Malware Analysis Report

2025-01-18 18:17

Sample ID 241203-h5p8zs1kfl
Target bc4a269ef127d108659149b6058ac7d8_JaffaCakes118
SHA256 d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f
Tags
locky locky_osiris defense_evasion discovery ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f

Threat Level: Known bad

The file bc4a269ef127d108659149b6058ac7d8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

locky locky_osiris defense_evasion discovery ransomware

Locky_osiris family

Locky

Locky (Osiris variant)

Locky family

Deletes itself

Indicator Removal: File Deletion

Sets desktop wallpaper using registry

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 07:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 07:19

Reported

2024-12-03 07:21

Platform

win7-20240903-en

Max time kernel

117s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"

Signatures

Locky

ransomware locky

Locky (Osiris variant)

ransomware locky_osiris

Locky family

locky

Locky_osiris family

locky_osiris

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

The deleting process is the cmd.exe child listed under Processes below, which the sample launches as cmd.exe /C del /Q /F "<its own path>" so that its executable is gone from disk once it has run. When building a detection, compare the deleted path with the parent's image path: a cmd.exe deletion on its own is common and benign.

Indicator Removal: File Deletion

defense_evasion

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Only the first row is the sample's own read; DllHost.exe, IEXPLORE.EXE and cmd.exe open the same key during normal start-up. Treat the key open as a weak indicator that carries weight only alongside the ransomware signatures above.

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware

Every row below is written by iexplore.exe, which the sample started to render C:\Users\Admin\DesktopOSIRIS.htm (see Processes). They are the browser's own first-run and session keys (TabbedBrowsing, Recovery, SearchScopes, Window_Placement), not settings the sample changed; the adware/spyware tag is a side effect of the browser launch and should not be used as an indicator for this family.
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439372248" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6a347ec6cffa84f8a405ef73ae83242000000000200000000001066000000010000200000001b61bc9ef1878f272067c7721678601c74c0cf3d5a5a7df4246b5dbcabefbbf4000000000e8000000002000020000000de57a62128f04eb54ba2689c3fccdc7694a4f718672966be19e45b46d6c1ab3490000000c2475c5f1217d404a265b60b897d0a25b223ffb870a0c40fadcafa52e72a647bde43dd838244e0cf8aa92878219957925b686f97a4de7d393c7a99920a59a7f4e2f470b860787ca38ed3789eea458ecafd75e91d0272728554702a73ce10dcf63ce8f348e78f613d992eac40c25b0a875ba5f3592a8309bee60440de76954dfa464365c32c90b559f5e6cd6ed9a28fa040000000a5b65ccc4a65d5d97bf3ea7b4236ab4c741b0f2e1abbafa8bcd981354f5809b7e59dc4ace9cb48f9048fb0447da0dac291319c49619f5e3eb74091d43ef5e509 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d18cca5345db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6a347ec6cffa84f8a405ef73ae8324200000000020000000000106600000001000020000000d549a287441f78c995e185850069f10830c38adca1916d6b652a8f6c5c34c89c000000000e8000000002000020000000ea839f74904ab36810061ec535a2fdb83fb88bb3dc27fdbae3cfa142af286c1220000000230940a77f694388ead4c526ae43cfab3015a5018fbeb4a76b71f79241c47fbf400000009a92dd931fe1d700ee990c6835571fed7257e7cf03188243eaf49c5c417bb861ee0816399bddb173454684b6c7f9934e5fee9beb935d3bae771eaa340763832f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5DE91B1-B146-11EF-BBA4-FA59FB4FA467} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2928 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2928 wrote to memory of 2796 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2380 wrote to memory of 2692 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

All three pairs are a parent writing into a child it has just created (compare the Processes list below), which is what the sandbox records for ordinary process creation. None of them is a write into an unrelated process, so this signature adds no evidence of injection in this run.

Processes

C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
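The process list and registry rows above are enough to drive a detection. What follows is an added example, not the sandbox vendor's code and not anything from the sample's authors: it rebuilds the behavioral1 events as hand-written records (PIDs, image paths, command lines and registry values copied from this report; the record layout, the BROWSERS set and the SHELL_WRITERS allow-list are assumptions) and implements the three checks that make this run ransomware-like: a cmd.exe child deleting its parent's image, the Wallpaper value rewritten by a non-shell process, and a browser launched by a non-browser parent to open a local document.

```python
"""Behavioural triage of the process and registry rows in this report.

Added example, not the sandbox vendor's code. PROCS and REGS are hand-built
from the behavioral1 rows (PIDs, paths, command lines and values copied from
the report); the record layout, BROWSERS and SHELL_WRITERS are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


@dataclass(frozen=True)
class RegSet:
    pid: int        # writing process
    key: str
    value: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
USER_SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"
DESKTOP_KEY = "\\REGISTRY\\USER\\" + USER_SID + "\\Control Panel\\Desktop"

# From the Processes list; parent PIDs taken from the WriteProcessMemory rows.
PROCS = [
    Proc(2380, 0, SAMPLE, '"' + SAMPLE + '"'),
    Proc(2928, 2380, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm'),
    Proc(2796, 2928, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
         r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2'),
    Proc(2692, 2380, r"C:\Windows\SysWOW64\cmd.exe", 'cmd.exe /C del /Q /F "' + SAMPLE + '"'),
]
# From "Sets desktop wallpaper using registry" and "Modifies Control Panel".
REGS = [
    RegSet(2380, DESKTOP_KEY, "Wallpaper", r"C:\Users\Admin\DesktopOSIRIS.bmp"),
    RegSet(2380, DESKTOP_KEY, "WallpaperStyle", "0"),
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELL_WRITERS = {"explorer.exe", "systemsettings.exe", "rundll32.exe"}  # assumed legitimate wallpaper writers

_DEL_RE = re.compile(r'\bdel\b[^"]*"([^"]+)"', re.IGNORECASE)
_EXE_ARGS_RE = re.compile(r'^(?:"[^"]*"|\S+)\s*(.*)$')       # strip the quoted/unquoted image
_LOCAL_DOC_RE = re.compile(r'([A-Za-z]:\\[^\s"]+\.(?:html?|txt))', re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def find_self_delete(procs):
    """cmd.exe whose del target is the image of the process that launched it."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _base(p.image) != "cmd.exe":
            continue
        m = _DEL_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and m.group(1).lower() == parent.image.lower():
            hits.append((parent.pid, parent.image))
    return hits


def find_wallpaper_hijack(regs, procs):
    """Control Panel\\Desktop\\Wallpaper rewritten by something other than the shell."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for r in regs:
        if r.value.lower() != "wallpaper" or not r.key.lower().endswith("\\control panel\\desktop"):
            continue
        writer = by_pid.get(r.pid)
        if writer and _base(writer.image) not in SHELL_WRITERS:
            hits.append((r.pid, r.data))
    return hits


def find_note_display(procs):
    """A browser started by a non-browser parent with a local document as argument."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if _base(p.image) not in BROWSERS or parent is None or _base(parent.image) in BROWSERS:
            continue
        args = _EXE_ARGS_RE.match(p.cmdline)
        doc = _LOCAL_DOC_RE.search(args.group(1)) if args else None
        if doc:
            hits.append((p.pid, doc.group(1)))
    return hits


def triage(procs, regs):
    """Return only the checks that fired, keyed by finding name."""
    checks = {
        "self_delete": find_self_delete(procs),
        "wallpaper_hijack": find_wallpaper_hijack(regs, procs),
        "ransom_note_display": find_note_display(procs),
    }
    return {name: hits for name, hits in checks.items() if hits}


def verdict(findings):
    """Wallpaper replacement has to be corroborated by self-deletion or a displayed note."""
    corroborated = set(findings) & {"self_delete", "ransom_note_display"}
    return "ransomware-like" if "wallpaper_hijack" in findings and corroborated else "inconclusive"
```

The self-deletion check compares the deleted path with the parent's image path instead of matching on del /Q /F, so a cmd.exe that cleans up a temp file is not flagged, and the verdict requires the wallpaper change to be corroborated by one of the other two findings, so a script that legitimately sets a wallpaper does not fire it on its own.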

Network

Country Destination Domain Proto Connections
LV 195.123.211.6:80 - tcp 3
RU 188.127.239.53:80 188.127.239.53 tcp 1
US 204.79.197.200:443 ieonline.microsoft.com tcp 3

The table does not record which process opened each connection. ieonline.microsoft.com over 443 is consistent with the Internet Explorer session the sample started to display the note; the two plain-HTTP, direct-to-IP destinations are the ones that need confirming before they are treated as command-and-control.

Files

memory/2380-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2380-0-0x0000000002210000-0x00000000022A1000-memory.dmp

memory/2380-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2380-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2380-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2380-5-0x0000000002210000-0x00000000022A1000-memory.dmp

memory/2380-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2380-8-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2380-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2380-12-0x0000000000310000-0x0000000000337000-memory.dmp

memory/2380-11-0x0000000000310000-0x0000000000337000-memory.dmp

memory/2380-10-0x0000000000310000-0x0000000000337000-memory.dmp

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\OSIRIS-a000.htm

MD5 2a5f2b88b7531c38e573fa44d7470fc3
SHA1 6b08e5daa6e344180ce25723dc0301bb40c0090b
SHA256 c650c406857d566def82d83693968ec0455c162a9dc8665f5f38bab3cabead8e
SHA512 ba4c7246f86927f66032b217af632ded4bd568483fadf220992e2d4e897b024328b344f539d346e592bc3d5d08292247ccf3220477dd3cd7660fcb3b4dafa7a1

memory/2380-320-0x0000000000310000-0x0000000000337000-memory.dmp

memory/2380-325-0x0000000003700000-0x0000000003702000-memory.dmp

memory/1916-326-0x0000000000170000-0x0000000000172000-memory.dmp

C:\Users\Admin\DesktopOSIRIS.bmp

MD5 85022020b7b2c7467215662308f2f7ca
SHA1 9f61fef32a81c132a801b53e9c35b9995f44994e
SHA256 42919e49e1564ba676e13b7dad8cc30839a2b51e30b37a3c8b67441f4278a811
SHA512 b398f8abdd799caafb05841c6907961f7052d87013ce95935fc7e8a16822dc161bbf6faac9c0a7a021e65baf777df45809738dadcee637ce5f79eaf4eb46c8e5

C:\Users\Admin\AppData\Local\Temp\Cab403E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar40AE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0700ca993ef3c9ac7b7d30863795669
SHA1 57c248143790ed350de859c718080723dc0b5529
SHA256 49238497bc9cef92acb62cbca4b62def88280d63fde58113aa19dd7e5815f385
SHA512 f17704ef391d7df88fdc6f7cdd2a7e0dc4525bf8347154e48ee4493b564acd1842d8deeda06c0a0baf788d55e4badaab6c6a50f6c79cf171eade45b0d305dfc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c358932d8df279c3b7be5b189c45faa
SHA1 1395b4bbfacf276d576f59bd424de9ee78c46b30
SHA256 6e4ba35b4f487bf34edf3b79dfe9a20f7cbc8047120738444588eb4861884c8b
SHA512 b3a0a129b071180692ac28fc89070c358d0115e1b554afcacf7ca5248e14c7f1927b91e491732d10d86b9d760b1c963fafc4292c97bbcbf05e3fe71760904f4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2dfc4eb28345fa4146b588c69d23d802
SHA1 52908b1a6dbde50bc3d4893cfcaa984f48d26620
SHA256 78295bfd05ae12fe00ec0d68404eb57b6cf9a07366db1d8d321d22f2c2851307
SHA512 75005fcf46657d08dc85073ba22c84d31c0514677d2f5847bc0e7ad6d527b8db4b8e327da17ba876c32b6d5f8b9f98a0e152224fed53f6d237506ee26283d2ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cfb64d586ef492844ab6d05c027752b
SHA1 c9bdf4574427a1794e21c607a50059cfbed1a228
SHA256 73e9f7b690ac83ff5f33d8d972d64b4b05d4cc7a0aa00e4b54941263353fa2e3
SHA512 a53fd48c1485ca287c07388636069a7539eecd3dc3a0e9d4fbfddd622f8156ce32bf7e7b7a9f54444d7714f9452de699a80e8407d7d2d47b78598bd12b3d590d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 822cca7e712743690b55f5fcde8f9865
SHA1 c180de49a304f2f8132acc12dcba5a72af66a334
SHA256 442ca08e01260146c6d8b96091fa16dcfe420fe7f5b34626d6db88cb8f37057f
SHA512 184444d1ead5ae30e93314cd7553af84d9f7c5e388f9626ffc9b6d41e79defd84b3b2d8250d6f5ffe58c242c7965b99e6fcf0a01a13b1a01cc1e60ff90702540

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3c201acefa387353cfcdb531a129839
SHA1 d45dc86bf196d6a20c170b6ac8ff365264972bb0
SHA256 883add4c6036d91f5a9ed49a19a78a281fff784f78e40febbfd229e7264bd9c3
SHA512 173639be5453ac6503a55d01dba486d26413026b3a333718953f6c537702830fb55b32add1764c0be1790bdf7340f7a05de47d719d55becc25929ae367acbaa9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da8d936428c3f23bf8ef5af8d50d8416
SHA1 055e6b3acd8ffb47d88fc3980239d3eda1ccf0ff
SHA256 6dbcdc3a14ee8df85b31938a9f3e1423cb9e4a8e781555bd6db9f144dbda9716
SHA512 f9d7ffd48749727b6bc16bb718133459194930fe5e13c2dcb2b3fb0910cd2f55013cb3db092bd1319e804b8aa8879a438f2f487c46e0ded16923d5a9b37e6faa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e396f8128232e3dcb4f9537e0d00a93
SHA1 50fc23368d1e4edf0ef54533770075d36ffb9b6d
SHA256 eaa2cbd3c17d9683eba90d568faa7441f43c002c2426780c29e15818853444b1
SHA512 ced2f83cc75975ca182042846d503339af59fe518410d241e5b5951f98aa38b25b15e6fb9a217fad90fda0d6f0f3fa1cb0a01bd5fef666a80738d7744239e31b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bb4fea931f11ca8259138b9a3274fbb
SHA1 97e17bccb6a53a0286bb083cacab95c340f6af96
SHA256 6d1a8a70afe6aae58ad05bd83c8cd5e09498cfcb9fb32936276e0b7881257fd3
SHA512 50eb37e46728639f736b82a279bad3adac055868fad115158b8b501ef59a2821373da920869318d6bfcf04341c5266d6d163fb0a5d3d56dd7fa944839c8a7555

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0792cb9e2152b2387f08537f8f8f1d6
SHA1 590d7eefd6a9c28e77f4eff67ce29036dd7d4925
SHA256 83c001d5218273c252a3cf41415de9147bbbf145ff033a3e32b5dacf69bccffb
SHA512 e2b1cb81e0e98a95dd480a6d2e7994e8ed1625af534242299d5e727d446db33cb4fdbb31d67d0ba4d9f49b43217e018bce1c6a984cae689c628e8aa21d7de255

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa9ab741da339542cca046d6e9d4a96e
SHA1 54dbfe4a69d8e3815e53d9032c890f98f2c8cc82
SHA256 8a69f4440af8a6cd0fe5c718cbddb5bb061fe2daa9f74a04ff1b9880b594e66d
SHA512 3be24d0997e7f45a8f0f264de79dbe33abb21a1d011fe7bd796720ed40001468b19ff63fbd662e6903abc207dd9a80267160c2b5f20c2543f7c60947058d34fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 716823c433386727c8bc213470e85d40
SHA1 083952183df12a4922e51b274e54e9fab4cc6c24
SHA256 c8d662cf8c2300de1121e6b6bfcc18d04638668d4e541d29408821ff682c71af
SHA512 2a73ec6438c7632e59eeec8c587ad2fced28692cd1046e03e4ac6157c09c6612819c649ed1ea84707e49a5b82098e1c28b593c3ee9872cf7559a6630f13a611d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fd97fc9f8213c946de6764abf1645ec
SHA1 9d48b350a2e77110756aa369d2de5369397415c9
SHA256 a1f8bfd76ae6e6c7e76d0a004e971197991d2c155d7efb09960038c6049e4ef9
SHA512 ef7a0bd9d1f6df474c6c86fbc2d11a0a9383d5ab5e60c230b120cf238416450364bed01328f9decb66c4a30eea7daa25bb25319b836bfaeca1ba08c9b62bd904

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a925c99cc0b95ee4f33ee4491854817f
SHA1 b2ab43fc93bad81edadfe60d900faad9ffa6edff
SHA256 4e8f0fb06c67f380913d948f5b3567eba7b6c92f8ad6bdd61f82d175dc2b77c9
SHA512 ff965db02d4bff13ac77d31726fc2101e9b19397f9cd28161f5d69d73eaf6faf4ad04ee1eba2692e0f1b8e6ea637bf9052441f84ba8b90b9f1ad2ebf122fb722

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 435835d7e7bb18857bf7baea62b48df8
SHA1 e2c0ac8f9d924ba2987144fe2ec7a481b0cbc0cb
SHA256 d2d59a8181438abd76b8c85faf83b6fce5496c15bcefff19a446cd9fb1ef7631
SHA512 5724b9c139d542ac2e654e76caff4a96f43debeb25ebda00ff5e80ff53bd55bb4e58a8b292485fd28e3cd78458ff9568a8600bb8065cd95af74e4fc3b4127282

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92beb4b80b92175130272f500823950b
SHA1 d3292a233dbbac436613afac9046be8628dcc390
SHA256 3bf7572f0275e8c9416fd39b9d5cc18d6fd606a99a1b03e53efcbe3dc0d5b673
SHA512 b45603e17bdc64cf4f204645aa7526a851bbdfbe75d544e3616be73b29a1b229bfade64bd30abef76c36ec262ce62ef58cd1ea5b0c1cba74e57a330a98f0eabe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e87fa68c2b2e3aa714d4a2007b843d28
SHA1 e3a4e281f46f9ff077d99cc5b1014ffba0da49b0
SHA256 fd28daccc4b24f24a58e56e894145fd8da1597f0d2d411208b8a4d03825cdd2c
SHA512 ea26bbd55d0fad2d898c2d0f2504ae538e06d0a2336fa80c6f81c3163bd2100873b4457e925cba841767aed76e0bf7a9b459e3cff1f71249908994f094d0c9eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59542f108265f24abf980adcc23b4a26
SHA1 abc7cc57e83111046f531275542d5b734c5a76c3
SHA256 c33541bbbc65c5efb353a3ffe1da80163c823f30f9a279b1ce7f59aebd7c1cd5
SHA512 6ccc9758ec3f91ba317937354a482b7c3469aaf763a8fa2fd233fffee83bd33ee49340058d805145f559ec5af999705d781e2e117d05764329715e5e9332db86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d304cb1ee044164f3d0a599c78694d56
SHA1 baa3ef2bffc4d6181df7df0edce791e03714f7f0
SHA256 edfb39a7ec0f3eba7a2e59a966c74dec78e18b88fdc105bd37e83c78224d3434
SHA512 cacbe4017276da34e6e9ee6b4d671311ea6f2c3fa490290c598d347f90f2e2eb1e0538bedc46a799a4c7f8878db62ed759d31418c2d8eaaf5760c749b2502dda
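An added example, not the vendor's tooling, showing how to turn the Network and Files tables above into an IOC list a hunt can use. NETWORK_ROWS and FILE_ENTRIES are constructed from rows of this report (a subset of the file entries, hashes copied verbatim); the noise patterns and the telemetry suffix list are assumptions to adjust per environment. The point it makes: most of the Files section is CryptnetUrlCache metadata and temp files produced by the browser session, the memory/ entries are sandbox dumps rather than files on disk, so only the ransom note and the wallpaper bitmap are worth hashing; on the network side, ieonline.microsoft.com is a Microsoft endpoint, while the two direct-to-IP port-80 connections have no innocent explanation in the report and, because the table does not say which process opened them, stay candidates until confirmed.

```python
"""IOC triage of the Network and Files tables in this report.

Added example, not the sandbox vendor's code. NETWORK_ROWS and FILE_ENTRIES
are constructed from rows of the behavioral1 report (hashes copied verbatim,
file list abbreviated); NOISE and TELEMETRY_SUFFIXES are assumptions.
"""
import re

NETWORK_ROWS = """\
LV 195.123.211.6:80 tcp
RU 188.127.239.53:80 188.127.239.53 tcp
LV 195.123.211.6:80 tcp
LV 195.123.211.6:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

FILE_ENTRIES = r"""
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\OSIRIS-a000.htm
MD5 2a5f2b88b7531c38e573fa44d7470fc3
SHA256 c650c406857d566def82d83693968ec0455c162a9dc8665f5f38bab3cabead8e
C:\Users\Admin\DesktopOSIRIS.bmp
SHA256 42919e49e1564ba676e13b7dad8cc30839a2b51e30b37a3c8b67441f4278a811
C:\Users\Admin\AppData\Local\Temp\Cab403E.tmp
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
SHA256 49238497bc9cef92acb62cbca4b62def88280d63fde58113aa19dd7e5815f385
memory/2380-6-0x0000000000400000-0x000000000045B000-memory.dmp
"""

# Domains whose traffic belongs to the browser/OS session, not the sample (assumed list).
TELEMETRY_SUFFIXES = ("microsoft.com",)

# Paths the sandbox lists that are not artefacts the sample authored (assumed patterns).
NOISE = [
    (re.compile(r"^memory/"), "sandbox memory dump, not a file on disk"),
    (re.compile(r"\\CryptnetUrlCache\\", re.I), "certificate/CRL cache written by the browser's crypto stack"),
    (re.compile(r"\\AppData\\Local\\Temp\\(?:Cab|Tar)[0-9A-F]{4}\.tmp$", re.I),
     "temporary cab extraction files from the same browser session (assumed)"),
]
_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|memory/)")
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)


def parse_network(text):
    """Rows are: country dest:port [domain] proto; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, *mid, proto = parts
        rows.append({"country": country, "dest": dest, "domain": mid[0] if mid else None, "proto": proto})
    return rows


def classify_dest(dest, domain):
    ip, port = dest.rsplit(":", 1)
    if domain and domain.lower().endswith(TELEMETRY_SUFFIXES):
        return "exclude"        # browser/OS endpoint
    if (domain is None or domain == ip) and port == "80":
        return "candidate"      # direct-to-IP plain HTTP with no DNS: confirm the owning process
    return "review"


def triage_network(text):
    """Deduplicate by destination, keep first-seen order, attach class and hit count."""
    out = {}
    for row in parse_network(text):
        entry = out.setdefault(row["dest"], {**row, "hits": 0, "class": classify_dest(row["dest"], row["domain"])})
        entry["hits"] += 1
    return out


def parse_files(text):
    """Each entry is a path line followed by zero or more '<ALGO> <hex>' lines."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if _PATH_RE.match(line):
            cur = {"path": line}
            entries.append(cur)
        elif cur is not None and (m := _HASH_RE.match(line)):
            cur[m.group(1).lower()] = m.group(2).lower()
    return entries


def triage_files(text):
    """Split file entries into IOC candidates and explained-away noise."""
    keep, noise = [], []
    for e in parse_files(text):
        reason = next((why for pat, why in NOISE if pat.search(e["path"])), None)
        if reason:
            noise.append({**e, "reason": reason})
        else:
            keep.append(e)
    return keep, noise
```

triage_network keeps first-seen order and a hit count per destination, so the three connections to 195.123.211.6 collapse to one candidate; adding a domain suffix or a noise path is a one-line change to the lists at the top.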

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 07:19

Reported

2024-12-03 07:21

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"

Signatures

Locky

ransomware locky

Locky (Osiris variant)

ransomware locky_osiris

Locky family

locky

Locky_osiris family

locky_osiris

Indicator Removal: File Deletion

defense_evasion

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

All three reads come from msedge.exe, the browser the sample launched to display the note, not from the sample itself; they are not evidence of sandbox or hardware fingerprinting by the malware.

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 events)

Every event is from msedge.exe, the browser started to display the note, not from the sample.

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 events)

As with FindShellTrayWindow, every event is from msedge.exe rather than the sample.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3324 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3324 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1456 wrote to memory of 4844 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1456 wrote to memory of 4844 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3324 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1456 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1456 wrote to memory of 1560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\DesktopOSIRIS.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x48,0x108,0x7ffe58ea46f8,0x7ffe58ea4708,0x7ffe58ea4718

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 135.245.20.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
LV 195.123.211.6:80 tcp
RU 188.127.239.53:80 188.127.239.53 tcp
LV 195.123.211.6:80 tcp
US 8.8.8.8:53 53.239.127.188.in-addr.arpa udp
LV 195.123.211.6:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.245.20.2.in-addr.arpa udp

Files

memory/3324-0-0x00000000022C0000-0x0000000002351000-memory.dmp

memory/3324-1-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3324-2-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3324-3-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3324-4-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3324-5-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3324-6-0x00000000022C0000-0x0000000002351000-memory.dmp

memory/3324-7-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3324-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3324-10-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3324-11-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3324-14-0x0000000002260000-0x0000000002287000-memory.dmp

memory/3324-13-0x0000000002260000-0x0000000002287000-memory.dmp

memory/3324-15-0x0000000002260000-0x0000000002287000-memory.dmp

C:\Users\Admin\Music\OSIRIS-2488.htm

MD5 10a9f01c9caa1ac167ab62adfa8106e6
SHA1 8f320301159cd7fcb041368af86dc4ff27963fb0
SHA256 375bf49117c36e801275f7274608056ba9a5d9946f73cb3ae745a5520e24f3bb
SHA512 ab269c268e4cb379564c782f9c2d7ff879ff6de827d1b7c58682c7b73ca0623c74b221fd512156a8f3b462f074541601b0bfceed0444162ba31988a45339f1f1

memory/3324-357-0x0000000002260000-0x0000000002287000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 61cef8e38cd95bf003f5fdd1dc37dae1
SHA1 11f2f79ecb349344c143eea9a0fed41891a3467f
SHA256 ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA512 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

\??\pipe\LOCAL\crashpad_1456_LCKVPKJOBUGWLTFZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0a9dc42e4013fc47438e96d24beb8eff
SHA1 806ab26d7eae031a58484188a7eb1adab06457fc
SHA256 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6e30bf4cd12bb65b04ba8d51b47ee6b7
SHA1 8bae8417ba7821ce89f8043952bd57456fc9b276
SHA256 5c39d2023dd7d9b59593740f96c8709775531076257bdbed4cc8c40dc3d95a81
SHA512 c3f8c4294b76dbcc3658ac45c95504c43cece543b3056bb1c5e30cef192a318a6c9f2ebe243ff6f9c1525f443571da72bc1ce37d0b9f5aa83f780e6526203f8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5985f94adb0f7920e6684b9a7dfdcf9a
SHA1 94e3189679241e40305d5ea320ad46d0a49927c9
SHA256 5f81bae9c313c04d160cf93f9b4f9e99452c6c56bbe3c47ef4d6c0d0106e9924
SHA512 8a5c997121832a2141079b15061d1b327571f0695e3c3f812c8384c239aa3ebb273f5950a082ae7894218f2f8f7a0aa7ddac6ab0ae39626033959b1dfe3325d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 93687e1505c1ec7b0035ee138a0f818f
SHA1 30e0aac75198771077bce9793b3a01e986a83c85
SHA256 740bd997b59ef1b56e71d849321ec4dc3e98e82763cdd15dc0e741e67411b314
SHA512 9f1cb21b6b8fb23d288db126ab5f2437d27cdca0c9dd0d4b679d4c83c0ed3206cef710246be1a10b342cdc363494e1cd28fd05dcadf3ed892cf282ff7ce37c00