401e158a4a13980b95d6af041f93832f9d4694

SHA256
afc755d89dbc70dc27eeb13ab80ff4ee7009c0135885864ffabd107e0318f56f

SHA512
a9966f7afc89585dacff48b1f58b66f2a1c490cf620dad87d0100cd60fcb40cf73ce70daa311e8bd97f4cf18646b6242ba0994e661ded3a48d4dd29ae1897cb3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.gws

Filesize
15KB

MD5
0e8b8abfd04a1668040d20e24dc9c51c

SHA1
f1ccc10cb526227dbc8bdf081c73460ead02243d

SHA256
df4236744db8166320d833091b964e8db7dff969c31c38d8b070848161c90358

SHA512
1399afd668efe263462cc88072dfb128730eeac253635af6561efb46df8f97e557727b6c826dde39215a7430d7fbe15405f0a8b4a5a2273e4166f23d89884a3d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.gws

Filesize
8KB

MD5
6461793e4d9ce8147f404890cb75f69b

SHA1
b7db8d5a202340af9e988c81e2cdc6f34d286e94

SHA256
d116262eae4db29fee337dd8888e0ab5bd54cd5080bd6e1b78653546926376d3

SHA512
88bbff83a9331017b624e74a66daac47981e96aa12fc86793a514e0d1495f4965720e8443532959ea95ad04dcf9055ca4d3ad759d1c41bcd62071ac644f4c1ed

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.gws

Filesize
17KB

MD5
b3cf517679639deb3c21ff8fd2d2c6bc

SHA1
6ca03f7cb27bcee1b950953294b72f159fbe9a2e

SHA256
31b9d9de8dd7fb2d594f6576cb1acbf14b5a977858f22765d7b4d88be6bd4a2c

SHA512
e812fcaa58f7aada8444dac583c09cd399921a2d0cd1852af16ae01d19539949f2a382f1f4f1427d656e73aa141106a54f4f66b5221f0535f20863e2dc9a27de

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.gws

Filesize
448B

MD5
22248b1821cf5dbe8c49c0cc98d1341d

SHA1
cb2c50d0a6c9a9b310f729fbeab62b6f281f4244

SHA256
5edf5ddf0e1014223ffcb1c59c92df6b8141b67e47d91cf246ca4a95f94dee6a

SHA512
02c23004cd3c84ad08ed2516586c752a0a5bfe1c67efd7308b6b8c6d9fc199b1600d893b927ee6a3f9d833de1ddadfeadabcd4de5f2bbd64aad98f838288944a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.gws

Filesize
624B

MD5
62a95a98a94edf4ad7b9d0bcd0ff7259

SHA1
e83683f0f49b6b274aff6d73c1447daa937135b7

SHA256
99dbfd770693af4b6abad1d2ccbfb05b16df49a9f208d68f7ae7e1f6ecc88946

SHA512
9ea6c8452028ab929b2e614cd7bb48e70fd493a114065fdc8a9d5aca91c8f923bbd440765cc17f7ea346c627342b2fe411b4aa7f7aaa20bf26055641cce321ec

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.gws

Filesize
400B

MD5
62bc1d19fcda5c6662f9243c113ad342

SHA1
d07e29f8bc79b97b88348080ef97a46bd2cba354

SHA256
c6ebf7bae976762bea7d3bfcc0b5c4edb5cd3edf274aa769b571376816baf08d

SHA512
16b083eb6447db1f55ce978eb2e6e561e7fcf8b2ec6eddc13b2f77127961cdfdc7e057fe2deee9fd48ecaddc33e7fe3a8be5e2b923a0c8e8d6799cde885980f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.gws

Filesize
560B

MD5
0b321dd2b5189902c72e6bc9f52ebf6f

SHA1
35b51e0af30cbe53e3549052d72c0a0e53c7ed11

SHA256
914f07c24cd5d64559c04ea01bb1167ac6d676f002de57ea1c6bb74ed35e80f3

SHA512
f7bd79e2ebb0c75a89778a712d01c044e66e0cb1ef448e22357429d60f9b8a88d133fea275a4064c525dffc7f036d0fcf4e73d5a39e1bf91160f665b43833cf3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.gws

Filesize
400B

MD5
d8ba28a1a8f4e3d61ca028274823aed8

SHA1
5b89830cb539349de30354c7fc2c940f184fa24e

SHA256
f3f5d4df195d8aacd187e73c3462923d539de1aa2b340c76acc48285389ffc84

SHA512
26cdd584a2054209aa3c6632f0e13a838f99448c299ff1028b08392f817be2cb536c4b1383c6784e0072227ab9d67421ae42ee7f3aa2ffaf1f58b981387144b7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.gws

Filesize
560B

MD5
5cb13824a91c20fe5a896db95ad0db3d

SHA1
8308c3774c94c10697f97ebe1bbd69b89de6e03c

SHA256
61ba3593b4e99ca4264d61520af7043fd306d90789757dcb1cd13dc134ec419f

SHA512
8743927af311913a89a0247ec9e9b1ee2fb2dca43484ae7a12c5cc0bf36ffc953ee3189687e5dc915fcabb5744d5db31d58b1a09a028d61fe5f74767180dd89c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.gws

Filesize
400B

MD5
76a0cae76df925d676aa0a66edb49d41

SHA1
24f80cf554a6bf04cf122f363721ccd163665244

SHA256
3aeb5965e29e9c4b7c707f4df94314fc679d750d834e2668b755ffc4a0e534c0

SHA512
02a35bd3770d1b65eeb77ce37f313d454e4cc47273b69e8a5e5443c5ca10ab3f4e97188a99111b23a76c2eb9a0452f5cd0e86df99a093a7d89b0f5d0f940f122

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.gws

Filesize
560B

MD5
13236effc7ba5c135e80417317c47a24

SHA1
a3c54d456f6d895fc8cfa6701235b873aaeca845

SHA256
75ca63c5a1f618d7a6ce1adcb50515188e4be822189ffd7a8a7b776db4c6397f

SHA512
56fe2c7a78b79a07ca15ef791fcc6861eb0d47033740286786498705504f16a170a3be5154a43b2e603dc9b1700826588ef5e023a27be90d2d9b50832f91699a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.gws

Filesize
688B

MD5
48427442e0177f8cdaf8d1e9ddfb21f6

SHA1
78c02b52a6d0d668d2bfd1e8a479ff43e66c0713

SHA256
176f86db5673cdb183673e78653793af1cb9f045355f741d3ecaefc8e1a46425

SHA512
90ae974e8860fe20db37771a2e4cdbada4160bd759b0ebca058b5669e4299614487fc88acf2e46649590b857e8a47efe806f96e83c9e7b3ef66be730b017487e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.gws

Filesize
1KB

MD5
7e285d75b28652fdf6b881c072d6b89d

SHA1
fe9acebb06aeeb7e98d1974c4198df592104ac17

SHA256
1c5547c483a251bc3a89ab4cc3c9dba027e9d9372d5e8115a948015c4efac10c

SHA512
df5e1638d9acc9ca5cb125b067b35c6a73d0593de12bee5bf75eeb11242f6216ba5ad2e0601678ddd9d14231d4b7d2ccb2abef7b5a6c1c40f35515f13256f733

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.gws

Filesize
192B

MD5
e8562f0ca25ac1b165e9061176f3a9fd

SHA1
b4fcf4b0244720b5bd441c5e6b5fd9982d5cdb65

SHA256
2dad421ee2f1ae878de8e09287e1074a50ddd9143d86f04a1ec640bee5363e58

SHA512
1333ad5c91b27bbfa00199c16610be604c0600a3afa1babff8933e00e88d07c340dbdb1659144bd2ab1566afe33dfdbedede59b17121fb495abbe1a72c9d0ab5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.gws

Filesize
704B

MD5
5565bc8bc1ab266bb7d5eae4a73ceef4

SHA1
afafa00b294b5d77fc529b51661d0ded91ceba2f

SHA256
7468618a4d4263671c03e6517d492b7692d37664e5f3bb00feccd827d33bbb4e

SHA512
299e961e147a93636b8308c2b38f2f6ff87f98c70a906a74ec5726c6468528393c91ad465ffbf817b4f716908c4c60345f5e7464ceecdbe506b836d494b28024

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.gws

Filesize
8KB

MD5
bde7908ce88d492fb59d3c3bda22e4f2

SHA1
0b3712d8311402d90c716690696b311bcfbc8e03

SHA256
97521de7a9139433f8ee9ed7548fe1a37772ab983982c065bffb9d4b56064d9c

SHA512
9c2a455e544634a0a77ac55a5ac35e5fccc70092e5e813dafb8b88f5b6b00e2369a546a288616d5372e1a6a3face0e53d4ac80a462fa6f23ca282ad15999ddac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.gws

Filesize
19KB

MD5
011c5d91fb53cedaa1549c56cec838de

SHA1
36338d82eed00905ce689945fe8c8f04ccf437b0

SHA256
db7409ddb4e3d494a5885628cfa0ed5f827b0b591b527ba22d4da828d03bb3b0

SHA512
c9f4c26930df21497df3aff3bf8495989bb439e04c98e5ee9becd8107a6a498c1101016be13ffec7a1e4e41d7bd559cfb0fb83e23ac6132d6e27bd89b98cd5f3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.gws

Filesize
832B

MD5
5db32fe374f7ce1e7ff5bd66941f6694

SHA1
512353068c8ab1fbd99dc0b1344df2133ca4f064

SHA256
cb5ae253bd31d0bc80a494049627347dfae43be10f0ce03787d36d07b3a88b13

SHA512
532d788a2dd32e106aabd8104204972c1f60f1edbe8c74de3a7d219fc82d00bde43ea212e749eb858408db028c9387f6863c84e83b3245966ac6e35e52e82117

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.gws

Filesize
1KB

MD5
3b3f035afc1a1134b77e5440a3d90de4

SHA1
99695d2bd5e5b641325ea6d3fd8ed9607f0fe79a

SHA256
cf28f076254df0547a0c57f56720d7dd0a6777459245e9250e7f737b8b67566e

SHA512
6936e4edc53afe1c5c73cba5fc2c16ea53d611685b26beffa894c109085ac8b9468dd8cda647d655053402415bbf5a7fe8db76931100bd4e42aaa1cc46fbe273

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.gws

Filesize
1KB

MD5
aafaf4da622af921e65db18aff47b94e

SHA1
a2ddec0206196c9f10bee3c0e8cba2630986cfc7

SHA256
bfb856384d589ce55f860463d822e40ea9c09e1c26acd45473ef7b5abbdb6f72

SHA512
c3f3ceca051a3599168b6b65d7624fa6089a3aaaab097787754b40fd4fb11494c5b9663c84d2ca519856203bf045e08ff19f3237132a253451ae4df337a559be

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.gws

Filesize
2KB

MD5
47471ed13f58e0c7fd240c0b8a26db6f

SHA1
bfd84b3bf8078a1e4c11520f7de3b91bcaa30eec

SHA256
8c01439e436fbfdfc1ace7426dc41fd16107f41d788c41c22c1e87d51b89f6d5

SHA512
1456e7c0aed0c585786fedd961fb76c36f7614a661390e514c99106379ecc47c8504b603be33d66d4f7245e1f1786de4549f8000fb17fcea8227ecb262b63532

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.gws

Filesize
2KB

MD5
dc8504577cfd34a04d2330919131de61

SHA1
0fa4d4d0e17492a11a8fab720fcac79c95b9c7d1

SHA256
b91ec2edcdb6bf6f110b66667497fa2c1a4146014acbb8e148f0fc22bffa9f54

SHA512
59455d1d395c6b14c15a99256cd6931ed43d381f390769e6ccbbbf9d0579b1c7765b32645e4d8e642cff4f747c37581e5b59ce35c7d7d4e54942a02880be45a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.gws

Filesize
4KB

MD5
6e6016bc84deba55074da787c9d84427

SHA1
00954733451fba0c6214b7915d5463ee5c22be2c

SHA256
b674ac346d9812a166f1ece75744c02c1d9c77495413d75d15b3874f4a1a90ad

SHA512
0a15ac8a0b54a44b022c0a6e5e72bb75b38caa865987a0b903a874df2c05f3c5bbc0edfee46f642191a55de0c540eb52a23d9da1cf10e80069c6be242b13c3c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.gws

Filesize
304B

MD5
28acecd51ca758dfe88cd646b12e93fb

SHA1
95343fd5639cbc36e46781a58f5e81c43661fc9b

SHA256
9fca2c44154dcd3163f34f9e3cb65ce79eae9319fc027d022beabf075d1fd5f8

SHA512
a1803b49358c2547295782683c1cb4d5352d356cabf83857b0f86d7872a4403ad3bb1ee1d4584708336634a26e5252b38d446bbc78a4a351867228c4ef0acbf9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.gws

Filesize
400B

MD5
e38b4af75143cf8788410ccb04d5b729

SHA1
215bf41e75ff8afc7d48f2193e087b5bfe305411

SHA256
fa48c4dc49de8be4f7b935ae9ed31eacf07af890430a2598e13ac2dae5c06ae0

SHA512
ecdbd98f15f446c0e5cfa3c6718459c1df9b075c6f987ce278d0a17028e549096d7fad53bbf2da4e9c68750aec6be4c1229ceed6c281ce28d4c2c0ca0d393b6c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.gws

Filesize
1008B

MD5
e399a057a31531a39bd6a4ffedf4977a

SHA1
d0cb7011364cbece4d61f7a775a302d92569815f

SHA256
34acd0127e4229f709236a7f97641ec46f3984fa3b83adabb01534f5e9049366

SHA512
b0be132e28bdd45e9ab1150fe0551eff52f2315c353bce31afe89993212732c993f22887a50ef9b9c36f752ff488a594fba14489b070d03bd336d7b638376038

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.gws

Filesize
1KB

MD5
dc5f49c3c6ae80a8dd9d0543b7aecf6e

SHA1
fdd5d859c980dccf41a5af18b4761a585d5eecbb

SHA256
dc1945093eda6a7b0ddb12b22e0e1237c2f707a04370f52cf419bf648d1d98be

SHA512
2cc57851ca05f35d9073d1cf70622aea0f6b917321b7312d0fb670b48e9e04ba6d70d748e4ac132c9e80674047ab7ab9b1a8cd07d12d171041b4fdb015b5f537

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.gws

Filesize
2KB

MD5
300eee88fe682535cca98094250f4696

SHA1
8b545844de4afd84082da0615fc6647e7731ad9d

SHA256
1441606a323724753c6edfbda12eca06bb26042c1e2b9ad5bb1ed21b5246c29f

SHA512
307e1537429d85895d8d86e606ad227bc44d7d3f4742b36b66c9d97f4492c5a56d9e13eb1433d5f06a108160f4fa03b5db5a8a1231cc817e9c2af14faddcffc2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.gws

Filesize
848B

MD5
15bf1ecfe6789eaa851d0f1abb7398b0

SHA1
797715eafb8dfd2af57a9d078422525daaa83085

SHA256
6029aaed6b91cbb63ec0bed01bddd5288b53a1271bd3327c1005f96a62b9ee54

SHA512
0211838b895defa302aa206803e0df8811ea243053cd671129e5000d81de5700759f72c095a6f0e7bb09894a06b0e8f76df2214bd12d87190c14372148d41ccd

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.gws

Filesize
32KB

MD5
ad8a20c3354cc9e1e977e15465823344

SHA1
ebccef3db400c7cef2996b3657f349a381cd807a

SHA256
2602bd92230180ce6746824e1c0e2266b1ed1643e6cbed712e23af1c88f5b811

SHA512
950f82cc355f6bbf01e581af6627d3dab31cb893fb9a036e0a7c8d0c3f097ba47ceef5b12be915d7164b69c5b1f2e1c52dfd6bb1304ec8eee33dd6b28a9eb62c

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.gws

Filesize
160B

MD5
4624905679a8c26eb3cbcf0bea34785e

SHA1
341765659db6ac5dca240a2d559f9767b5ce1252

SHA256
799474c262c09de278cab1562154797551483d7e4cdfad242bdf51df82136e06

SHA512
25abe41f1b7e95c1371c59d15c27850a207a6221e77413ae3cef50b4c49cb98174f2c6da57f0be62658a545840ae5b55f80f2d24a54bc183babe408369cbc907

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
436KB

MD5
3bee1d24189d4941f68b96da6e207be4

SHA1
dce911b1c05da965c8733935723b88bc29d12756

SHA256
a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710

SHA512
a40b01c630ff2c4b90a2e1bbf285c5d558193ee0fba79a3210a56408087ca828292269945e3202f65b8eb038a565b1ea8a18d185864ba9dc4073a3633c86ca29

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.gws

Filesize
8KB

MD5
02bcd4ccce238299d4b7279fabe1078c

SHA1
f086725a337c62e4dff2bd0e33115ad58b7a7df0

SHA256
935fe7ef1e5df94a769e677657e9a910748eba742d0e8fab219ccad10d55d48b

SHA512
5b3b1a99b5e8693369e3ed8c4ed7c6f92ed5f470af6163dece4e5c150339efa5afcb1c4124237ba0d115fb0b0274834a9a7ecb5062caf6edc835a88a582ffa3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656242963023.txt.gws

Filesize
77KB

MD5
e3516b4b37b82cb55bf8d5dc2aaf33d0

SHA1
4cfbd835dbca0a9c276bde61bbf71ef5a6b0beeb

SHA256
b31aa9ce6e133ec87055ebe8f2083f4c1f9dec0358a946b9beb9b2de2b1dade5

SHA512
3831d7c8bbf899e98e986229235712ad77d8ca48d2dabb48093902f32b4335491f1401b58e58512fa657b491d6ee113e0b719e5cdc5e24cf325eef37ab1afd96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727657999741523.txt.gws

Filesize
47KB

MD5
5d6d7ed0f879148db5127a047098f1de

SHA1
89e08fb41d661f3c119eb091101b64f4d7753229

SHA256
0bfd2ba166cf60880a1501e176149a9e9e1ee1e9526bcf3a8553be647943c8be

SHA512
cf0dfdbbb1c4e159052994c4b8306020b68b84eb7b30e94501c0c98b2fdb3dae8f8ccb6b9c1115b26f7ea475a72b9bc0a34bd92665ac793055d04639d880e14f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664301340404.txt.gws

Filesize
65KB

MD5
1de71eab93a6e25a601dea5a4f0fd8ad

SHA1
d92322a61d8bebdb7270e39dc274c516eb911aeb

SHA256
de19656f40d03f6ac475d247e133110486216605ff88e7bbe59edc4e47608900

SHA512
dc189e5a0be596c42ea041ff937ccc56a79a6ed5bda180a85cae57286725a87e0113c36da06a247757f9ac50d0e4db1ea277271e256d9a15c3a9ed5151a9bc78

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727682254170760.txt.gws

Filesize
75KB

MD5
7216a1ae20fe964593431d5d5c527435

SHA1
0785340417bf5815ff18baac7765e197d40d9d96

SHA256
41ca636247aa5c5f5b0480cca29d805a75be51834f7b82a397dc0239215e9e21

SHA512
0ee7631d83cc0f093f067bfa3a4f9346f6dd6633ddee7cb945baec401edca795d2b814222f14aa49a75972a1c562baf0c9f8df89b4451d2db9892609bd0ea124

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C1D13415-A856-460D-8360-58125596388B} - OProcSessId.dat.gws

Filesize
16B

MD5
c3a747554556df614575dc417c3cf9d9

SHA1
2e71688b2013bc93b1c5c01e5fd902a32a62007e

SHA256
da1f992586145a03fec57464a38b8bb928cafd8fa9996386732e83a6de555ed7

SHA512
eb740b56bfc85d2c5be11af614cb413a0f0e055d6d2311d4790d86ad71c59a2ec4f13e09d04a180e3279c22ac320cfa38892bd0f6a5e8e04299ed64b2d514c2d

Download Submit
memory/2424-4236-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-19-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-22-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/2424-23-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-4235-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-4239-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-4234-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-20-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-21-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/2424-4240-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/4668-1-0x000000001BB00000-0x000000001BFCE000-memory.dmp

Filesize
4.8MB

Download
memory/4668-0-0x00007FFFE1035000-0x00007FFFE1036000-memory.dmp

Filesize
4KB

Download
memory/4668-2-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/4668-3-0x000000001BFD0000-0x000000001C06C000-memory.dmp

Filesize
624KB

Download
memory/4668-18-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download
memory/4668-14-0x00007FFFE0D80000-0x00007FFFE1721000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads