locky | bd9a3d09c31a034a9434a5f182624b70e418ed4421ee991069d3b47a156bd6ba

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe
Size

371KB
MD5

fbe08cc20207d5c4f61757484568b9b0
SHA1

6d8e0490a7cb768fa0895c5a907b0e0b722e1eb9
SHA256

bd9a3d09c31a034a9434a5f182624b70e418ed4421ee991069d3b47a156bd6ba
SHA512

30dd24627b78e5281d34fbc5ddd95adb6280515ca5c6479930552303e06af7f451b49e7f598966ae25a9ad1105f402c0e5ea440aa0e15561266d1baa548744cd
SSDEEP

6144:axXJ/Kda/zF8OgQaXhbD2ZuV6L3hXmUBpbrdmc/klwQBG1LznBHDTBrEpt4IQXZo:axXJ/6GFTlaXZ6L3IqJJmc/SwQg1LznU

Score

10^/10

locky locky_osiris defense_evasion discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DllHost.exeIEXPLORE.EXEcmd.exefbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\WallpaperStyle = "0"	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\TileWallpaper = "0"	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433673368"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000943ed99de7e73f39e73ff020e1eca385fb01acd3694d5c33b078c0eb586aeb36000000000e8000000002000020000000c673c1f7df08d393f0c8970edfdd3c9e418de01ef307ffa7004ae37a8af690de20000000c9b5e3b85b45a2237ced6f340a1febada9a5d437160feed991b576822f535c654000000002bbe879d20d5d8aff7952ad937cc895e61e7f5855a61824ba5fe45c97198d4ffcf0c4a2d13fb8d7d06ce41bfd50fb0c7c1de94df3308b80d6a738caca3c82b5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38DC9291-7D72-11EF-91DA-667598992E52} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a05d0d7f11db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000224f2ba436092e62e1cd36344ee6bac6da64b8735affb9d50b0b9db8e81b9971000000000e80000000020000200000003822f7d753cb2aa732e3059434635dd8afcf549e137d412ba20c1fe832791181900000006b1d20d4a09966b6c190c15f1e8b61f5ab551c35a65c141eac0138c218a323068974ea1fc032c612cf5bd941c95dff7c7e8147d0ac34097303e5cea44f5c7a7904099c10ba726f8c6abc5a335c7875a2ed611f47c9878d1b2ea0a43afe0b98d73f59a0ea036ff42cb33e8f9ba106c9a8dbe65ddc2f5ca157e7903931fce33f510bd3f6e5f965f2b7d413b08a62794d47400000008f49ceed7ffc0270618b698d47d00c50c898a5ef2135585aa4cd6b1c12028b865e3eb7c8c03aac6cfd7c0360d2f3257a4b95da63867d2e68adcad36f22fe6fd6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2196 iexplore.exe
1996 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2196 iexplore.exe
2196 iexplore.exe
2820 IEXPLORE.EXE
2820 IEXPLORE.EXE

pid	process
2196	iexplore.exe
1996	DllHost.exe

pid	process
2196	iexplore.exe
2196	iexplore.exe
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 1196 wrote to memory of 2196	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	iexplore.exe
PID 1196 wrote to memory of 2196	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	iexplore.exe
PID 1196 wrote to memory of 2196	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	iexplore.exe
PID 1196 wrote to memory of 2196	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	iexplore.exe
PID 2196 wrote to memory of 2820	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 2820	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 2820	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 2820	2196	iexplore.exe	IEXPLORE.EXE
PID 1196 wrote to memory of 2836	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	cmd.exe
PID 1196 wrote to memory of 2836	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	cmd.exe
PID 1196 wrote to memory of 2836	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	cmd.exe
PID 1196 wrote to memory of 2836	1196	fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\fbe08cc20207d5c4f61757484568b9b0_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSIRIS-b2b3.htm

Filesize
8KB

MD5
896f7903593aa2bf78e8804dba0b443c

SHA1
8c2e1d74c8d8ae829ac9d5e7b1fedee74392e510

SHA256
1a791c215673c3ea056d9e9cd5f78ce3407e3673d885264193795eaf91256e04

SHA512
e8fa34662c6d4548bd9bbd509cb1e3a67b54046100162c0a610d1352aaa2a8278f6bd933797518090081459fb4fb4ff169d09fe0d9b45e1c4c32490b0af67b36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fa2b2a1838fd6c8d8e3493f48f7954d

SHA1
b94bad63d99371bcf2dffd86ae4f43d22f1de66c

SHA256
7f100d6cc560236f9d937e8485d005e84a0d67455853935fefaf138c2c08189a

SHA512
a1b2665f56f2bf4bd4a3099bfc0d1f03980e07550cef3445d52dd5a5d6edf74ed6615cabc0e0fdae4ffdaf71b93b9ca9a960d2298538d7fba922ff9dc635b70c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8019a840f585b23239498b3d16f99c3

SHA1
3bcb59509419565a4763b800d160f28f83f9d507

SHA256
8e190671ed53e1c3c674a8ca856e113fd2197f73fee872860850996375363f14

SHA512
5b2337bb5e7c50a73d726c6e6ee792e3ce4c0f568a9c64ec107b1e5524feed5c768388972933fc4af89ce2839b796bfc303722485b303e6c7dea57981baee884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb6c2b2460b5c89153a431ff09a7639

SHA1
e4ace84cb09e8f5588c4dd4c280791312fa36eec

SHA256
ac6aafcf6de6051d44209fc034ebcf4160a7591009e301ed0417dbd86541afe4

SHA512
88f341fef0b49f04d55c34e26dba44ec4ed5bc43090e2437ad4278e0deb489bd00fae3fc96c406480f82448ad798277c27bd026becdb7cddf972932ebd45a11a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c48db5c5ec1a0cd725812d90551d2841

SHA1
d46193f73f013448abf0f5bb9752a8cf2377f463

SHA256
2e5c09959fe05bbdd24c2ee26fd58d5ee8d9e8fd28b364e2a3dedc2f73f8cfe4

SHA512
975d63382a225e2f027ffe88d3aa7145876572457b3ff343a6b332dedf8d0795e51f192f244ca43c244ece8b6c41c4f748d6e994b6c5503e8f9cb05d4fdaddb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfe0035fbcd235f648d80dd78a723b8a

SHA1
704fcea548e2f36d43d89c7b89fc4f2dd6170790

SHA256
93728c68a45797886b48dd2e24b67f40081a694cc508007b4d517a29fe2ce255

SHA512
e131e1d0ae27127f01055c35401a1519158d13f68612ad02f9bbec05d978606eff41511d21c7d589b4689b3d357bd306e23dc21c5a13ab0fb82a4dbb1c228ae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
542d85e86ed9b19dce4c8b3ec466c493

SHA1
084b7c773209e5004238da50e1685b076cf18225

SHA256
cbaa353705e2e6f1a3d9bc6b9c224704c43c5595094f552a95cb20577ac56afb

SHA512
497fd132cdc08c8fea6e78f2596f1a308e8b15b8ec470feed8b976ad79709540a6593ca5f3726c7c98f7b48a54848612646237e19500198a7bf3bbdb480a9bd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c67039dec815ee979bbc78528345c6ba

SHA1
9336e80442ad6a4d8c3416c425de4049265a65e9

SHA256
3a375393abbf78d367d237fda6ca5000dc19d7d36afccaf288d0534335da74cd

SHA512
7ef94b302b0cc9eccf2bfd0052c4c8a4700b989c303b12a6362c07ad3912ae83988593f7d2fbefe36b572a3f43899664097d240ff6402cf668611e272618cbaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04f9c1b6fa8feda9de77a5e1982c3b5f

SHA1
cbbcf0b675435c874d8afc565160d2e297b57d9a

SHA256
407ae2d7fecdbcc7536efe207fdb18406ff98e56f94f19ecc635eb423ae28f38

SHA512
cfbc12e96693845189b881b91370e3df9c8ddb6d4dcccd78611547d299c3d9556c9c8f59a9c9d09de9efeaaef85f080331f968c00f41e06ac62acc9d908a942e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ace4daf81d5f7b5a336a3bf3350b9c0b

SHA1
ea435bbd128d24e49e52da58c27c52f9f81d975f

SHA256
8ea96ff3245f1e407492a602f1b5ce0871d043165f7336365531bf1af3abde1d

SHA512
641b12d0703e4a7e4df9880baf1b495a70649da582ef4ba4e93ce8e1df014cfcf4f3c7ba984f2fafb941235b3809e63eee07ac810d9f0e530d5e0f648a2e0be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
379c2b5d77edeba357df7224c937929e

SHA1
fa2a5b5660eba33a4e6216f9226262557a4819cc

SHA256
fb999da399e071cac0ea4b9ce81d53ad8a14d3514f65200c32b79c593fc2cd22

SHA512
87b92e2278b3b48dd36b3389b75fa23863cc2dabae0c38316be76c0bd37a19cd8e648e023ec995060fe78f6b7e8b3d7190035dd0f79b33344c834f0874d512cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb4daea03d3b7943726a41e1d076d1ee

SHA1
96405ba0bbb5c623542ba765428331be8a48ef97

SHA256
1cf60db3b28f90ab018b7ef9418d0d7a97e17c5bf8e25a1245fb8f7aa76d0120

SHA512
fa88c4aaf2205b98d61c0cd45726175e2b158d46e30f221766092ffe63bb818d6fb7f3541fef5efe06bf647607ba6ce3ad655119b365d3f7f50cf4a7ceff71f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
590d35feb1d06ffc6efcbd2f25d8f860

SHA1
e99e89e3d49c49bfd7d680d9bda0c848a6eaf527

SHA256
92850d0a48f7c686c38b6cfd4ff4958e85c3d8614d783b55b7a20fa55e6df45f

SHA512
0d3b79cebcf7f70d5c2a55cfcd9dedc6b200c8f4e025be34144bfb559629f6fc86024fce1ac4d052538e6d34965615f43551c5da0b1e0bc773ef8a2731b12dc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
648e3d0ebdf6b95f67749cfa95b9b254

SHA1
69eba2b2279e44a3a4ca45588004ada75928915a

SHA256
ba701dcbc8bd3b1a31601c1e9466bc9f51b6c5a77c4bfddf915ac7ecab53944d

SHA512
ce2cab10df2f2dac4ab0f8112b6da7afcd4dd412a24c11f1c384ec9c78290c3db4dca5b87bd824b1877300e5e538611f44e0e64cf7f1eb0ca0a9bc7729ffdbbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b618498f088dd071b522d3be2c5b9f2

SHA1
5adc6adda4491b7a0bdc3f09d8dd65389ae4da5f

SHA256
e1ce5bae1761011aababe9f6d087ee333aa9ca4dc3f64da386f9f18c726f0b5a

SHA512
3be587d3ceebbfee27c8390ff4024034fbdfec9fa3f5924833efb1e7f6c4e982f2f8f8c84b3523bd1541df0581b394e22514489e70900c7ee4f796ebfb924d26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e76b108d9b6e20a22288731572521ff

SHA1
e40ce08439d7c3d122c1944808ab8f059dce4709

SHA256
9ee3b8229455fc335f506e860deffb070ab6e386573faf7333db28ffac32d029

SHA512
e7332411a3625d4947b0c8de8dd9e7b318c71c734336dc6f9f7711531182ac30095dace792ebe9c9e2ed57d59f9ab637ed074e3590d057773baeb3cdfe9ac985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95157d3379841539369d2d9a62bdc118

SHA1
0eb66b9515a06ec906dcb3011ba566a831706fef

SHA256
eb02a9d088204f29dedc9237651ba8b30fef5d9b7ac543f8f50a481d899e54ee

SHA512
551f126d5405dabf3eda3744d4a53c84eda560bdcdaa8ceeed4e01787b471d3e1abefc958ea596728707f48f30c52b55da2823483ccbb54292e897e9069f0017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e026285480acd876272cde06f4f965e

SHA1
0d9755bf895d96a675184f198432be926aa2520a

SHA256
71dbcc2cebead3d736b7a9ae6bbb41ed2e5af78844656dbac7933e0d9eb4c6d1

SHA512
b854aee37494d64fbe88f68abd18e7fe3f5f630b1bc275d1ecdf4d533040e06db2a11386f4bd05c71ab66524ed8cba0fb41c199d44556dfc6e7ef349bb843954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84e48506da065ed75e7aedbc8ac488f9

SHA1
5f2496bf80900f707482e9133d5f94f3ddd0a0b9

SHA256
af899121771b570e75ff6fceab5746e590bd9eee286fc9e34c977853509b6b2c

SHA512
ca3ff0b84c71c4d76f2614f0fff8fe8796fe6ccac65dc9514a40edf7a2ca01b6701f654985be9c14d5c63431e4dd0d05a612a08fd6d887f3b7e82b638bc12f1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b67bfc3ba2bcfccf56c745acbdbfe40f

SHA1
bb7fb0d7dc792a09596d43a400108771e55765cd

SHA256
b5f3e96da5df4e8f47bc000395ffdfa04cc93323aa7af40d907b7d6772fce15c

SHA512
ec9480561122c163f305eec56196ab6ac0c93ed55df82e075a9c5f9a5d953c05d84ea1591700dd8c8314eee182b74fcac48c6bab91ad145df53de69e66fdac63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF173.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF222.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp

Filesize
3.5MB

MD5
d2e4b8f28ae74598d63da560f62cf099

SHA1
5d8f8e63fd17b0dc33a60ffaac8f3f5de134cb3b

SHA256
b6df7e21d54b8b188da12668537011cd5c334b70c91457ef57d855277577084c

SHA512
aeadc6e0be0e7d812ebb3ee9981639f1bf36f13364c3e8f3f1ed03f9493530df6fe5fb0b82a93dccbb4350781716833352e184fc57543d72ac0efb68107e7e0e

Download Submit
memory/1196-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1196-9-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1196-337-0x00000000049D0000-0x00000000049D2000-memory.dmp

Filesize
8KB

Download
memory/1196-332-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1196-188-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1196-12-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1196-14-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1196-13-0x0000000001DA0000-0x0000000001DC7000-memory.dmp

Filesize
156KB

Download
memory/1196-0-0x0000000002580000-0x0000000002618000-memory.dmp

Filesize
608KB

Download
memory/1196-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1196-8-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000002580000-0x0000000002618000-memory.dmp

Filesize
608KB

Download
memory/1196-6-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1196-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1196-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1196-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1196-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1996-338-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download