locky | f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

V7bTrYJ4lbO6OS.dll
Size

159KB
MD5

7932ee5fa6f83b149569752c47e04b87
SHA1

6eb115feadc5808507fb5a666dd18aa89a45616c
SHA256

f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b
SHA512

17ba26e69f7536f5adaa52454fbd407338be61d97bc396baa591de9fa19aab3e539b4ca32059b2ddb1b901ac7ecd341dff9ead706fc0d058086e6b3795642f58
SSDEEP

3072:pusrpo1j49JvKa0ePbh37E6ZO78buZKxrF:ZQcvKpE37E6nmKhF

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

15 2472 rundll32.exe
25 2472 rundll32.exe
36 2472 rundll32.exe
37 2472 rundll32.exe
42 2472 rundll32.exe
45 2472 rundll32.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

rundll32.exe

description ioc process

File opened for modification \??\c:\Users\Admin\Pictures\RenameExpand.tiff rundll32.exe

flow	pid	process
15	2472	rundll32.exe
25	2472	rundll32.exe
36	2472	rundll32.exe
37	2472	rundll32.exe
42	2472	rundll32.exe
45	2472	rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\RenameExpand.tiff	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\TileWallpaper = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\WallpaperStyle = "0"	rundll32.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

1040 msedge.exe
1040 msedge.exe
2284 msedge.exe
2284 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2284 msedge.exe
2284 msedge.exe
2284 msedge.exe
2284 msedge.exe
2284 msedge.exe
2284 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

2284 msedge.exe
2284 msedge.exe
2284 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
1040	msedge.exe
1040	msedge.exe
2284	msedge.exe
2284	msedge.exe

pid	process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

pid	process
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemsedge.exe

description	pid	process	target process
PID 1796 wrote to memory of 2472	1796	rundll32.exe	rundll32.exe
PID 1796 wrote to memory of 2472	1796	rundll32.exe	rundll32.exe
PID 1796 wrote to memory of 2472	1796	rundll32.exe	rundll32.exe
PID 2472 wrote to memory of 2284	2472	rundll32.exe	msedge.exe
PID 2472 wrote to memory of 2284	2472	rundll32.exe	msedge.exe
PID 2284 wrote to memory of 3016	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 3016	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4612	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 1040	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 1040	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe
PID 2284 wrote to memory of 4760	2284	msedge.exe	msedge.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\V7bTrYJ4lbO6OS.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\V7bTrYJ4lbO6OS.dll,#1
2⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\DesktopOSIRIS.htm
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffded4046f8,0x7ffded404708,0x7ffded404718
4⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
4⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
4⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
4⤵
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
4⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
4⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
4⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
4⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,282554306455358889,4114493695295343107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
4⤵
PID:4744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
63e345650c41e7d18589e78bb7167d11

SHA1
1b9b15ca347a4b4d4712d55da419ff2254241193

SHA256
b60552ef0b8bb6c0c733cc73a53370fb422a2a1ac3d6fddbb0b086494bb1a67f

SHA512
d1a0a62a788ca44a7de6d483fc85623702bed81474cca86a8ab45fbe7b0012ecf4be719d0ca864f9af265a01e2cb3b042bf60b5169eede14665743388a89ef68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
51220d4ed2c7bb022eab190686da7c31

SHA1
83e08d52d5ca1ef3a722887edac7f9da353d4ad6

SHA256
2a03fc3c72d3a4bb627451dccbfcbd89215da60e380f52952ac1ac71476ffa60

SHA512
058fba9c741b5bafa9a7d558dc50300c670c7bff42248298fa52db660a000addb056178c1e5de3ebbb8c04800db65a78f4a98860dac0babea0f02398aeb199c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
99bb6d1edb0592a67d6f0ea8993fbeae

SHA1
64b02b362ab3183c7efaa11e95b3e54a65a5c61f

SHA256
918fceaea96bda5f081c5d79e5e05f040fbdc1a9b454c657550ef1036a0ff981

SHA512
4419c01145f0a415acf6a3c6bb686a51876b9e36d19cabc3cef10c22d49fc1ce5cdf87c3b761a451c3757b4f499e7cf1f9707cb8b648d870aa9661eb5dda9c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
8c58382f2fc57190e43ff4824a2f15ad

SHA1
9ecf189d2cfe4c57d63ed4048a9f84698514e54c

SHA256
397d614fa9c98209ad6f2bd1fbc0e7b8886ee89660111647d1fd890d645d73ef

SHA512
af2b7d8dad8e81d4eb2351f72b326c488e77bd889a62a567f46a64ca112cd3e3ca41bd05f4cb0ee005aab984c5ce6a3bbb351bcc62aec6076af4d2c8e32a1672

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
8a1aa671dcdfc2db64891c5fe4e52bb8

SHA1
1a9e967d0f2a9ada2d2842ab881c490d098e2a9f

SHA256
1d69d624ccb4b5c39b87625515484c70e9040d7a4282eeffaa0a157a3c3cb689

SHA512
0f608ae926031ae81800598a4e38f1a97a6ba90633ee67b27bad9e75ba02992bd4e723d56ec4d9cb072c39220451d6b8345ff576b0860dea4e9c9ca17d5312b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
a6a131e16d83bf6d4349f5340b9bc6a4

SHA1
41d4936ca6fa012df24c7ed9d8657a3cf84ce4cb

SHA256
917bc41bcafc74fc5f768671752af890192c4b634379ce6bd2a3046243a53702

SHA512
ca051c541b157c2708ef75a8b6fca05a55d14a2873ed9cc33d8c978ef66f56de0dd416475eb15289cb57382946f7a56867b446b6414bb492a528b67635c683c7

Download Submit
C:\Users\Admin\DesktopOSIRIS.htm
Filesize
8KB

MD5
71ef5b234b6290dda4f28901eeadd211

SHA1
bb579fdcaa3f268a014652dd3f6f11305b3e1bd6

SHA256
980e75a87ae5e391711c0ed98c43c3fbbe88a7f37b477f426e690d018e2dcdb5

SHA512
6e163cb236b4fb3e911fd54ea470c3425424a0631cd546b20c537040591f8f1b9b72cf47ec1ef7994eafa89f4d5fde744302ced8d1363f6552f4d35b21273c08

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\OSIRIS-87df.htm
Filesize
8KB

MD5
71ef5b234b6290dda4f28901eeadd211

SHA1
bb579fdcaa3f268a014652dd3f6f11305b3e1bd6

SHA256
980e75a87ae5e391711c0ed98c43c3fbbe88a7f37b477f426e690d018e2dcdb5

SHA512
6e163cb236b4fb3e911fd54ea470c3425424a0631cd546b20c537040591f8f1b9b72cf47ec1ef7994eafa89f4d5fde744302ced8d1363f6552f4d35b21273c08

Download Submit
memory/2472-144-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-139-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-137-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-133-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-141-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-136-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/2472-146-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-432-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-149-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download
memory/2472-135-0x0000000074B10000-0x0000000074B42000-memory.dmp

Filesize
200KB

Download