avoslocker | e7d9a5b611a026cfe696e863dba29097e604f198c54f5da18b7db4a810f22d4f

Analysis

max time kernel
132s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2025, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
Size

921KB
MD5

075cb88f83fbe4ad2ae0f553697e7bdf
SHA1

773dce7c01a42e8371cf49ceda07f26cba0907b9
SHA256

be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70
SHA512

3f0a503acbfffc79eed37597d59e313c31f6b5451fdad79eacd611119ec17a4a245928079993689811a5695ad310951a282b1c493d08bdb31aa2b5fdbf63bf67
SSDEEP

24576:SnkXEg1ZlhKG+WWZtCpDCE5Ie534SCeTpOl135HlIp:SkXEg1ZlIzZtCpGE5j5oSHOlxdlIp

Score

10^/10

avoslocker discovery execution ransomware

Malware Config

Signatures

Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
ransomware avoslocker
Avoslocker family
avoslocker
Renames multiple (137) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
44	4252	Process not Found

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\360593556.png"	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4228	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1348	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839167918142152"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4000	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4228	powershell.exe
4228	powershell.exe
1656	chrome.exe
1656	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 4228	844	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe	87
PID 844 wrote to memory of 4228	844	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe	87
PID 844 wrote to memory of 4228	844	be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe	87
PID 4228 wrote to memory of 2020	4228	powershell.exe	92
PID 4228 wrote to memory of 2020	4228	powershell.exe	92
PID 4228 wrote to memory of 2020	4228	powershell.exe	92
PID 4228 wrote to memory of 3544	4228	powershell.exe	93
PID 4228 wrote to memory of 3544	4228	powershell.exe	93
PID 4228 wrote to memory of 3544	4228	powershell.exe	93
PID 1656 wrote to memory of 4540	1656	chrome.exe	105
PID 1656 wrote to memory of 4540	1656	chrome.exe	105
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 2892	1656	chrome.exe	106
PID 1656 wrote to memory of 4504	1656	chrome.exe	107
PID 1656 wrote to memory of 4504	1656	chrome.exe	107
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108
PID 1656 wrote to memory of 3068	1656	chrome.exe	108

C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\360593556.png /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3544

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4000

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUEyQjFDNTktOTc0NC00MzhELUI5RkMtN0FDMEY3RTVDMkVCfSIgdXNlcmlkPSJ7MDhGOUZFMkEtMzE2NS00NkZDLUFDRkYtMEIwRTQ2QkI1NTY5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzRCQzk0MEQtMkE2QS00QkMyLTgxMDMtM0RGRjJCNUU3NTlDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjgyNzE0MzU4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff90db1cc40,0x7ff90db1cc4c,0x7ff90db1cc58
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1556,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4440,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5336,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3400,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:5040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
d90d05a5fea9c28b3bf2b55f808c3a45

SHA1
7774c79c85b4401acfc56002f9e8a3e10e8a7b60

SHA256
8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec

SHA512
783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
1adfaf50cbb64b844a4d3dadfb7c8d88

SHA1
0acb2355c1d3b49fdf1b4086382bfb5c9def468b

SHA256
507ce704f633df7c108e2f0bcc62c6005a438243662bad372ec8ed3d97bc723e

SHA512
f22034441ed15e6fde81f02a89819b4ce819db2914955535a467dba26b82bd6a7bc947718fb71e9837389dd8f00518bced4992f9a3b1e200571d805c1bf577db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
515fb88af27a09352c3e0762cbf22b70

SHA1
13127d44af4c50620f895c4057cd789ebcaccd61

SHA256
d1cfed4829c9f5ffef6b3acf5014878a3a123d0627a04c047e9941461ed7d0b6

SHA512
c58ca3291d1dd87f7d41e3b853c96cec25f596341144840345872904321b57d336475f42286b12a0d9aff88d24cd3a17a65a04fe1b69ed049ba0d32406dbfb3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7b82dd54-fc3f-425e-a474-ad671fe72ea0.tmp

Filesize
354B

MD5
370135f315f06d149eaca2bc44967cc1

SHA1
6702da42006fda3171e0d753ee6bbc2e9818feb8

SHA256
a6ac96e85d6fadb0f02bc9ec10b64276a88819688ed70ce568c779d7d7560091

SHA512
0ca90c091f425c004fb3b23ce3e80da0409b3a01672d3903151c99b5a7e54aec2d760cc6560e2cfb2d610506a8810bc0fad40ad8d76edf3d4b77450b9a59a94c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
254017016896ecfeebcb379f32b7b60b

SHA1
137cb364a745f5d6b4ca25079851bc882f0dd52b

SHA256
c380d437e70f5c18c9098c63378a5694b909d584d79e1ff388c07ab22cf7939f

SHA512
8ba5f048aeaf9cd03c07bfc77a4c9a963797f59e6a7992984403142e911f5f3f2b2b370b8b4f6455b5fe70c90e6341c739335f7ed821056d25e318c0360514c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a0fa3ebe1bb62df923dbfd12304d4720

SHA1
2b5dbf4407b5fe64b2f4e1a80cf6816c91b5f097

SHA256
90f89431ccdb4485f9b83d0eeb28a8ea75a61703d82f3a2fe2bfa88d8e1cee4f

SHA512
cee602672df26e2d4fd7adc1585dd9a4395b3769c44ed017b6f1d756d6fc78fbea2e8e54a918e933378faa9833b1923c4a1d88c2e8597ce9aacf8a31179c1ecb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
481528af8774fef3bd029f069d75b4c2

SHA1
df366091c8076d356ddbf3b80181a0c89f28e051

SHA256
d31b38e3dc7440374c4cd5dad139b44696b7f6070a6fdbd0b957e66189af41f2

SHA512
e39dc6819235b766c526b7e22e257e1b964e00785e3931ebf6b8d0ac332b106ee9ab5692add5f9495403a88d1e33dfde6572898bb8011857b29876deda890a2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a0f5df486cc2c6854f6368ded51b835

SHA1
a09eef1b782c5a89c67a3c587c821d45ed70213b

SHA256
23f3cd81ddcd06f074a413045e98f8381edd9e9f10d8a98245022201ef9fcf87

SHA512
3e905859ae6ca910a9fee830590152fc1f6403d2bc80f1c3a1c0b7747e8139e68b4aff026d092f2f99f5fa218aa07271648b3e238313a4e0193180b6706ddf77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b93342648ccd7df099ce988f65c756fe

SHA1
d806614b1fa6d1cf0fb6a1538e67996ba3d3119b

SHA256
3d08598553a7892d98dc58ade56509571b66798c2b981fbaab773c75439de848

SHA512
6f06692c0165cf061bb26a11fa47b471c87a35a4e8630199bc6e62ab87cde14096d1ada5e6b495daffc814209b9767d567baaf4ea88c17c68f4a73b05f88c36a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7a238fff18d10a7bf14d705e42439eed

SHA1
b0a83ad8558c9026ae559c600e9318da2f6db86a

SHA256
ada5b9d466c97be45af9cf81b2b12e3af393ae2991bdbb1070cc2f62c520250c

SHA512
9b93d3db495349c3efb2e2c3017386f1ee90619e2c262dd2ab244afe8a2c7f6f25059604c33a3b70ca404eba991e55816b8de58121ef825f40c9b08511a9132b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8cb5aa65411c596f9f629d83bab0b97a

SHA1
580538ee2be6a01665e96978d072153a60a3d838

SHA256
d81320aaf160fe32b1f911f850f06aa195dc1fdbb38ca7345574ea3b2b96271b

SHA512
376cb13734806a2f7a06703812166f9a8733306465ac592015bc2b59936b2e484b827f13994f6c091ae224d0a5d81ac65a5f29db1e1b0b05b0c89631cec7a5fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
4a969ded9e52e6f82408f40805d5e247

SHA1
522b9b1cfa88276246c316e0667701e3c053546c

SHA256
95a489842817b5b321bac26fdee7b5f3d4b21e1dc3f1beb41bd1625eb110c1b2

SHA512
302184789c4b283559f94b57155e7406ca5d99fd001911891c45b8323e71100be18cd05b5a1f1a3cc9c3989dc5f6459ca888a9e88c087e927cc6481d01d2e4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
fafbdf3d0ace6fac7e579d72f79c5f50

SHA1
e853cc0f1f13fe8d59b2d8acc15b4d9b57e7a68e

SHA256
6597d58f85830d58743aa320bbdcb70f08c5be531bbd539cf73f180da5d294f9

SHA512
1f849d5caad2f6e1ef538e3f7534c1677c66ef7029a48a61aa956756782e37577ea7d7c5315be846def02c8c5d9ca3f17f82c561a7a00251aac325897fc769da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
bcfbd509803382bdbd6dd3802db06450

SHA1
5d34a609c38d53dfcfd6cc268dede45278c2f530

SHA256
04457850d7c7fb9e9d641e2705c659eeac2ec38ec73b138e9e29bdd75523096f

SHA512
0e44e6055653607f14b45876ce67d3a3e9b6599762623748345982dc5edbb56c2b86a21b29bfe28843745945435ecc1953d05abf3484367145148354ce656bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
6aff817a0d91bd897a48a07bcc40c00a

SHA1
0cedf7af210bc4f4668fb4fcbf784ff68d7432b1

SHA256
68e5e013ae96a1e3e1b870db6afd784d905822355a2bf6e0686c9a46fbc11aee

SHA512
fc3939caf000048db67e9abdf9e71b33a8fcec1cb7cb443a5ba7db6155bfefd6cb0e32f185b7d5cdd688b806a42fd0b011c202f20b5154b9be6e57c49eebb656

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atyq3lbc.00o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4228-397-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/4228-418-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/4228-414-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/4228-413-0x0000000007530000-0x00000000075C2000-memory.dmp

Filesize
584KB

Download
memory/4228-412-0x0000000006610000-0x000000000662A000-memory.dmp

Filesize
104KB

Download
memory/4228-411-0x0000000007730000-0x0000000007DAA000-memory.dmp

Filesize
6.5MB

Download
memory/4228-409-0x0000000006100000-0x000000000614C000-memory.dmp

Filesize
304KB

Download
memory/4228-408-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/4228-407-0x0000000005AD0000-0x0000000005E24000-memory.dmp

Filesize
3.3MB

Download
memory/4228-396-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4228-395-0x0000000005100000-0x0000000005122000-memory.dmp

Filesize
136KB

Download
memory/4228-394-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/4228-392-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/4228-393-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/4228-391-0x0000000002790000-0x00000000027C6000-memory.dmp

Filesize
216KB

Download
memory/4228-390-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download