Analysis Overview
SHA256
d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f
Threat Level: Known bad
The file bc4a269ef127d108659149b6058ac7d8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Locky_osiris family
Locky
Locky (Osiris variant)
Locky family
Deletes itself
Indicator Removal: File Deletion
Sets desktop wallpaper using registry
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-03 07:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-03 07:19
Reported
2024-12-03 07:21
Platform
win7-20240903-en
Max time kernel
117s
Max time network
142s
Command Line
Signatures
Locky
Locky (Osiris variant)
Locky family
Locky_osiris family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Indicator Removal: File Deletion
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439372248" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6a347ec6cffa84f8a405ef73ae83242000000000200000000001066000000010000200000001b61bc9ef1878f272067c7721678601c74c0cf3d5a5a7df4246b5dbcabefbbf4000000000e8000000002000020000000de57a62128f04eb54ba2689c3fccdc7694a4f718672966be19e45b46d6c1ab3490000000c2475c5f1217d404a265b60b897d0a25b223ffb870a0c40fadcafa52e72a647bde43dd838244e0cf8aa92878219957925b686f97a4de7d393c7a99920a59a7f4e2f470b860787ca38ed3789eea458ecafd75e91d0272728554702a73ce10dcf63ce8f348e78f613d992eac40c25b0a875ba5f3592a8309bee60440de76954dfa464365c32c90b559f5e6cd6ed9a28fa040000000a5b65ccc4a65d5d97bf3ea7b4236ab4c741b0f2e1abbafa8bcd981354f5809b7e59dc4ace9cb48f9048fb0447da0dac291319c49619f5e3eb74091d43ef5e509 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d18cca5345db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6a347ec6cffa84f8a405ef73ae8324200000000020000000000106600000001000020000000d549a287441f78c995e185850069f10830c38adca1916d6b652a8f6c5c34c89c000000000e8000000002000020000000ea839f74904ab36810061ec535a2fdb83fb88bb3dc27fdbae3cfa142af286c1220000000230940a77f694388ead4c526ae43cfab3015a5018fbeb4a76b71f79241c47fbf400000009a92dd931fe1d700ee990c6835571fed7257e7cf03188243eaf49c5c417bb861ee0816399bddb173454684b6c7f9934e5fee9beb935d3bae771eaa340763832f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5DE91B1-B146-11EF-BBA4-FA59FB4FA467} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
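Of everything in the signature list, only three actions are the sample's own: the Wallpaper value written under Control Panel\Desktop, a browser launched on DesktopOSIRIS.htm, and cmd.exe /C del /Q /F removing the executable after it has run. The Internet Explorer and Edge registry writes, the SetWindowsHookEx and FindShellTrayWindow entries and the ieonline.microsoft.com traffic are side effects of the browser rendering the note, not behaviour of the sample. The detection below is an added example, not part of the sandbox report: it runs those three rules over constructed Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records that mirror the process tree above. The parent/child links, the wallpaper allowlist and the exact record layout are assumptions.

```python
"""Behavioural rules for the three actions the sample performs in this run:
rewriting the Wallpaper value, launching a browser on the ransom note, and
deleting itself through cmd.exe. Added example, not part of the report.
Events are constructed in the shape of Sysmon Event ID 1 (process create)
and Event ID 13 (registry value set); only the fields used here are filled."""
import re

# Assumption: images allowed to rewrite the Wallpaper value; tune per estate.
WALLPAPER_ALLOWLIST = {"explorer.exe", "systemsettings.exe", "rundll32.exe"}
BROWSERS = {"iexplore.exe", "msedge.exe"}

# 'cmd.exe /C del /Q /F "<path>"' as recorded in both detonations: switches in
# any order, optional full path to cmd.exe, optional quotes round the target.
SELF_DELETE_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd\.exe"?\s+/c\s+del\s+(?:/[a-z]\s+)*'
    r'"?(?P<path>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Note file names seen in the report: DesktopOSIRIS.htm and OSIRIS-a000.htm.
RANSOM_NOTE_RE = re.compile(r"(?:DesktopOSIRIS|OSIRIS-[0-9a-f]{4})\.htm\b", re.IGNORECASE)
WALLPAPER_VALUE_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, process, detail) tuples for every event that matches."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            m = SELF_DELETE_RE.match(ev["CommandLine"])
            # the deleted path is the parent's own image: self-deletion
            if m and m.group("path").lower() == ev["ParentImage"].lower():
                hits.append(("self_delete_via_cmd", ev["ParentImage"], ev["CommandLine"]))
            if basename(ev["Image"]) in BROWSERS:
                note = RANSOM_NOTE_RE.search(ev["CommandLine"])
                if note:
                    hits.append(("browser_opens_ransom_note", ev["ParentImage"], note.group(0)))
        elif ev["EventID"] == 13:  # registry value set
            if (WALLPAPER_VALUE_RE.search(ev["TargetObject"])
                    and basename(ev["Image"]) not in WALLPAPER_ALLOWLIST):
                hits.append(("wallpaper_set_by_unexpected_process", ev["Image"], ev["Details"]))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"
WALLPAPER_KEY = "HKU\\" + SID + r"\Control Panel\Desktop\Wallpaper"

# Constructed events mirroring the behavioral1 process tree and registry table;
# the parent/child links are inferred from that tree, not read from a real log.
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": WALLPAPER_KEY,
     "Details": r"C:\Users\Admin\DesktopOSIRIS.bmp"},
    {"EventID": 1, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": f'cmd.exe /C del /Q /F "{SAMPLE}"'},
    # benign noise: the shell itself changing the wallpaper
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": WALLPAPER_KEY,
     "Details": r"C:\Users\Admin\Pictures\beach.jpg"},
]

if __name__ == "__main__":
    for rule, proc, detail in detect(EVENTS):
        print(f"{rule:36} {proc}  ->  {detail}")
```

The self-deletion rule keys on the deleted path being the parent's own image rather than on `del` alone, so routine cleanup scripts do not fire it; the wallpaper rule keys on the writing process rather than on the OSIRIS file name, so it also covers builds that rename the image.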
Network
| Country | Destination | Domain | Proto |
| LV | 195.123.211.6:80 | | tcp |
| RU | 188.127.239.53:80 | 188.127.239.53 | tcp |
| LV | 195.123.211.6:80 | | tcp |
| LV | 195.123.211.6:80 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2380-1-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2380-0-0x0000000002210000-0x00000000022A1000-memory.dmp
memory/2380-2-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2380-3-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2380-4-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2380-5-0x0000000002210000-0x00000000022A1000-memory.dmp
memory/2380-6-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2380-8-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2380-9-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2380-12-0x0000000000310000-0x0000000000337000-memory.dmp
memory/2380-11-0x0000000000310000-0x0000000000337000-memory.dmp
memory/2380-10-0x0000000000310000-0x0000000000337000-memory.dmp
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\OSIRIS-a000.htm
| MD5 | 2a5f2b88b7531c38e573fa44d7470fc3 |
| SHA1 | 6b08e5daa6e344180ce25723dc0301bb40c0090b |
| SHA256 | c650c406857d566def82d83693968ec0455c162a9dc8665f5f38bab3cabead8e |
| SHA512 | ba4c7246f86927f66032b217af632ded4bd568483fadf220992e2d4e897b024328b344f539d346e592bc3d5d08292247ccf3220477dd3cd7660fcb3b4dafa7a1 |
memory/2380-320-0x0000000000310000-0x0000000000337000-memory.dmp
memory/2380-325-0x0000000003700000-0x0000000003702000-memory.dmp
memory/1916-326-0x0000000000170000-0x0000000000172000-memory.dmp
C:\Users\Admin\DesktopOSIRIS.bmp
| MD5 | 85022020b7b2c7467215662308f2f7ca |
| SHA1 | 9f61fef32a81c132a801b53e9c35b9995f44994e |
| SHA256 | 42919e49e1564ba676e13b7dad8cc30839a2b51e30b37a3c8b67441f4278a811 |
| SHA512 | b398f8abdd799caafb05841c6907961f7052d87013ce95935fc7e8a16822dc161bbf6faac9c0a7a021e65baf777df45809738dadcee637ce5f79eaf4eb46c8e5 |
C:\Users\Admin\AppData\Local\Temp\Cab403E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar40AE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0700ca993ef3c9ac7b7d30863795669 |
| SHA1 | 57c248143790ed350de859c718080723dc0b5529 |
| SHA256 | 49238497bc9cef92acb62cbca4b62def88280d63fde58113aa19dd7e5815f385 |
| SHA512 | f17704ef391d7df88fdc6f7cdd2a7e0dc4525bf8347154e48ee4493b564acd1842d8deeda06c0a0baf788d55e4badaab6c6a50f6c79cf171eade45b0d305dfc2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c358932d8df279c3b7be5b189c45faa |
| SHA1 | 1395b4bbfacf276d576f59bd424de9ee78c46b30 |
| SHA256 | 6e4ba35b4f487bf34edf3b79dfe9a20f7cbc8047120738444588eb4861884c8b |
| SHA512 | b3a0a129b071180692ac28fc89070c358d0115e1b554afcacf7ca5248e14c7f1927b91e491732d10d86b9d760b1c963fafc4292c97bbcbf05e3fe71760904f4d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2dfc4eb28345fa4146b588c69d23d802 |
| SHA1 | 52908b1a6dbde50bc3d4893cfcaa984f48d26620 |
| SHA256 | 78295bfd05ae12fe00ec0d68404eb57b6cf9a07366db1d8d321d22f2c2851307 |
| SHA512 | 75005fcf46657d08dc85073ba22c84d31c0514677d2f5847bc0e7ad6d527b8db4b8e327da17ba876c32b6d5f8b9f98a0e152224fed53f6d237506ee26283d2ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8cfb64d586ef492844ab6d05c027752b |
| SHA1 | c9bdf4574427a1794e21c607a50059cfbed1a228 |
| SHA256 | 73e9f7b690ac83ff5f33d8d972d64b4b05d4cc7a0aa00e4b54941263353fa2e3 |
| SHA512 | a53fd48c1485ca287c07388636069a7539eecd3dc3a0e9d4fbfddd622f8156ce32bf7e7b7a9f54444d7714f9452de699a80e8407d7d2d47b78598bd12b3d590d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 822cca7e712743690b55f5fcde8f9865 |
| SHA1 | c180de49a304f2f8132acc12dcba5a72af66a334 |
| SHA256 | 442ca08e01260146c6d8b96091fa16dcfe420fe7f5b34626d6db88cb8f37057f |
| SHA512 | 184444d1ead5ae30e93314cd7553af84d9f7c5e388f9626ffc9b6d41e79defd84b3b2d8250d6f5ffe58c242c7965b99e6fcf0a01a13b1a01cc1e60ff90702540 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3c201acefa387353cfcdb531a129839 |
| SHA1 | d45dc86bf196d6a20c170b6ac8ff365264972bb0 |
| SHA256 | 883add4c6036d91f5a9ed49a19a78a281fff784f78e40febbfd229e7264bd9c3 |
| SHA512 | 173639be5453ac6503a55d01dba486d26413026b3a333718953f6c537702830fb55b32add1764c0be1790bdf7340f7a05de47d719d55becc25929ae367acbaa9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da8d936428c3f23bf8ef5af8d50d8416 |
| SHA1 | 055e6b3acd8ffb47d88fc3980239d3eda1ccf0ff |
| SHA256 | 6dbcdc3a14ee8df85b31938a9f3e1423cb9e4a8e781555bd6db9f144dbda9716 |
| SHA512 | f9d7ffd48749727b6bc16bb718133459194930fe5e13c2dcb2b3fb0910cd2f55013cb3db092bd1319e804b8aa8879a438f2f487c46e0ded16923d5a9b37e6faa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3e396f8128232e3dcb4f9537e0d00a93 |
| SHA1 | 50fc23368d1e4edf0ef54533770075d36ffb9b6d |
| SHA256 | eaa2cbd3c17d9683eba90d568faa7441f43c002c2426780c29e15818853444b1 |
| SHA512 | ced2f83cc75975ca182042846d503339af59fe518410d241e5b5951f98aa38b25b15e6fb9a217fad90fda0d6f0f3fa1cb0a01bd5fef666a80738d7744239e31b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2bb4fea931f11ca8259138b9a3274fbb |
| SHA1 | 97e17bccb6a53a0286bb083cacab95c340f6af96 |
| SHA256 | 6d1a8a70afe6aae58ad05bd83c8cd5e09498cfcb9fb32936276e0b7881257fd3 |
| SHA512 | 50eb37e46728639f736b82a279bad3adac055868fad115158b8b501ef59a2821373da920869318d6bfcf04341c5266d6d163fb0a5d3d56dd7fa944839c8a7555 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e0792cb9e2152b2387f08537f8f8f1d6 |
| SHA1 | 590d7eefd6a9c28e77f4eff67ce29036dd7d4925 |
| SHA256 | 83c001d5218273c252a3cf41415de9147bbbf145ff033a3e32b5dacf69bccffb |
| SHA512 | e2b1cb81e0e98a95dd480a6d2e7994e8ed1625af534242299d5e727d446db33cb4fdbb31d67d0ba4d9f49b43217e018bce1c6a984cae689c628e8aa21d7de255 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aa9ab741da339542cca046d6e9d4a96e |
| SHA1 | 54dbfe4a69d8e3815e53d9032c890f98f2c8cc82 |
| SHA256 | 8a69f4440af8a6cd0fe5c718cbddb5bb061fe2daa9f74a04ff1b9880b594e66d |
| SHA512 | 3be24d0997e7f45a8f0f264de79dbe33abb21a1d011fe7bd796720ed40001468b19ff63fbd662e6903abc207dd9a80267160c2b5f20c2543f7c60947058d34fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 716823c433386727c8bc213470e85d40 |
| SHA1 | 083952183df12a4922e51b274e54e9fab4cc6c24 |
| SHA256 | c8d662cf8c2300de1121e6b6bfcc18d04638668d4e541d29408821ff682c71af |
| SHA512 | 2a73ec6438c7632e59eeec8c587ad2fced28692cd1046e03e4ac6157c09c6612819c649ed1ea84707e49a5b82098e1c28b593c3ee9872cf7559a6630f13a611d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fd97fc9f8213c946de6764abf1645ec |
| SHA1 | 9d48b350a2e77110756aa369d2de5369397415c9 |
| SHA256 | a1f8bfd76ae6e6c7e76d0a004e971197991d2c155d7efb09960038c6049e4ef9 |
| SHA512 | ef7a0bd9d1f6df474c6c86fbc2d11a0a9383d5ab5e60c230b120cf238416450364bed01328f9decb66c4a30eea7daa25bb25319b836bfaeca1ba08c9b62bd904 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a925c99cc0b95ee4f33ee4491854817f |
| SHA1 | b2ab43fc93bad81edadfe60d900faad9ffa6edff |
| SHA256 | 4e8f0fb06c67f380913d948f5b3567eba7b6c92f8ad6bdd61f82d175dc2b77c9 |
| SHA512 | ff965db02d4bff13ac77d31726fc2101e9b19397f9cd28161f5d69d73eaf6faf4ad04ee1eba2692e0f1b8e6ea637bf9052441f84ba8b90b9f1ad2ebf122fb722 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 435835d7e7bb18857bf7baea62b48df8 |
| SHA1 | e2c0ac8f9d924ba2987144fe2ec7a481b0cbc0cb |
| SHA256 | d2d59a8181438abd76b8c85faf83b6fce5496c15bcefff19a446cd9fb1ef7631 |
| SHA512 | 5724b9c139d542ac2e654e76caff4a96f43debeb25ebda00ff5e80ff53bd55bb4e58a8b292485fd28e3cd78458ff9568a8600bb8065cd95af74e4fc3b4127282 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 92beb4b80b92175130272f500823950b |
| SHA1 | d3292a233dbbac436613afac9046be8628dcc390 |
| SHA256 | 3bf7572f0275e8c9416fd39b9d5cc18d6fd606a99a1b03e53efcbe3dc0d5b673 |
| SHA512 | b45603e17bdc64cf4f204645aa7526a851bbdfbe75d544e3616be73b29a1b229bfade64bd30abef76c36ec262ce62ef58cd1ea5b0c1cba74e57a330a98f0eabe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e87fa68c2b2e3aa714d4a2007b843d28 |
| SHA1 | e3a4e281f46f9ff077d99cc5b1014ffba0da49b0 |
| SHA256 | fd28daccc4b24f24a58e56e894145fd8da1597f0d2d411208b8a4d03825cdd2c |
| SHA512 | ea26bbd55d0fad2d898c2d0f2504ae538e06d0a2336fa80c6f81c3163bd2100873b4457e925cba841767aed76e0bf7a9b459e3cff1f71249908994f094d0c9eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59542f108265f24abf980adcc23b4a26 |
| SHA1 | abc7cc57e83111046f531275542d5b734c5a76c3 |
| SHA256 | c33541bbbc65c5efb353a3ffe1da80163c823f30f9a279b1ce7f59aebd7c1cd5 |
| SHA512 | 6ccc9758ec3f91ba317937354a482b7c3469aaf763a8fa2fd233fffee83bd33ee49340058d805145f559ec5af999705d781e2e117d05764329715e5e9332db86 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d304cb1ee044164f3d0a599c78694d56 |
| SHA1 | baa3ef2bffc4d6181df7df0edce791e03714f7f0 |
| SHA256 | edfb39a7ec0f3eba7a2e59a966c74dec78e18b88fdc105bd37e83c78224d3434 |
| SHA512 | cacbe4017276da34e6e9ee6b4d671311ea6f2c3fa490290c598d347f90f2e2eb1e0538bedc46a799a4c7f8878db62ed759d31418c2d8eaaf5760c749b2502dda |
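For sweeping an estate, the usable atomic indicators in this report are the SHA256 values of the sample and of the two artefacts it writes (the OSIRIS-a000.htm note and DesktopOSIRIS.bmp), plus the two addresses the win7 run contacts on port 80: 195.123.211.6, reached three times with no hostname, and 188.127.239.53. The ieonline.microsoft.com connections are Internet Explorer telemetry triggered by opening the note and are not an indicator; the CryptnetUrlCache entries are certificate-revocation lookups by the browser. The script below is an added example, not part of the report: it hashes a directory tree against those SHA256 values and filters connection records against the C2 set. The connection-log format is an assumption and the sample records are constructed. A hash match only finds this exact build, so it complements rather than replaces the behavioural signatures above.

```python
"""IOC sweep built from the atomic indicators in this report: SHA256 of the
sample and of the two artefacts it wrote, and the two C2 addresses the win7
detonation contacted over HTTP. Added example, not part of the report. The
directory and log lines are supplied by the caller; test data is constructed."""
import hashlib
import os
import re

# From the report (SHA256 only; the MD5/SHA1 listed there add nothing).
IOC_HASHES = {
    "d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f":
        "sample (bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe)",
    "c650c406857d566def82d83693968ec0455c162a9dc8665f5f38bab3cabead8e":
        "OSIRIS-a000.htm (ransom note)",
    "42919e49e1564ba676e13b7dad8cc30839a2b51e30b37a3c8b67441f4278a811":
        "DesktopOSIRIS.bmp (wallpaper)",
}
# 195.123.211.6 is contacted three times with no hostname; 204.79.197.200
# (ieonline.microsoft.com) is IE telemetry and deliberately not listed.
C2_ADDRESSES = {"195.123.211.6", "188.127.239.53"}

# Assumed log shape: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large archives do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, iocs=IOC_HASHES):
    """Walk root; return [(path, label)] for files whose SHA256 is an IOC."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable: skip it, do not abort the sweep
            if digest in iocs:
                found.append((path, iocs[digest]))
    return found


def match_connections(lines, c2=C2_ADDRESSES):
    """Return [(ts, src, dst, dport)] for records whose destination is a C2."""
    matched = []
    for line in lines:
        m = CONN_RE.match(line)
        if m and m.group("dst") in c2:
            matched.append((m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))))
    return matched


# Constructed records shaped after the report's Network table.
SAMPLE_LOG = [
    "2024-12-03T07:20:11Z 10.0.0.5:49213 -> 195.123.211.6:80 tcp",
    "2024-12-03T07:20:12Z 10.0.0.5:49214 -> 188.127.239.53:80 tcp",
    "2024-12-03T07:20:15Z 10.0.0.5:49220 -> 204.79.197.200:443 tcp",
    "2024-12-03T07:20:16Z 10.0.0.5:49221 -> 195.123.211.6:80 tcp",
]

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in sweep_files(root):
        print(f"HASH MATCH  {path}  ({label})")
    for ts, src, dst, dport in match_connections(SAMPLE_LOG):
        print(f"C2 CONTACT  {ts}  {src} -> {dst}:{dport}")
```

Run it with the directory to sweep as the first argument; the connection check reads the embedded constructed records, so swap in a reader for your own proxy or NetFlow export and keep `C2_ADDRESSES` as the match set.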
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-03 07:19
Reported
2024-12-03 07:21
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Locky
Locky (Osiris variant)
Locky family
Locky_osiris family
Indicator Removal: File Deletion
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\DesktopOSIRIS.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x48,0x108,0x7ffe58ea46f8,0x7ffe58ea4708,0x7ffe58ea4718
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11438732743535674965,6408645584395830809,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.245.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| LV | 195.123.211.6:80 | | tcp |
| RU | 188.127.239.53:80 | 188.127.239.53 | tcp |
| LV | 195.123.211.6:80 | | tcp |
| US | 8.8.8.8:53 | 53.239.127.188.in-addr.arpa | udp |
| LV | 195.123.211.6:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.245.20.2.in-addr.arpa | udp |
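Most rows in the Network table are reverse (PTR) lookups sent to 8.8.8.8 by the sandbox guest itself; the rows that matter for this sample are the direct TCP connections to port 80 on 195.123.211.6 and 188.127.239.53. The script below is an added triage example, not part of the sandbox report: it parses rows in the table's format (tolerating rows whose Domain cell was left empty and the protocol shifted one column left), turns `in-addr.arpa` names back into IP addresses, separates direct connections from DNS and multicast noise, and flags any direct destination that the guest also reverse-resolved. The embedded rows are a constructed excerpt copied from the table above; all function names are this example's own.

```python
import re

# Constructed excerpt of the report's Network table (not the full listing).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| LV | 195.123.211.6:80 | tcp | |
| RU | 188.127.239.53:80 | 188.127.239.53 | tcp |
| LV | 195.123.211.6:80 | tcp | |
| US | 8.8.8.8:53 | 53.239.127.188.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_rows(table):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # skip blank lines and the header row
        country, dest = cells[0], cells[1]
        # Tolerate shifted rows: the protocol is whichever trailing cell is tcp/udp,
        # and the domain is the remaining non-empty cell, if any.
        tail = cells[2:]
        proto = next((c for c in tail if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in tail if c and c != proto), "")
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    """Split rows into PTR lookups, direct connections and multicast noise,
    then correlate reverse-resolved IPs against direct destinations."""
    ptr = {}      # PTR query name -> IP it refers to
    direct = {}   # destination IP -> ports, country, hit count
    noise = []    # multicast (mDNS etc.) destinations
    for r in rows:
        host, _, port = r["dest"].rpartition(":")
        if host.startswith("224."):
            noise.append(r["dest"])
            continue
        if port == "53":
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr[r["domain"]] = ip
            continue
        entry = direct.setdefault(host, {"ports": set(), "country": r["country"], "hits": 0})
        entry["ports"].add(port)
        entry["hits"] += 1
    ptr_ips = set(ptr.values())
    correlated = sorted(ip for ip in direct if ip in ptr_ips)
    return {"ptr": ptr, "direct": direct, "noise": noise, "correlated": correlated}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for ip, info in result["direct"].items():
        print(f"direct {ip} ports={sorted(info['ports'])} hits={info['hits']} ({info['country']})")
    print("reverse-resolved and contacted:", result["correlated"])
```

On the excerpt, the direct destinations come out as 195.123.211.6 (two hits on port 80) and 188.127.239.53, and 188.127.239.53 is also the target of the `53.239.127.188.in-addr.arpa` lookup, which is the kind of pairing worth carrying into a blocklist or a detection rule rather than the PTR noise around it.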
Files
memory/3324-0-0x00000000022C0000-0x0000000002351000-memory.dmp
memory/3324-1-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-2-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-3-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-4-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-5-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-6-0x00000000022C0000-0x0000000002351000-memory.dmp
memory/3324-7-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-8-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3324-10-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-11-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3324-14-0x0000000002260000-0x0000000002287000-memory.dmp
memory/3324-13-0x0000000002260000-0x0000000002287000-memory.dmp
memory/3324-15-0x0000000002260000-0x0000000002287000-memory.dmp
C:\Users\Admin\Music\OSIRIS-2488.htm
| MD5 | 10a9f01c9caa1ac167ab62adfa8106e6 |
| SHA1 | 8f320301159cd7fcb041368af86dc4ff27963fb0 |
| SHA256 | 375bf49117c36e801275f7274608056ba9a5d9946f73cb3ae745a5520e24f3bb |
| SHA512 | ab269c268e4cb379564c782f9c2d7ff879ff6de827d1b7c58682c7b73ca0623c74b221fd512156a8f3b462f074541601b0bfceed0444162ba31988a45339f1f1 |
memory/3324-357-0x0000000002260000-0x0000000002287000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 61cef8e38cd95bf003f5fdd1dc37dae1 |
| SHA1 | 11f2f79ecb349344c143eea9a0fed41891a3467f |
| SHA256 | ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e |
| SHA512 | 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d |
\??\pipe\LOCAL\crashpad_1456_LCKVPKJOBUGWLTFZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0a9dc42e4013fc47438e96d24beb8eff |
| SHA1 | 806ab26d7eae031a58484188a7eb1adab06457fc |
| SHA256 | 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151 |
| SHA512 | 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6e30bf4cd12bb65b04ba8d51b47ee6b7 |
| SHA1 | 8bae8417ba7821ce89f8043952bd57456fc9b276 |
| SHA256 | 5c39d2023dd7d9b59593740f96c8709775531076257bdbed4cc8c40dc3d95a81 |
| SHA512 | c3f8c4294b76dbcc3658ac45c95504c43cece543b3056bb1c5e30cef192a318a6c9f2ebe243ff6f9c1525f443571da72bc1ce37d0b9f5aa83f780e6526203f8a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5985f94adb0f7920e6684b9a7dfdcf9a |
| SHA1 | 94e3189679241e40305d5ea320ad46d0a49927c9 |
| SHA256 | 5f81bae9c313c04d160cf93f9b4f9e99452c6c56bbe3c47ef4d6c0d0106e9924 |
| SHA512 | 8a5c997121832a2141079b15061d1b327571f0695e3c3f812c8384c239aa3ebb273f5950a082ae7894218f2f8f7a0aa7ddac6ab0ae39626033959b1dfe3325d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 93687e1505c1ec7b0035ee138a0f818f |
| SHA1 | 30e0aac75198771077bce9793b3a01e986a83c85 |
| SHA256 | 740bd997b59ef1b56e71d849321ec4dc3e98e82763cdd15dc0e741e67411b314 |
| SHA512 | 9f1cb21b6b8fb23d288db126ab5f2437d27cdca0c9dd0d4b679d4c83c0ed3206cef710246be1a10b342cdc363494e1cd28fd05dcadf3ed892cf282ff7ce37c00 |
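The Files section mixes three things: memory dumps of PID 3324 (the same few regions dumped repeatedly, including 0x400000-0x45B000, the sample's own image range), the OSIRIS ransom note dropped in the user's Music folder, and Edge profile churn from the sandbox opening that note, plus one crashpad pipe whose MD5/SHA1/SHA256 are the digests of zero-length input. The script below is an added example (not part of the report) that parses this listing format: it collapses the dump names into distinct memory regions per PID with their sizes, recomputes the empty-input digests with `hashlib` to flag entries that carry no content, and separates the ransom note from browser noise. The embedded listing is a constructed excerpt of the entries above; function and variable names are this example's own.

```python
import hashlib
import re

# Constructed excerpt of the report's Files listing (not the full listing).
FILES_LISTING = r"""
memory/3324-0-0x00000000022C0000-0x0000000002351000-memory.dmp
memory/3324-1-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3324-8-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3324-11-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3324-14-0x0000000002260000-0x0000000002287000-memory.dmp
C:\Users\Admin\Music\OSIRIS-2488.htm
| MD5 | 10a9f01c9caa1ac167ab62adfa8106e6 |
| SHA1 | 8f320301159cd7fcb041368af86dc4ff27963fb0 |
| SHA256 | 375bf49117c36e801275f7274608056ba9a5d9946f73cb3ae745a5520e24f3bb |
\??\pipe\LOCAL\crashpad_1456_LCKVPKJOBUGWLTFZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6e30bf4cd12bb65b04ba8d51b47ee6b7 |
| SHA1 | 8bae8417ba7821ce89f8043952bd57456fc9b276 |
| SHA256 | 5c39d2023dd7d9b59593740f96c8709775531076257bdbed4cc8c40dc3d95a81 |
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Digests of zero-length input, computed rather than hard-coded.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


def parse_files(listing):
    """Return (memory dumps, files); hash rows attach to the preceding path line."""
    dumps, files = [], []
    current = None
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            continue
        if line.startswith("|"):
            algo, digest = [c.strip() for c in line.strip("|").split("|")]
            if current is not None:
                current["hashes"][algo.upper()] = digest.lower()
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return dumps, files


def memory_regions(dumps):
    """Distinct (pid, start, end) regions with size and number of dumps taken."""
    regions = {}
    for d in dumps:
        key = (d["pid"], d["start"], d["end"])
        r = regions.setdefault(key, {"size": d["end"] - d["start"], "dumps": 0})
        r["dumps"] += 1
    return regions


def classify_files(files):
    """Bucket file entries: empty content, ransom note, browser noise, other."""
    out = {"empty": [], "ransom_notes": [], "browser_noise": [], "other": []}
    for f in files:
        h = f["hashes"]
        if h and all(h[a] == EMPTY_DIGESTS.get(a) for a in h):
            out["empty"].append(f["path"])
        elif re.search(r"\\OSIRIS-[0-9A-Fa-f]+\.htm$", f["path"]):
            out["ransom_notes"].append(f["path"])  # Locky Osiris note name pattern from the report
        elif "\\Microsoft\\Edge\\User Data\\" in f["path"]:
            out["browser_noise"].append(f["path"])
        else:
            out["other"].append(f["path"])
    return out


if __name__ == "__main__":
    dumps, files = parse_files(FILES_LISTING)
    for (pid, start, end), info in sorted(memory_regions(dumps).items()):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} size=0x{info['size']:X} dumps={info['dumps']}")
    for bucket, paths in classify_files(files).items():
        print(bucket, paths)
```

The region summary is the quick way to decide which dump to open first: 0x400000-0x45B000 is the only region that lines up with a loaded PE image base, and the repeated single-page dumps at 0x2210000 are unlikely to hold anything worth carving. Entries whose digests all equal the empty-input values can be dropped from an IOC set outright.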