Analysis Overview
SHA256
e7d9a5b611a026cfe696e863dba29097e604f198c54f5da18b7db4a810f22d4f
Threat Level: Known bad
The file be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.7z was found to be: Known bad.
Malicious Activity Summary
Avoslocker family
Avoslocker Ransomware
Renames multiple (137) files with added filename extension
Renames multiple (191) files with added filename extension
Downloads MZ/PE file
Sets desktop wallpaper using registry
System Network Configuration Discovery: Internet Connection Discovery
Command and Scripting Interpreter: PowerShell
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-13 10:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-13 10:37
Reported
2025-02-13 10:40
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Avoslocker Ransomware
Avoslocker family
Renames multiple (191) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1340577695.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1340577695.png /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
Network
Files
F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt
| MD5 | d90d05a5fea9c28b3bf2b55f808c3a45 |
| SHA1 | 7774c79c85b4401acfc56002f9e8a3e10e8a7b60 |
| SHA256 | 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec |
| SHA512 | 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a |
memory/2036-461-0x0000000073EE1000-0x0000000073EE2000-memory.dmp
memory/2036-462-0x0000000073EE0000-0x000000007448B000-memory.dmp
memory/2036-463-0x0000000073EE0000-0x000000007448B000-memory.dmp
memory/2036-464-0x0000000073EE0000-0x000000007448B000-memory.dmp
memory/2036-467-0x0000000073EE0000-0x000000007448B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-13 10:37
Reported
2025-02-13 10:40
Platform
win10v2004-20250211-en
Max time kernel
132s
Max time network
140s
Command Line
Signatures
Avoslocker Ransomware
Avoslocker family
Renames multiple (137) files with added filename extension
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\360593556.png" | C:\Windows\SysWOW64\reg.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839167918142152" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe
"C:\Users\Admin\AppData\Local\Temp\be19681b21f2a573b477444a788e00eb8dad2d740d11c02f14e878fe5b89fa70.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\360593556.png /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjgyNzE0MzU4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff90db1cc40,0x7ff90db1cc4c,0x7ff90db1cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2008 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1556,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2460 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3160 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3212 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4056 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4696 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4820 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4748 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4848 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4440,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5336,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3448 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3400,i,1603035896231584624,9733048734170316239,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4484 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.234:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 142.250.180.14:443 | clients2.google.com | udp |
| GB | 142.250.180.14:443 | clients2.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | dns-tunnel-check.googlezip.net | udp |
| US | 8.8.8.8:53 | tunnel.googlezip.net | udp |
| US | 216.239.34.157:443 | tunnel.googlezip.net | tcp |
| GB | 172.217.16.234:443 | ogads-pa.googleapis.com | tcp |
| GB | 172.217.16.234:443 | ogads-pa.googleapis.com | udp |
| US | 216.239.34.157:443 | tunnel.googlezip.net | tcp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | tcp |
| GB | 142.250.200.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | locate.measurementlab.net | udp |
| GB | 142.250.187.243:443 | locate.measurementlab.net | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| GB | 142.250.178.14:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | ndt-mlab2-lhr04.mlab-oti.measurement-lab.org | udp |
| GB | 142.250.178.14:443 | consent.google.com | tcp |
| GB | 195.89.146.24:443 | ndt-mlab2-lhr04.mlab-oti.measurement-lab.org | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 216.239.34.157:443 | tunnel.googlezip.net | tcp |
| US | 216.239.34.157:443 | tunnel.googlezip.net | tcp |
| US | 216.239.34.157:443 | tunnel.googlezip.net | tcp |
| US | 216.239.34.157:443 | tunnel.googlezip.net | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
Files
C:\GET_YOUR_FILES_BACK.txt
| MD5 | d90d05a5fea9c28b3bf2b55f808c3a45 |
| SHA1 | 7774c79c85b4401acfc56002f9e8a3e10e8a7b60 |
| SHA256 | 8a9b224d68a718e7cd4da069a158408d9c71fb8ecc4e4a6581982d7a35b29cec |
| SHA512 | 783d830a0d75911da6878ea58f7191f1438a429e232c63db86e6f09a1bb390ec7ee72f10db1ee695177686cacab24c9e58f61e7d403d75dd9c817c592131170a |
memory/4228-390-0x0000000073F8E000-0x0000000073F8F000-memory.dmp
memory/4228-391-0x0000000002790000-0x00000000027C6000-memory.dmp
memory/4228-393-0x0000000073F80000-0x0000000074730000-memory.dmp
memory/4228-392-0x00000000052C0000-0x00000000058E8000-memory.dmp
memory/4228-394-0x0000000073F80000-0x0000000074730000-memory.dmp
memory/4228-395-0x0000000005100000-0x0000000005122000-memory.dmp
memory/4228-396-0x00000000059F0000-0x0000000005A56000-memory.dmp
memory/4228-397-0x0000000005A60000-0x0000000005AC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atyq3lbc.00o.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4228-407-0x0000000005AD0000-0x0000000005E24000-memory.dmp
memory/4228-408-0x00000000060C0000-0x00000000060DE000-memory.dmp
memory/4228-409-0x0000000006100000-0x000000000614C000-memory.dmp
memory/4228-411-0x0000000007730000-0x0000000007DAA000-memory.dmp
memory/4228-412-0x0000000006610000-0x000000000662A000-memory.dmp
memory/4228-413-0x0000000007530000-0x00000000075C2000-memory.dmp
memory/4228-414-0x0000000073F80000-0x0000000074730000-memory.dmp
memory/4228-418-0x0000000073F80000-0x0000000074730000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | bcfbd509803382bdbd6dd3802db06450 |
| SHA1 | 5d34a609c38d53dfcfd6cc268dede45278c2f530 |
| SHA256 | 04457850d7c7fb9e9d641e2705c659eeac2ec38ec73b138e9e29bdd75523096f |
| SHA512 | 0e44e6055653607f14b45876ce67d3a3e9b6599762623748345982dc5edbb56c2b86a21b29bfe28843745945435ecc1953d05abf3484367145148354ce656bcf |
\??\pipe\crashpad_1656_RKXWKXNISUXIWWNA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4a969ded9e52e6f82408f40805d5e247 |
| SHA1 | 522b9b1cfa88276246c316e0667701e3c053546c |
| SHA256 | 95a489842817b5b321bac26fdee7b5f3d4b21e1dc3f1beb41bd1625eb110c1b2 |
| SHA512 | 302184789c4b283559f94b57155e7406ca5d99fd001911891c45b8323e71100be18cd05b5a1f1a3cc9c3989dc5f6459ca888a9e88c087e927cc6481d01d2e4e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7a238fff18d10a7bf14d705e42439eed |
| SHA1 | b0a83ad8558c9026ae559c600e9318da2f6db86a |
| SHA256 | ada5b9d466c97be45af9cf81b2b12e3af393ae2991bdbb1070cc2f62c520250c |
| SHA512 | 9b93d3db495349c3efb2e2c3017386f1ee90619e2c262dd2ab244afe8a2c7f6f25059604c33a3b70ca404eba991e55816b8de58121ef825f40c9b08511a9132b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | a0fa3ebe1bb62df923dbfd12304d4720 |
| SHA1 | 2b5dbf4407b5fe64b2f4e1a80cf6816c91b5f097 |
| SHA256 | 90f89431ccdb4485f9b83d0eeb28a8ea75a61703d82f3a2fe2bfa88d8e1cee4f |
| SHA512 | cee602672df26e2d4fd7adc1585dd9a4395b3769c44ed017b6f1d756d6fc78fbea2e8e54a918e933378faa9833b1923c4a1d88c2e8597ce9aacf8a31179c1ecb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 481528af8774fef3bd029f069d75b4c2 |
| SHA1 | df366091c8076d356ddbf3b80181a0c89f28e051 |
| SHA256 | d31b38e3dc7440374c4cd5dad139b44696b7f6070a6fdbd0b957e66189af41f2 |
| SHA512 | e39dc6819235b766c526b7e22e257e1b964e00785e3931ebf6b8d0ac332b106ee9ab5692add5f9495403a88d1e33dfde6572898bb8011857b29876deda890a2b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 8cb5aa65411c596f9f629d83bab0b97a |
| SHA1 | 580538ee2be6a01665e96978d072153a60a3d838 |
| SHA256 | d81320aaf160fe32b1f911f850f06aa195dc1fdbb38ca7345574ea3b2b96271b |
| SHA512 | 376cb13734806a2f7a06703812166f9a8733306465ac592015bc2b59936b2e484b827f13994f6c091ae224d0a5d81ac65a5f29db1e1b0b05b0c89631cec7a5fc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7b82dd54-fc3f-425e-a474-ad671fe72ea0.tmp
| MD5 | 370135f315f06d149eaca2bc44967cc1 |
| SHA1 | 6702da42006fda3171e0d753ee6bbc2e9818feb8 |
| SHA256 | a6ac96e85d6fadb0f02bc9ec10b64276a88819688ed70ce568c779d7d7560091 |
| SHA512 | 0ca90c091f425c004fb3b23ce3e80da0409b3a01672d3903151c99b5a7e54aec2d760cc6560e2cfb2d610506a8810bc0fad40ad8d76edf3d4b77450b9a59a94c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b93342648ccd7df099ce988f65c756fe |
| SHA1 | d806614b1fa6d1cf0fb6a1538e67996ba3d3119b |
| SHA256 | 3d08598553a7892d98dc58ade56509571b66798c2b981fbaab773c75439de848 |
| SHA512 | 6f06692c0165cf061bb26a11fa47b471c87a35a4e8630199bc6e62ab87cde14096d1ada5e6b495daffc814209b9767d567baaf4ea88c17c68f4a73b05f88c36a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2a0f5df486cc2c6854f6368ded51b835 |
| SHA1 | a09eef1b782c5a89c67a3c587c821d45ed70213b |
| SHA256 | 23f3cd81ddcd06f074a413045e98f8381edd9e9f10d8a98245022201ef9fcf87 |
| SHA512 | 3e905859ae6ca910a9fee830590152fc1f6403d2bc80f1c3a1c0b7747e8139e68b4aff026d092f2f99f5fa218aa07271648b3e238313a4e0193180b6706ddf77 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 6aff817a0d91bd897a48a07bcc40c00a |
| SHA1 | 0cedf7af210bc4f4668fb4fcbf784ff68d7432b1 |
| SHA256 | 68e5e013ae96a1e3e1b870db6afd784d905822355a2bf6e0686c9a46fbc11aee |
| SHA512 | fc3939caf000048db67e9abdf9e71b33a8fcec1cb7cb443a5ba7db6155bfefd6cb0e32f185b7d5cdd688b806a42fd0b011c202f20b5154b9be6e57c49eebb656 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1adfaf50cbb64b844a4d3dadfb7c8d88 |
| SHA1 | 0acb2355c1d3b49fdf1b4086382bfb5c9def468b |
| SHA256 | 507ce704f633df7c108e2f0bcc62c6005a438243662bad372ec8ed3d97bc723e |
| SHA512 | f22034441ed15e6fde81f02a89819b4ce819db2914955535a467dba26b82bd6a7bc947718fb71e9837389dd8f00518bced4992f9a3b1e200571d805c1bf577db |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | fafbdf3d0ace6fac7e579d72f79c5f50 |
| SHA1 | e853cc0f1f13fe8d59b2d8acc15b4d9b57e7a68e |
| SHA256 | 6597d58f85830d58743aa320bbdcb70f08c5be531bbd539cf73f180da5d294f9 |
| SHA512 | 1f849d5caad2f6e1ef538e3f7534c1677c66ef7029a48a61aa956756782e37577ea7d7c5315be846def02c8c5d9ca3f17f82c561a7a00251aac325897fc769da |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 254017016896ecfeebcb379f32b7b60b |
| SHA1 | 137cb364a745f5d6b4ca25079851bc882f0dd52b |
| SHA256 | c380d437e70f5c18c9098c63378a5694b909d584d79e1ff388c07ab22cf7939f |
| SHA512 | 8ba5f048aeaf9cd03c07bfc77a4c9a963797f59e6a7992984403142e911f5f3f2b2b370b8b4f6455b5fe70c90e6341c739335f7ed821056d25e318c0360514c7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | 515fb88af27a09352c3e0762cbf22b70 |
| SHA1 | 13127d44af4c50620f895c4057cd789ebcaccd61 |
| SHA256 | d1cfed4829c9f5ffef6b3acf5014878a3a123d0627a04c047e9941461ed7d0b6 |
| SHA512 | c58ca3291d1dd87f7d41e3b853c96cec25f596341144840345872904321b57d336475f42286b12a0d9aff88d24cd3a17a65a04fe1b69ed049ba0d32406dbfb3c |