locky | b65f63f75a0b88ac2fb0612cf8e2298447e2080b67a2d016b5e6e50c61f1d517

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe
Size

313KB
MD5

8ab71e1a19ad7cb1e79fb8b1bc3cab97
SHA1

711473b4cfa62d4d0243c598ef47ce4c481c274d
SHA256

b65f63f75a0b88ac2fb0612cf8e2298447e2080b67a2d016b5e6e50c61f1d517
SHA512

5cda8dd5de270e3400f21e903b4031d33bcc095b7ace742b7b48cb183692986968022e9cd32463f2390b10c6facca9ae74d16b965b28741a7933930ca343cafb
SSDEEP

6144:N7S6tMIBchObFAYh3qqMx9HELXNKQ5m6Rvx:N7SqMIBIIFzQqVbNK9ovx

Score

10^/10

locky locky_osiris defense_evasion discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Locky family
locky
Locky_osiris family
locky_osiris

Deletes itself 1 IoCs

pid	Process
2232	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "0"	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\TileWallpaper = "0"	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000008935c2b9c2f7970cf8084f40517ece90a3cf052b80db3474dc6ba7a928da41fd000000000e8000000002000020000000311f3d68bb5cae479f23a729560acbff3d840c474fb761b9542527673337564e9000000002652dbe0ac79ba4cccdd45726cfa9edeb35eb34d997895b667b9f49dfd7cc1f311ad5e98da4f7a33ff4cf5c352836ce5e3b9262c037807fbd50ebaba48f231b6933900e6563ad877567bc97a4080e24e7800a0b06dfc53a0703106fca0e9282bd8dd0c9534949373b0490f27278f3c68a286fb6a7cf359f68151a646cfd5a2a89ba204686f1430a99ea7cc359e77d1940000000f23f79b9b8fa77a3c0ad590c57ea4b952b1c120533aa2eacee00cd225c9df68fe67c8371cd5986fda7117f7241d5c620e0ca59cf0f356ea1512904e1edaf27dc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1010ab4ed12ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79ABD1F1-99C4-11EF-8B1E-52DE62627832} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436787331"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000273c8cd64256db734f6e537aea0e8e7edf1f231d471a464911ad9484a2c07eee000000000e8000000002000020000000e1a208d66ed10191a6c693ccc93c39d9f09ccde204a609765000cc61c40fd25f200000005a03564c8d1ee632351873bfb5df2f2cf2f0c187909746706c795d3598c35bbc40000000b5b168f23a40f0375b5295758015ebb9d88ff79d7c61947ea8487bcf4b0a93ad221576aade66d7430d7f30ae70c981a8eca9de1b03d31a03ec86a969b69564e9	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe
2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
436	iexplore.exe
1324	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
436	iexplore.exe
436	iexplore.exe
896	IEXPLORE.EXE
896	IEXPLORE.EXE
1324	DllHost.exe
1324	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 436	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	31
PID 2884 wrote to memory of 436	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	31
PID 2884 wrote to memory of 436	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	31
PID 2884 wrote to memory of 436	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	31
PID 436 wrote to memory of 896	436	iexplore.exe	33
PID 436 wrote to memory of 896	436	iexplore.exe	33
PID 436 wrote to memory of 896	436	iexplore.exe	33
PID 436 wrote to memory of 896	436	iexplore.exe	33
PID 2884 wrote to memory of 2232	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2232	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2232	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	34
PID 2884 wrote to memory of 2232	2884	8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\8ab71e1a19ad7cb1e79fb8b1bc3cab97_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2232

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSIRIS-168e.htm

Filesize
8KB

MD5
500fbd48418c86a7e25cf936d1a9e5dc

SHA1
99feed896e073b4f6720cda345152e587e39cb23

SHA256
3a9c71560c3f8e124a6d6a4052229264fd1baed30c49da89990d7ca4c3364141

SHA512
35513c0c8c0958a67fa1dc3609dfc070021e9ee23555358020166a6910c09f7cddba579e55ebfe370979fb37fb7c343c1349ebcb20e6f758731f2b7a0fb9a103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae8fa514b141ce7d35bb6868c74c2dbf

SHA1
ea26ccba4d76e13c2e604e704868e74e9f4180c9

SHA256
2fade8e5e10b7d1b670492a32fa04de83aca48c9bb7c2316eae0a43bbd4391ff

SHA512
0d8175a738678117e1191cbca90d0e2f62988e1d22b8d7789c5cc9c046bd15f8a3b39059de4f2b669b4d4209c6d29201445d5d6a60941fceb062cf8de22210b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2041e04852c83494bacfe13b4724665a

SHA1
07ace05e29ca79c3ecf60a0910b5dc3457b2a5e1

SHA256
a3aba93e408e2fc855b2f4093f685c3c2040c6583bd6aca5fa4fa7dcafb44b0d

SHA512
fc13756c80467cf1adbf8e9bc5f634f13853cb04aaf39fae4c28c8225ab441885bc2702da636021bd3ec27181f252777d4179e80598f3a168444c48ff57482eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a683f86c83eb0b47b6bb5c2dee5b1d2a

SHA1
2708630cfa986041e6cd0319856a54e9f7fbef31

SHA256
1781a1f007d261c2f3a84c20488a661d3eb8fc5abee3bf41649c6670a60b8fc5

SHA512
74221e68369583257d6fb780027e4e22cbc046aed2ef6c4ab3f1e9b25155c5cb9f68adb8d2ee0b2bac16188a1f0b1a1cea5c688ded59801521824f9276c865bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a045fc4c78bdf8349a4e5bb00116ceba

SHA1
99996f4b26f516fcf74a78312a116b6070543c5f

SHA256
4c421296e1a917ab78edc98a249652a6bcda9d84a0cd96ff1b7908f641a6673d

SHA512
261f82ed7eda0be43d314ec30c7b1f9ba9f9d400295b9adcdf15ab20f4d999586a250bc877f553090f3bd4d3ec62ede7dc7e36cce9af1ebfa3ff0f02968a99a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd6ae358038cd18f975b007e3a815e92

SHA1
7397e91808b687e4562e004d45274454377a6c23

SHA256
c17e3d36ccb0f2263729bafbcbcf1b4c116047f956ed6d438d7c4d6ea7a69a00

SHA512
d699ae3c761bfff219fda2471a22e9e74d7bb36392848eaa1700414a677db21ee4a358dbd42714fdc6e845f6f0688b48fa7dddcc595c265db4f44ed7bbccec3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96726429bea8f7d5f173d0110402fa33

SHA1
971481a5d7fa75dfb7807dacee8ab1cacf6e6fe5

SHA256
2d4c234df46f35022caa0d2111ef2f6702ca7877603562e08d890be4490e5141

SHA512
86a25f83ed1e1644111b69976ecf8a4cd86e8b232ce5f5b85c1bc596aa08c99bc5114fb677a8a3de34dae6660d51f0ef87b09642c0d75ab7be3bd9e45541e530

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40158ba0c2bd52eb1bebd53ceafdc76c

SHA1
35cf6fa38ec22920116014595ff22514d61c2f8a

SHA256
42b5a93a6334f5cdb64556f1f2536382245067fe5e854d2aaf1de62d189233ea

SHA512
fa2626c06e4309d581000c2a399bc2cc25c0c1f192d6be3fad04f9bc72095d05aed500066ce466823980d76e75c3f801f0e834806f1bc301894b8c233f34e020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f32fce357a4fb12aaa679c83a8725034

SHA1
8f0ba9ee4358352bb525c2c118d56b694afb9969

SHA256
8978a7e545114562072c3b92c5f9cf91c27e2c17d211dd02399f9cbdb3616576

SHA512
bea23ab204fd28a6298b129d6cdd115d66228aa7b2c46f45aa4b5fb15fa3df5bcc01d3be7c16bd3fca694b307ab0a718429dde70158f2adeeb58a56bcb665249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bcf54909e5a8b043feb73ba1893c729

SHA1
b97020f66224072fa17669bd063a0cde965850ce

SHA256
5b3af2d12e8e366222c6b40ab44f8f2ead609d3bc946f4909062abba7c5b3e19

SHA512
1278d5625ed029a0a8270f985011a35034f0c7232c99130095003a0f56940820a2c1b2d042ca4f4072e431e662d851ad745b98b18ed1cea12dabe7388a3277cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f98aced10c0127a697f617b534e9d252

SHA1
3451252e35371e0f0ee14ef65db0d15c2201d6ed

SHA256
3aaaf82b911c534bf7afe03ac926ace98069fb2f4f2846bbeec4a5b909d5e951

SHA512
aa11149c5608b885a387e33cb9a1d4c9e3b1b5cb906ffd781fbe4ee7634374db7228403850602b24c952d2b73d77e5ed8a713a4bbe9a64ce08c79b3680bd3c24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7f68498a244806a4e5c73f6cd7dabca

SHA1
d85dce6b4277016af4db6de7679c91ebc789f6c8

SHA256
3506090ecad74766fa170956f0888c1872bb40edc908d8a8b105b71818fdf5b9

SHA512
948b560412e2e18fdf51af3769910f8cc1db031946d858ff02a03816c52812826e6a2e2925e00a6f7f41f04d87ff77f477154f6c7eefcdc9c4c9faf482629500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9841afec6b6e64f3c79beb45d0fb5725

SHA1
035d705288782078e5a47099f0b6ccd7b15f9798

SHA256
92e50584f18bf5c975a48901b44a50041d1d0c7577c4bf135fe614264475a162

SHA512
7b26e2b0a978f96ce279fbe59ca077a4d391a570ee6878506afef4e323bbd489e2bf3a834c85ba9fb4a32888d947788921dac8f8e41be7e69860eecfcfb645b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0e8466315ec12f4331029bc656ea0fa

SHA1
ec7552f35d7723c867b8f57ec78707b493d1183d

SHA256
98a2f7ddf70d72dc011bb03a82f74417cbb5483efaafbe7037900ff127c990a3

SHA512
3bd8db0f6993da49659b70bd144de75ee36dba8128c9e96a884484da1b53dffeb9a72a565bacf2520e3648eac174499280fe8e913119ad04b7ca661db7429aec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e092d32a8d1f878eaab0295df2f033cd

SHA1
71f355314e736d88e14184403e52a55e1b6cd909

SHA256
58dab8ee67f4b5dc47b7ef15d3d19f5b7ece41f8e9d9377509495811868dd1f6

SHA512
341514dceedf216e08602446647a5f8dcb51d164ee5471170492a7f81362d724447671ee5757d9d15cf099910df335881711a909f88e05f86827d04a82a40368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e11c92d9f40452412cae3383723ab0a

SHA1
62c33088d764f582012c859f92ed2f67e4fe008f

SHA256
1e2659a68201e21b56292e798b8fd4a2a069662fd8771d43747eccaef96c2569

SHA512
1721730a66d16e8ded6967809bdda6461c010cded5a55b270fbbe8170b372708d32cfbe121bca81b9cfc1d1a61bf177daf22a5607a630ec5b64977adbba7440b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c705fb6ab897a5d80c0309084951f41f

SHA1
e44be7dc4adbc56aaf08df61ee78e0118a59780d

SHA256
1a2be5996ea986267f13a379cb57d96b3f10a4c130fcb36b681b6f4a0e647e45

SHA512
842b2ac371604dd86b26af7256da0f543ac45ec5e2c4fb06e5695511e34b49eb5aff6a9b5782df181ff6f77c348491cb75d7a0708f8796bf29b20a2e7aeaa28e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bec89bff47497fea0e30d100c7c96714

SHA1
a6d6b5c9617e1e7021612697b1c7954c072c7967

SHA256
72a95de4ec7b05bd3d9a0faa60bb145e1449fa6c5e92e6cea2f9ce733b6dc27a

SHA512
538dba098dcc7dc594720017f1f569c444c0ed9ee48083f2df942c8fab806d781ab1cbe4b43a229357fdb3642b1cc6c7353c88cb4acdc7a79c02edf2c0088b6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e18113cb47a6e3a4c33475a887560716

SHA1
e24feac3e66347b52237a304980071dcaf62252c

SHA256
45b375a25235f1323388c8cd7da97c6a68f338f8eae13d5d0582c8b45f764d35

SHA512
c400b2ac7603692fc5a6a4626f2597e4c7a8281c2b38dca75059ae6a05b8c63030f8edeca4e8410af5cfbf6f49749daf17a91142f9db72a62db3fab6fec00edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDC6D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDD3B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp

Filesize
3.8MB

MD5
ada83311cc079f7f92e2c181d7fa0b99

SHA1
a3ecc933e23805ac54c304eb82f9cb79dcc2a58e

SHA256
1021a80689d2adc408a90d6d594ecff8b62741ffc67cef6a2f07e0b585a3195e

SHA512
ac201b8debe16cbff3ff4630a48d60141c3a3e0a1b0d3c474c55fcc258905bae1ef2fb7c949653c2153a1980ee3c5ed33b872af665fbb5a6daeaba84ad97f40f

Download Submit
memory/1324-349-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2884-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-348-0x00000000037C0000-0x00000000037C2000-memory.dmp

Filesize
8KB

Download
memory/2884-343-0x0000000002020000-0x0000000002047000-memory.dmp

Filesize
156KB

Download
memory/2884-12-0x0000000002020000-0x0000000002047000-memory.dmp

Filesize
156KB

Download
memory/2884-10-0x0000000002020000-0x0000000002047000-memory.dmp

Filesize
156KB

Download
memory/2884-11-0x0000000002020000-0x0000000002047000-memory.dmp

Filesize
156KB

Download
memory/2884-0-0x00000000026A0000-0x0000000002705000-memory.dmp

Filesize
404KB

Download
memory/2884-8-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2884-6-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2884-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2884-4-0x00000000026A0000-0x0000000002705000-memory.dmp

Filesize
404KB

Download
memory/2884-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2884-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download