locky | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f

Analysis

max time kernel
119s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe
Size

329KB
MD5

b99c2748e46c0f8ed8da08fd933e0d9f
SHA1

b86e4150446e189259db650270edcc02296b4ca5
SHA256

f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f
SHA512

da239c429c2bc7e24f1a4ad1420d501a29e7abde4b89e474f290b4678d10a571c84b2cddb6994104ec2dc80d260122f3f8289e9113b2d0b54c483f249207167f
SSDEEP

3072:OODJbBMEjlrdbFDh2vR5w5HaP6yTEu2edjl5m5ejROBFNI4z8l+xL07HnkuTSG1L:JhF9h2f46P6yIu2hUROX4IAHDO9fs7

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe

description ioc process

File opened (read-only) \??\F: b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\F:	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "0"	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\TileWallpaper = "0"	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04de4bbebc0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7719831-2CDE-11EF-8A73-D2C28B9FE739} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424814002"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008f34f3471c0b7347b06664cdfd53c3a90000000002000000000010660000000100002000000092ff71b0032476636c936c3e69adbe45eb71e5dbf3dbdf3631e6e1b033a2301f000000000e8000000002000020000000bd100618c40ff3b1dff11ae4cd0dcd7f3ade0b02c9e01734636ebae3bdf8a3bb20000000128f0380dfa011335e7d371fcbcf8756a9b962241d0959b5d903a483fa2305f740000000fe4ecc1c084b575d691d3c4045b7e2c30d8ca458a2fe534905fe1497fced56a004474cb4f6aac1c0a4e45e77100c33022e756c324952a6df631b96141521c264	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008f34f3471c0b7347b06664cdfd53c3a9000000000200000000001066000000010000200000000733406a34d57c0ce8eb8744d17aade104563fa76438179ad265277f2d1d902d000000000e80000000020000200000000d82bc2ad32d63f692e9ced6f90186fc56ab2e6eb8658aa4ab07a6537fff743890000000784b3c0c71021aaf4b3d9956b357cea33f62540cc3a5da7b5c8835993caec1bc1510309c9cac3ad01ca24fcf0a29f47ba7a9f31429e7ecb4644c1bf68f99a5c91ba631dd2bde456a70953a9cea55f2007527d5a0e84cec4be969ae7d2fcb3422be753328731f2a2788718e312b75feab35261afc4b65584173581553b89a1b82135dab89d8417202f6cac542ef655c6f40000000939d63c8732307ad20d2c95e83c3ba875b166df3b5434ca7f2dd98acc01357fbb67f415904bd136002a18c82bab5c71b8cce3cdcde5767ffd470262f657e0b44	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

3004 iexplore.exe
2208 DllHost.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exeiexplore.exe

pid process

2740 b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe
3004 iexplore.exe
3004 iexplore.exe

pid	process
3004	iexplore.exe
2208	DllHost.exe

pid	process
2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe
3004	iexplore.exe
3004	iexplore.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 2740 wrote to memory of 3004	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	iexplore.exe
PID 2740 wrote to memory of 3004	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	iexplore.exe
PID 2740 wrote to memory of 3004	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	iexplore.exe
PID 2740 wrote to memory of 3004	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	iexplore.exe
PID 3004 wrote to memory of 2228	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 2228	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 2228	3004	iexplore.exe	IEXPLORE.EXE
PID 3004 wrote to memory of 2228	3004	iexplore.exe	IEXPLORE.EXE
PID 2740 wrote to memory of 2668	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	cmd.exe
PID 2740 wrote to memory of 2668	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	cmd.exe
PID 2740 wrote to memory of 2668	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	cmd.exe
PID 2740 wrote to memory of 2668	2740	b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\b99c2748e46c0f8ed8da08fd933e0d9f_JaffaCakes118.exe"
2⤵
PID:2668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\OSIRIS-4c2e.htm
Filesize
8KB

MD5
3426045425373b62b0dc3d294da65c93

SHA1
3524448aec5965603a64be9bf97d2d652c14002f

SHA256
44028e843befd7ca427c5d29be53f10c7c4c0312580cda1e33766bd672511baa

SHA512
cc6e7edb87d1d6549edaeca64b9a20ddc9722316f9f2eaa7787acf77e8f3ebb32b6159ef3367e4d35ada2604eadda56e90f896cc92f1f7426fbe96831565990d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
ca1ee48a78f2b8e02d6da144a88c7f49

SHA1
9e12bcfdb7891587b42226c060c0f9808c7cfcba

SHA256
46804ae8b16457e41fd57c341f7a9045af0ef538cff851de087089787f20401c

SHA512
d624189d62069d9e313a92517353a0fee688f012a376749135fa61d69c2edc1f3338e04e6ca630aab28c36fb6ea1e43cc5a6d53867674eccdbafc90f0b6072d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7977b4dff26de4c9f8c0a7713e59df1d

SHA1
51f16097aa73cad07e36e0c74495cf2cc4d4606a

SHA256
b21ad06111ee0ba501c30af7d24d48a3938ec1df1f12382eca823439ccd876ac

SHA512
78cea1faf7e34048478275e1618c332b1b310fb41ace8d6f9b13ee48b2bec4ec2156c324925961a9caee9ed029e40308a4e08e6a7ab2f80bdcbcb838771efeb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9b22ff2bc67cb4af64bed8a4552836ea

SHA1
80b76d06ca0dfbd61597f4be67f3c1ba5db1bdda

SHA256
5e5ec135e678d453742597433f1713b609082993e4e08f3a590510a2bb7826fc

SHA512
562a0b3a61ed1214c5cb9cf83676254c752c2fe60aa888285da11467efbdc39d9be84093880d276743ce15f6726bd63d91a23d3201b4936a5a51e6b22658bab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c47436a9ab208e3f113c6eb1c03a1dc1

SHA1
10fe06502dd715256df2f1165cdbba6e9c4fdfe4

SHA256
74d2d78d98c5e94c25b4b0c56fdc29f246833d9bc87ceecad9079e542ed732ba

SHA512
92aaac6fd92bd79f9a2137b0562ee9b328fc099a5fe9bae88daac6f4b065ab870aef5ca65bd638508cb7fefe00285f01a407bc9394f524902174dc9c654c04f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
384e534e354dae2206453e1b72ef0b9a

SHA1
aac7546398cefdb175c6ae90123a2f85e1328b31

SHA256
ce1d52a97bf59c7046f409221280a9f8e39234063dc8dc322bc1a706088e20cc

SHA512
25dfae8fba1ff72199e80e7cbde3a1dae627d4f0776801d417eb07759a8d0970ab935e68907ca76e0c8f0f1c6045cf76812fbd4b3fa71c504d00be4d0cc2c16f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fc081ec315a12288b097df174c56b3ae

SHA1
a6b1e648e41cd7ed61b3cac5ef98eaa4ae2bc134

SHA256
5905f080bb34dc84ce00bc486895c357cfba09c170bee5602773ce885c144c24

SHA512
5d47be12906ef418ae09ddaedadeca1517522712213d7e6bc269395a0db1baacc7a8f95f8418b0a576a1d1220b6ef88fdd4ddeac2ff9682cc7cb45521a795e3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2a182fe2fce63834f01baae7b0b83a03

SHA1
e6f8aad704b3d884c03f73297e35e4b1ce5b45d9

SHA256
7619eaf5422b836c805c5a980426e8f997712744f11d770f8a867a035048b201

SHA512
289bf8e06ca85c4ccd051920c5bc3268f9baa9760cb9a5613c2bcad8d04ab90129c196cb2c5da92a23454e3bd201e5b6fc60b76758b03a1f7f8abd878c8bbe9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5bd81de6d577ef11c4c5c7991f910e8c

SHA1
aa9faafed3bc44ad1c9d590f20c4a74ea42995a9

SHA256
72d9296bbc6442cad36c2ba72d9ac5852110acbb132f9c6e952813205b5b295b

SHA512
113d28d21c663e513004f626fd7ab5c56bb9952d6f10b011a43ed676807708fb44716271fbd8fa50b6788d7ce04e4c5537e5dac1c93c7f3047a270687338fc2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
869b6733ab0f3dd871c0d127b595b49b

SHA1
6ec6755573848aadb1fd49eceb6b8c2b6def7954

SHA256
7d910e4c246180dd07153c57c6c7fdbd4677127b5a99fd61bef76fe8170b4c24

SHA512
332ff26b2b3ac4503f4ec2d84ae7690d46f0a45567c04f18b001482887369b83ec736da16c8889729e88c0435aad00538ca25d704c13109a666fbd07c1064ed9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
76c3af356096c315eb8e4df8428aa89e

SHA1
d4810c69f20aab950359455d074782b70e065e86

SHA256
3af27aac62ff7d199a40b5c4cc2732d95870db16a11c536c5cbca2f3d4d8c9c4

SHA512
3a53a143d43f84816bead1a73ff6add265aeef39c67eedb0a9a78ee6b9fbef5c82fe9f3fc26f06f98f9745bd56b3757db97698463dd3d86fefca29927c49aecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b1ac4e59a263f49aa7d5c6b24adce6b4

SHA1
27b4f2bebabb3ea5f92d2fabc9c2954e506bae56

SHA256
d58fa62840ae971a49e0d28685e5635125a080a3b3f0a590607cfbcd82983049

SHA512
956e357f87e1b3a2238b84278eb7a7ec67eb2d93d1adfff24db01bb373c807bdb049a41257447df27ec3257286ec6452fc823f3f4b353a6ec66f29dcfc2dabd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0a3294c0649644394a80908841b382c1

SHA1
d6d9e08a22129f125e2683ffa15cd9fea4b93b62

SHA256
a0c911b9b6d14694d38eccb4f3011553743fba4f437b1d08a669a389d1cc44cd

SHA512
6e3e29829f626431516d64a7b2719eb41cad473c497bcff98e53c2e2c61b7efcadd2dedd9761049ecd89109241b6ae6faec204df81f5f82f2f849827696e462f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
71962655d06a1100a2d5db58ad7b8312

SHA1
47555ed6222a0ea9946f22b1661abbe6a901b8fa

SHA256
4b61f03383724c18a946bca7170d8b08799c9580fdbb679bc7318e4110eb7839

SHA512
9efeae5a56952258bcf70f09a3ee719c7e6308d16da036fd2ebdb2b213d50cdc1b0e498a6434121f85e6e6e1ee7ac3e6df0244c69bde0c6d6d354fd36bbb67b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1c485790e97b748e0dda525774b12582

SHA1
fc9dda4fd04b98364f4d0be9e7415657f1748c10

SHA256
4a38d565f8376b502462768fbebacfee04928a981777f347651a703d60d0c087

SHA512
d969515a82c413b8e6065bae4a8c0f11f509e5101b170400b899c3b50fa01b0eb80151bf5499cf880a38489ae3fff8b5fd9212274d830ca649056d32e7233c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0d5eeecf64103676921e65add82a4d1d

SHA1
f7dad129f06034e3ef04ed6c914e7b7ec107513d

SHA256
bd640f265876326b6284acb8bfb31d7bc458f7d91c07b6f2774f417d4642a801

SHA512
452dcbf6476449e5298dd7d2178d66a7675fae98bb6081c82072578e9db6e4de793269d150bca436ac3aa62d8d6c40806db9b5aa3a920c2fd86ae69e599aed29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
05861be86e766277c4dff3e4b36feb23

SHA1
cab2c5a6dd556c2726ad6a413ab3ea5fbb003b4b

SHA256
2f64a380d7ffd33c29f59e6b3dac561cbd9e39b30f99172224fd9e20331047cd

SHA512
9ecd90b1b09539d1e6aa99201289239cd511185fa1839111cb0aec00beb8792ad3d658dff322b50db64e7e0b56554feaca77667351ea02129d11826212b9be8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0ed6f3da008da37dce6a81a972f68956

SHA1
0c43c7970cd54e59bddc656b8926116861957f5c

SHA256
d5b4b524d3b79daa1fcf09ef376050d5052d5d6948016bcdc85d32a796deb29f

SHA512
9a10ed3ac49b6d5b1d3c7695625afe83ca559e0dd510fd811c2cb1585757776037bd98e90c5daa060738e7737e2cdcd5e9cae0200e05638bd7fd078f771095bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cfa79b1752abecb13425bcee68626b8c

SHA1
b8062aee5a5f6c9f5be0252bcd19eba0a5bbe88d

SHA256
b4f6c725a785648c4e5c117827871992b1eef032985dab2a65707c46af941c9b

SHA512
4d9b99bf32a32c405fc9a883ebf3c58c957f5f25b50bd4c7c90b557886b97a434e1a16d47a5f49f4783cd02c8027cad5d7b55e46b6af56cfbfba3d9cc3bd0622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
145e61a6d37db55b0d6fde1757490e3d

SHA1
0c29202ee70ca95c284b689287ff31bf5b73b527

SHA256
e7779c2e3c00151dabdbe01aa7f6c31627411f1c7b5496c3ffc60058dc24a1ca

SHA512
0145ff89a46b319a95cd869efecb6c974153bc4091d7315d4450db184f7aa11098631ec38f1b8e0e86e8e4a6d9410684071ddcc9a3ba84e4027ee2ca723e337c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b66263a7fa3f99b34b55dcf2569c3c41

SHA1
fcc9a699cc4469bfda3f257608973d02ded14955

SHA256
ff087490b350b829dd3a05becc90d2de8f1215a4bb5f51f4ab40580392f00f23

SHA512
ea1c74032c9a7eb000f01f588933f3662eb4114ff50e9638c3ed3706346d8419cbcfc31d4401334aea93fe1e262603a44927ecf557f14ce0843e7cad8ba76cb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
a5288d52b1b9e4398b091af527e78bb6

SHA1
3e7eca6008a9a27521ecaef1c55250b28383f57c

SHA256
4bcde66fd41bf2f8f3135213f19576616d1e5df3d44d89c115388378805f5fcc

SHA512
f7f21819f212e115d735cd87a4512337c3d1a193c1ae389b17addde0dfc4bd69a90b8dc06659ff9a4872c5a133abb0f9ade751a75144f8c6a6025339790ae7d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4550.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp
Filesize
3.7MB

MD5
05cd6ca7cdfacfbce77e7390181f1035

SHA1
e2222a835b6d6f3eb5302d8eb89b106682c06b08

SHA256
45ad1320962d4d1cf0446c3305e385b1c78b7c9363328ddcd44c5d23da3e9a60

SHA512
72d98cfe1f1ec8974051161dcada6616b16644f6468f7b363db9a250517071cf372f7a8b002e107ba1aae71487ca279900596098c62615b545f06fe46b0492e4

Download Submit
memory/2208-320-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2740-314-0x0000000002860000-0x0000000002887000-memory.dmp

Filesize
156KB

Download
memory/2740-0-0x0000000002890000-0x0000000002927000-memory.dmp

Filesize
604KB

Download
memory/2740-319-0x0000000003B90000-0x0000000003B92000-memory.dmp

Filesize
8KB

Download
memory/2740-322-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2740-9-0x0000000002860000-0x0000000002887000-memory.dmp

Filesize
156KB

Download
memory/2740-10-0x0000000002860000-0x0000000002887000-memory.dmp

Filesize
156KB

Download
memory/2740-8-0x0000000002860000-0x0000000002887000-memory.dmp

Filesize
156KB

Download
memory/2740-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2740-4-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2740-3-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2740-2-0x0000000002890000-0x0000000002927000-memory.dmp

Filesize
604KB

Download
memory/2740-1-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download