chaos | a19228e0bf1b1aa215e84f0381b6f4ec16e4dc5831089600678a3d6c2eed0936

Resubmissions

20-02-2025 09:24

250220-lc7t4s1pft 10

Analysis

max time kernel
573s
max time network
493s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
20-02-2025 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
Size

27KB
MD5

1dea80c3acd337a732a41b1ef0a655c9
SHA1

0c183db452f00bd5282de8c589b5ca39ff671dd6
SHA256

a19228e0bf1b1aa215e84f0381b6f4ec16e4dc5831089600678a3d6c2eed0936
SHA512

f42e8c34379afc24ac9dd3d87b6284571e60932d8dfe6b088cf30dd655416a894ad03e95c63b538d55fb20d082b9a3c0024cd4f8740665e13c8be7eef3070f62
SSDEEP

384:OtWZPzzxAm1vmSZUoGnpjCG+N/y81lxOy5o91ns3J82v4:T7zxAmXZUoGwG+0Kho9VQ82A

Score

10^/10

chaos defense_evasion discovery evasion execution impact motw persistence phishing ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/3064-1-0x00000000000F0000-0x00000000000FE000-memory.dmp	family_chaos
behavioral1/files/0x001c00000002ae2c-7.dat	family_chaos

Chaos family
chaos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4160	bcdedit.exe
2672	bcdedit.exe
6140	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2236	wbadmin.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
539	2036	chrome.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2272	svchost.exe
7968	FRST64.exe
6676	FRST64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
425	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html	2036	chrome.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001900000002b2b0-1719.dat	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\FRST64.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	FRST64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	FRST64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	FRST64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	FRST64.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	FRST64.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3392	vssadmin.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133845235389917073"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies system certificate store 2 TTPs 9 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FRST64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FRST64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FRST64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	FRST64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FRST64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	FRST64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FRST64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	FRST64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FRST64.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy	FRST64.exe
File opened for modification	C:\Users\Admin\Downloads\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	FRST64.exe
File opened for modification	C:\Users\Admin\Downloads\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy	FRST64.exe
File opened for modification	C:\Users\Admin\Downloads\FRST64.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	FRST64.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1632	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
2272	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
2272	svchost.exe
4028	chrome.exe
4028	chrome.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
7968	FRST64.exe
6676	FRST64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
6376	chrome.exe
6376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
Token: SeDebugPrivilege	2272	svchost.exe
Token: SeBackupPrivilege	4152	vssvc.exe
Token: SeRestorePrivilege	4152	vssvc.exe
Token: SeAuditPrivilege	4152	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe
Token: SeSecurityPrivilege	1064	WMIC.exe
Token: SeTakeOwnershipPrivilege	1064	WMIC.exe
Token: SeLoadDriverPrivilege	1064	WMIC.exe
Token: SeSystemProfilePrivilege	1064	WMIC.exe
Token: SeSystemtimePrivilege	1064	WMIC.exe
Token: SeProfSingleProcessPrivilege	1064	WMIC.exe
Token: SeIncBasePriorityPrivilege	1064	WMIC.exe
Token: SeCreatePagefilePrivilege	1064	WMIC.exe
Token: SeBackupPrivilege	1064	WMIC.exe
Token: SeRestorePrivilege	1064	WMIC.exe
Token: SeShutdownPrivilege	1064	WMIC.exe
Token: SeDebugPrivilege	1064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1064	WMIC.exe
Token: SeRemoteShutdownPrivilege	1064	WMIC.exe
Token: SeUndockPrivilege	1064	WMIC.exe
Token: SeManageVolumePrivilege	1064	WMIC.exe
Token: 33	1064	WMIC.exe
Token: 34	1064	WMIC.exe
Token: 35	1064	WMIC.exe
Token: 36	1064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe
Token: SeSecurityPrivilege	1064	WMIC.exe
Token: SeTakeOwnershipPrivilege	1064	WMIC.exe
Token: SeLoadDriverPrivilege	1064	WMIC.exe
Token: SeSystemProfilePrivilege	1064	WMIC.exe
Token: SeSystemtimePrivilege	1064	WMIC.exe
Token: SeProfSingleProcessPrivilege	1064	WMIC.exe
Token: SeIncBasePriorityPrivilege	1064	WMIC.exe
Token: SeCreatePagefilePrivilege	1064	WMIC.exe
Token: SeBackupPrivilege	1064	WMIC.exe
Token: SeRestorePrivilege	1064	WMIC.exe
Token: SeShutdownPrivilege	1064	WMIC.exe
Token: SeDebugPrivilege	1064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1064	WMIC.exe
Token: SeRemoteShutdownPrivilege	1064	WMIC.exe
Token: SeUndockPrivilege	1064	WMIC.exe
Token: SeManageVolumePrivilege	1064	WMIC.exe
Token: 33	1064	WMIC.exe
Token: 34	1064	WMIC.exe
Token: 35	1064	WMIC.exe
Token: 36	1064	WMIC.exe
Token: SeBackupPrivilege	3276	wbengine.exe
Token: SeRestorePrivilege	3276	wbengine.exe
Token: SeSecurityPrivilege	3276	wbengine.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
4028	chrome.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
7968	FRST64.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6376	chrome.exe
6676	FRST64.exe
6676	FRST64.exe
6676	FRST64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
420	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2272	3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe	77
PID 3064 wrote to memory of 2272	3064	2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe	77
PID 2272 wrote to memory of 3176	2272	svchost.exe	79
PID 2272 wrote to memory of 3176	2272	svchost.exe	79
PID 3176 wrote to memory of 3392	3176	cmd.exe	81
PID 3176 wrote to memory of 3392	3176	cmd.exe	81
PID 3176 wrote to memory of 1064	3176	cmd.exe	84
PID 3176 wrote to memory of 1064	3176	cmd.exe	84
PID 2272 wrote to memory of 1904	2272	svchost.exe	86
PID 2272 wrote to memory of 1904	2272	svchost.exe	86
PID 1904 wrote to memory of 4160	1904	cmd.exe	88
PID 1904 wrote to memory of 4160	1904	cmd.exe	88
PID 1904 wrote to memory of 2672	1904	cmd.exe	89
PID 1904 wrote to memory of 2672	1904	cmd.exe	89
PID 2272 wrote to memory of 2980	2272	svchost.exe	90
PID 2272 wrote to memory of 2980	2272	svchost.exe	90
PID 2980 wrote to memory of 2236	2980	cmd.exe	92
PID 2980 wrote to memory of 2236	2980	cmd.exe	92
PID 2272 wrote to memory of 1632	2272	svchost.exe	98
PID 2272 wrote to memory of 1632	2272	svchost.exe	98
PID 4028 wrote to memory of 1984	4028	chrome.exe	108
PID 4028 wrote to memory of 1984	4028	chrome.exe	108
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 1808	4028	chrome.exe	109
PID 4028 wrote to memory of 2036	4028	chrome.exe	110
PID 4028 wrote to memory of 2036	4028	chrome.exe	110
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111
PID 4028 wrote to memory of 3988	4028	chrome.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1064
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4160
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2672
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2236
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2032

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb7d0ecc40,0x7ffb7d0ecc4c,0x7ffb7d0ecc58
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1736,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3528,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5024,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5048,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3456,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5316,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5224,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5060,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5452,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5716,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5720,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5656,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5668,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6104,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6140,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6428,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6724,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6684,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6984,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7124,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7144,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7412,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7436,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7572 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7600,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7720,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7860 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7868,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8000 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7988,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8148 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=8176,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8296 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=6988,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8744,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8784 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=7556,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8648 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=9032,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=9020 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=9160,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8900 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=9308,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=9288 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=9528,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=9284 /prefetch:1
  2⤵
  PID:6644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=9664,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=9656 /prefetch:1
  2⤵
  PID:6816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=9776,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=9492 /prefetch:8
  2⤵
  PID:7064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=8808,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=8560 /prefetch:1
  2⤵
  PID:6224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9172,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=9948 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=9928,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=10056 /prefetch:1
  2⤵
  PID:6248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=10144,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=10120 /prefetch:1
  2⤵
  PID:6408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=10292,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=10268 /prefetch:1
  2⤵
  PID:6420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=10416,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=10436 /prefetch:1
  2⤵
  PID:6268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=10608,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=10260 /prefetch:1
  2⤵
  PID:6748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=10084,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=10080 /prefetch:1
  2⤵
  PID:6848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=11040,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=11212 /prefetch:8
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=11196,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=11364 /prefetch:8
  2⤵
  PID:6792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=11524,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=11192 /prefetch:1
  2⤵
  PID:7060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=11552,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=11536 /prefetch:1
  2⤵
  PID:7080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=11800,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=11836 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=11808,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=11568 /prefetch:1
  2⤵
  PID:6164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=11840,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12116 /prefetch:1
  2⤵
  PID:6172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=11852,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12248 /prefetch:1
  2⤵
  PID:6188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=11988,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12404 /prefetch:1
  2⤵
  PID:6192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=12532,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12580 /prefetch:1
  2⤵
  PID:7308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=12712,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12692 /prefetch:1
  2⤵
  PID:7412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=12860,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12856 /prefetch:1
  2⤵
  PID:7464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=12952,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12696 /prefetch:1
  2⤵
  PID:7516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=13092,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=12956 /prefetch:1
  2⤵
  PID:7572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=13264,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=13248 /prefetch:1
  2⤵
  PID:7628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=11036,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=13244 /prefetch:1
  2⤵
  PID:7688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=13560,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=13396 /prefetch:1
  2⤵
  PID:7780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=13728,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=13088 /prefetch:1
  2⤵
  PID:7840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=13576,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=13712 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:7932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=13256,i,18066928359652257653,8765723051168264981,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=13272 /prefetch:1
  2⤵
  PID:8044
- C:\Users\Admin\Downloads\FRST64.exe
  "C:\Users\Admin\Downloads\FRST64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies system certificate store
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:7968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /u /c echo 2
    3⤵
    PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
    3⤵
    PID:2244
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SOFTWARE
    3⤵
    PID:5148
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SOFTWARE
      4⤵
      PID:5676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SYSTEM
    3⤵
    PID:7280
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SYSTEM
      4⤵
      PID:6576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SAM
    3⤵
    PID:5948
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SAM
      4⤵
      PID:6584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\DEFAULT
    3⤵
    PID:6796
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\DEFAULT
      4⤵
      PID:6176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SECURITY
    3⤵
    PID:7020
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\SECURITY
      4⤵
      PID:6448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\COMPONENTS
    3⤵
    PID:5412
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\COMPONENTS
      4⤵
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\NTUSER.DAT
    3⤵
    PID:7700
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\NTUSER.DAT
      4⤵
      PID:7388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\UsrClass.dat
    3⤵
    PID:2008
  - - C:\Windows\system32\reg.exe
      reg load hklm\b4Hk4Oy1 C:\FRST\e0Kq5Lv6H\UsrClass.dat
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\j0Tj5Ue8Ur1L C:\FRST\o0Su5Qv8Od0\system
    3⤵
    PID:7100
  - - C:\Windows\system32\reg.exe
      reg load hklm\j0Tj5Ue8Ur1L C:\FRST\o0Su5Qv8Od0\system
      4⤵
      PID:5292

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4024

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D4
1⤵
PID:7144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5712

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a1efa40814e14d228ae3fe35ffc0ddc5 /t 1260 /p 7968
1⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:6376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7d0ecc40,0x7ffb7d0ecc4c,0x7ffb7d0ecc58
  2⤵
  PID:5976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1600,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=1724 /prefetch:2
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3584,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:6672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4452,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:6268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4780,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4052,i,14183140134773557269,694420173093502466,262144 --variations-seed-version=20250219-113820.548000 --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  PID:6296
- C:\Users\Admin\Downloads\FRST64.exe
  "C:\Users\Admin\Downloads\FRST64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies system certificate store
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  PID:6676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg load hklm\e0Ls0Bs6 C:\FRST\p4Ox7Bf8\system
    3⤵
    PID:5636
  - - C:\Windows\system32\reg.exe
      reg load hklm\e0Ls0Bs6 C:\FRST\p4Ox7Bf8\system
      4⤵
      PID:5652

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3896

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FRST\Logs\up64

Filesize
11B

MD5
f6248289e8adabb2809a1e41e87ab5e6

SHA1
70c38676d7f5626e35f38230fa732856b9da9e88

SHA256
9874aa317b53310f2a4cbca09cc54c53ea172e6e0116c16522049df7c4661492

SHA512
314bf177478004762c4fa6d554a75a04053983aa6a6871b16e3bd62f657019fcab4244a71c53d9fb170b8403e852523eff236cffb109bf7e7682c9e2c43620a1

Download Submit
C:\FRST\bin\temprp

Filesize
3KB

MD5
81e7c3595ab154b290d4f3bb07557c2e

SHA1
319a1ebac140a33b97ed257e41c4d90b08e428e5

SHA256
2c18bd340b9c16296fa4f485738eee018992bf80b05089d41b90cd42d8f57891

SHA512
94685aef1ac434e650ba7063fcfe837e8827b5446e6c9c56d4d1a706a94e585872c277fe7b479b4cccedaae9ee3489b92d5c0958ff8c5df9193653b2d9528c21

Download Submit
C:\FRST\bin\temprp

Filesize
3KB

MD5
36aecfa61c4dcd45f6703051459de1f8

SHA1
dc6bf77fa500332e416e9c88ea745d4bb09400ba

SHA256
2c069bf4468426b0073adc0db5cc48f461f557b70fd04e2d36b50264b01a3bd3

SHA512
212ff9bc3e8888ef391edb05588909108f33285e9657b4a524b02644697e75683b394b4640bcc47b45c0b48398f77e5518f3a7e52c8200a03ac10cc75ae06805

Download Submit
C:\FRST\bin\temprp2

Filesize
337B

MD5
5909d8ddef20f533d0b0c8f7773698de

SHA1
72fe489a49845e37e6b8c60ba0e586a1d6abaa59

SHA256
8cb26ba2fe5879e25f52b94ed4800d4748b0cb347e0df8d199b6f6a39c5830ef

SHA512
2f50e52598d3f2ddea3eb08b6275b001af279e240bd9d6ef3d78d87c23b925524a124dfbb478dcf359166d0474b91b7f3cbe9923b9620411a43778afeedfb556

Download Submit
C:\FRST\bin\temprp2

Filesize
405B

MD5
09107983fdd78435eececad56abf2ff8

SHA1
d5032b3e363b4a024c098b081f6b05f4006b59ac

SHA256
667cdd758b5f40b5f528fc875a9c97b92b49cc3f35af6369d0c141a0c7bec9bd

SHA512
692ecc5719d031f6196eca11bdecd7f59d80c50a367370244fc104665767645b5ede8e9a8205fdfaf53ef62668db3fd697da067c32cfa5048d8d6e0364afa84c

Download Submit
C:\FRST\bin\temprp2

Filesize
443B

MD5
6c20dd1afceb45e7cd38fc7baf55c189

SHA1
ee8fe489cb7776ad4192644b47b3e71daee38c1f

SHA256
8d56fb244e5f47d9dba5bcddae7d4ac96191dbaa8f4814182da773e3aeecbf76

SHA512
31f7d585a19a53b685d4928f37e7f7085a31cf249669f0133f3f51f35f8e3a8f5cc735c033afa9dc87245842e6fdab6ec74d1baafed68b6e1b7f782afd69dbeb

Download Submit
C:\FRST\bin\temprp2

Filesize
148B

MD5
b67ecc69d457672e315258246b76b9e9

SHA1
ccc5d81b7a3f54b38db0ebfe0cbe0dfcfd0ea45d

SHA256
a487722a8e07d4d21046682c3a93ba5a2e34a6f3523948b874cecd5c5ddaeef8

SHA512
708af53473c67cb4d4b778df30d18bb84cc8224e7f4aaaae3555418a82d4194a9f0e45d7d888f9e1dd9ea38ccaa643166e56d1356df4b6133a30a4cc04f585f4

Download Submit
C:\FRST\bin\temprp2

Filesize
376B

MD5
438a888cb3ef7eb9a1dae0a2e6fdaeed

SHA1
61295b5670e9e03708cf377f14e637c0c7fbbdf4

SHA256
927b6ddd5dfd285ba1aa60386499950b4ec8bff59bcd27133a1c665fccf387b5

SHA512
a9422f56d0b514b9e6c1887d953753d1f2726ca111a1d47d73f2b6cd18b472304e484f2cf2420d5d4ebc30f22d7b2ab6c9b69e7d93e258fff1b0dcd0c64315b6

Download Submit
C:\FRST\bin\temprp2

Filesize
631B

MD5
e667284eb85b4b458e77450c6abc4e5a

SHA1
4038e20a72ff7bd3cfb849e360d31a1fb6714d12

SHA256
f4affcaefa29425dcdcc28824ea0ede387e58759bbebf348fd00c2eedec01917

SHA512
56ba359d7893732d2c92eec9e449d25b08d2058918292132036743fdc79820854593e98a621f4fc27322f28a8e5291233644ff17374ac5739b96c70d2be10073

Download Submit
C:\FRST\bin\temprp2

Filesize
801B

MD5
f03ea45dd72087222e2e1371d33a2ca3

SHA1
f05527030ee82d9e7b810df61c68d8bf63377470

SHA256
affafc17e59c6bdfb1f67b124f20df0e2c130d8ff8350b4ed3f58dfebf975e4f

SHA512
31c208498c6a4f598403873a798c6b67fdc4c9b0609e4fafe14c247a19a6f0836dcf459a41807050ecc9ecaa497201e2d8a07b3c3c2f367f148e3e42d4da7d1f

Download Submit
C:\FRST\bin\temprp2

Filesize
839B

MD5
1173292d668b0b22d3a8094e4cc286cb

SHA1
6e8d027706f4ad56d1b12ca491bf54a0e98f8a2e

SHA256
8e985bb78b42baf6f78a7f45f2414937948159a1b4e0032105891a7caefbb89c

SHA512
39aa54599418d74ace4612e1081224bebc314b92f725d8adbee5ee4494a8c13283df4a2a5ae2600c40274bea62858fd18b67d77b07076ef79ce08cb5de475e47

Download Submit
C:\FRST\bin\temprp2

Filesize
925B

MD5
72527ea2ae2639f711471870f3f0b426

SHA1
496eb4439681eb85f0cd944e166232b1088151ad

SHA256
e46e39d5719a212a8770cb56d3de3cdba6c13d63a26d9696e8bdc9e2577d7d60

SHA512
38b44c47cc07db0a4a21fe2dc5a8da6f7165af24c9091b6328eef72cab53585c22704ee2c36bb5d18d9c6e13450114197e4c9289146787e8eeb494e7e8dc17be

Download Submit
C:\FRST\bin\temprp2

Filesize
1019B

MD5
eb3a72b036f161c96a71a85269f20370

SHA1
0a6cf3f1449badd4435b643efb1603cfd9a4dce4

SHA256
6d9936fea87f5f78ed7bb52684ee72b6b08bf5562ede41ad68262de6ebfe04fc

SHA512
e7205a8276baa1e4093b7b9025388afceb60b201f0aa203c918a1b5f65bc244503d47e50cf0659f9615e682b192a4054fcd926e3c433bdadc8babf6c7c947d28

Download Submit
C:\FRST\bin\temprp2

Filesize
1KB

MD5
8a8819c6efa6232e7bb7521bce425b83

SHA1
11de33e638c83ad15299b9fd9f72378468611284

SHA256
fd312036f12eadd070aeb79db9d4c3546d6d232e9ba9a41a6a9675e26b330c20

SHA512
ac0e09f991d4be8bc0161a2194782954b851dee70f4e06a9d6b48c7f02722cf856cd77be2e13c4b62536a91d9b7aa4320cae46b7bc73a3d50a40a0bc180ae5a8

Download Submit
C:\FRST\e0Kq5Lv6H\NTUSER.DAT

Filesize
2.0MB

MD5
3ad89829c1fb667baf2e0ae9543a10ba

SHA1
b96bccde98a42649646675f18a43628dec20f877

SHA256
87722087f70556dcb64f9f72cec1824076bad0a9c28347c161c71dbd4acf20e5

SHA512
e8fe7a373b141bbf25f57332efadc497d845055a7c67fe3b78d2216ce92938475b3f746c11df76d1866f202ba0dd3e4c2a5c08157eb58ae63d332c5265dfe9b1

Download Submit
C:\FRST\e0Kq5Lv6H\SAM

Filesize
64KB

MD5
5277a5a7d2d870686f3ad47e3c3e880c

SHA1
efe475753fd044735135d55d8072d093a1e551e2

SHA256
a45f788f54fbba4be42b8c087a176dd4727170b35b7fd5f9c57027735cee7f35

SHA512
b35baa8d58030390e51edba28537aa3b6331d0a62b506bda771d75541e9acc030a9e12ffb51c405bde04618c126e38744c015911d2df5fd5970a33b5b4fbe903

Download Submit
C:\FRST\e0Kq5Lv6H\UsrClass.dat

Filesize
3.8MB

MD5
3f2a6ea91e8c21c4bb9de8c07b4a1276

SHA1
3cd7bf5a552e489757fa02e5e7a24f7fcbbe1ee8

SHA256
a91f78ed1d3d7a6bc999d2f6519ebd3a351cb3844ea01da8788bc4d5ae96688f

SHA512
ee1cf532079077e4e0ee6e4d8373bffb21c90b182c98f199225bbb3547ad2bf928bf60f059370adf47f71ad2cbfea9b44de1c106a1c7cdd51c6ae60378b9c153

Download Submit
C:\FRST\o0Su5Qv8Od0\SYSTEM.LOG1

Filesize
2.1MB

MD5
80bf87e42bdb5a905b476e44fa655fce

SHA1
156a7fd87d77c811428de33881ae75a2da56f7fe

SHA256
9a017f51bb41fd37e84efabedcce2e3f0c0f21f5ccdb19d4eaa054ccde6aa836

SHA512
18a33d8e188019a38766e2b0fd68984016e03579238c3bae28580894ea1f4f313581fc2302550d523c744c6d7a937a3a4aa6567dcd9082f4c064b0d18a6ad575

Download Submit
C:\FRST\o0Su5Qv8Od0\SYSTEM.LOG2

Filesize
1.1MB

MD5
46e0b087ec02df5b8a8640be928ac002

SHA1
817dbe341872e31c03d00018fa6f5fbae61df5fa

SHA256
46831fd33229f4e3c60818c938dd91b8fba4ebdeb41152ec33fe769816d0bb1b

SHA512
c1911a84f8a26cb3f7a4bafbbcebffba49b953d3ccd94d3aeb3bce404aa23aab5dff3145fd37dbde5fe1a92b73be0efbf2965b095509b7a53550035be4665811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bbf4aa3272cb8e79e08cbf46d9e18a99

SHA1
7c865efc623c22fcf66f1e10a303b461a80bfbb4

SHA256
710df16b4330aa2cabfe3df90fe1ede3dcdc714e12a40636a00e9f54a355c5a4

SHA512
166e659f9f003879db9cafa371bc6f9dbaff6dbac01c207447b6f9c712e4c5cd19dae8ab340b1f64703972f51250370427c8b5b3ea277199fb072bc4efd4d954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
52KB

MD5
35383ab0aae917038bc7c0bda6c92ff4

SHA1
574b4cf93f96edffe39f81d581a775955349e44a

SHA256
45cf2dda9bc68aa3c890eb7dc3e1d271c212070781a202f33dd8acf319b1789e

SHA512
e8709a41f7bbf3a7999f46ccb51110a3e8d1b57ca3d6cbfa7ae128a6af921b3d634a284641aa4947183558302e84375eade8b2ea217bb350820270cee3b76f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003c

Filesize
28KB

MD5
d941188b9b59bef71f6e45581bf1e79a

SHA1
6e94b7ae29d6e57f671589dc705db04d54212521

SHA256
dc07053ec83b93bc1b877fea01a9117493077e7107bfde0441b53e523d34443e

SHA512
e74cfddad66b90aeaa2c0ba905ce05c30f7dc23eb18c69edc13cfe083f1d12db336acceff22715650a5959718bc723790b0dde4deda698d74850bc25c1426de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5dd296b428b5d8396552f7997377aedc

SHA1
17f47d8c54c1a8f7dc3fa1cb2573f793c38f64a2

SHA256
3028f41a5752f2850e2e4c7fd7e7f15a84a7ff59000a1b143bf26882ec4671a1

SHA512
813b399a244fd1761b37c226e870b6e3a85ce78cc3e14b9d2c75c292866c5a02f676e3c09cbbb92c267754febf1aac9189930f9144b242bdb2f0c3a764a51ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f4fcf8849ca46d6ce06c3aead59b1746

SHA1
d1e52034907bef353f65697c904433024dee63ff

SHA256
9da9e08ff5cfd24a023c048754863bdaad01ce4beb7bb97c0210bfcdcf604fd8

SHA512
eb01ae323358280860c6389e6bbbf8b3800b1fc551b4e002e5704d811716f3b1b27f3f1f2663009d1694f50407cd5ae2187b8f8dc8abc202926d70f8785e2316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
50KB

MD5
768de1a762f17a0950dabeb03bf1cfcd

SHA1
d0478595e21d5a8aceb301b44d9d7fd847074b87

SHA256
c3e55e160af34a988456e01a56a630d1ba23ae9585ab30d5fd50bfa4e187bfff

SHA512
7901ef892e7b4d8afe9da6a05184ba5582155d52bd94195386206588d436aa54cad482f67eaf162ca49d935fe25f5d02652dbaaa48fc9fba02bac1a1f09de929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
50KB

MD5
ce1140d5d33fbb69deba0f2da16a6382

SHA1
b632dc4192ac44cc9e85ec10287e5f01b4675d5f

SHA256
1383e35286b6fefae37c86113319fb60706913353f794a655e644b4642ce28ea

SHA512
5a5f99f4f88287a752a25c1fc7d2124555a3de37d9d8219aea52894de3db7d3b20aa4d8cd6c0be1114b5ada6b6e959f18321616ae6e6450fd4fb57e84e1d665f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9457f96078af7af6d865807868ed853f

SHA1
4e5b88c7eb7566a80366612d0e03db34c638b6cf

SHA256
75c7c83db3f7235ecc9b0aca9889de311585d613786bac65edda80af10eedcbc

SHA512
6848120fab0fc5d9d53f9d53efe8baedcd9b911d46b017fdecbbb669c325ce5faa48ff93b98eef08ac7e4d9f8c65ca0f70efb19f28152ba8a0047031563b12f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c5fbb7a16b13b4df07dc101047ee24bb

SHA1
b232d25deac4d77eaa9ad6b289039d6528deab5e

SHA256
55b703328bca360d7f01099de21922536d357d9a6deb3d8a9d29e5dba3b4f185

SHA512
0798f63908939526cc2b0005f31eac5845b72a9284b2a62de47344472828eb72b28c71e587db1d6f480ca771a0cc6c56effdc8ab4b256d87ad78fdbd3fd28ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
35fdc8ea2d8e816e77673994abe35e18

SHA1
e84beddda17d7bea7c19f1056dc6a7f29aaa5497

SHA256
8167b9f463d249846cada50a404a9b07613fffbaa89048ba5f7782fa2a86bc47

SHA512
25dfe02e86c14f5c02919de100ed0c14a4ad2208df3dce17c6bf3232bc57a499c9d80bb40eda307a26a55850953d4657dfb44bb1e24580cac76790ccd7eba883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
8KB

MD5
7c846717d57718bd57ebedbedd0eb29c

SHA1
6e651294c81bc799faeb8896d24ee7dccc9550bc

SHA256
a2bae13af55e1aa0cb3556b146ea2b803cb696463eb2eed268107373ce38e05e

SHA512
dd0a9d42a15181611cc1542d39d4e7f754b7a6e8f87f1e969b14416abfe1cbc6f019e8ef0dcaf50394575faa92427d3306a52e9cea86201f16b3725fbd64d337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
effb4fcdcfe76160a25c426bacad15b5

SHA1
a749e3a00922bd2d47864ba90585ba61a19b0fc1

SHA256
7dd8560275906cad9c043ad50dbefa75c2d6d29d307288c225f5283e3f643dec

SHA512
58293394b9adb798e50f2fc68d6bd5485e6876e41063cdca1b52c96fcff22603a56991391ccc24bfc3da66f348dafdb98351dc074d40e02d502e00cbae9f42df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f7a2f4afce61e34708678a461d32f746

SHA1
70bd1b87732a42e1c50649d9a4f8504188c91d6c

SHA256
de46b575c805792448d3b4186d8300c064126d420bb61e6a962b81b48a0ee2c6

SHA512
de65205b92cb49d4ae3d9accff597b1326664d51f2dcfef8caa238c6b0c4472889ebe223cde4914445c88a00a792187723aee9e078aca74b904211bb1033fd2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0dbc1e65d27b8530ae6a7147d6a076da

SHA1
632b91f162004714ecffcda4b1f8418adfcb2a94

SHA256
a67285e28502541a0542cfcccd650ce14d683382666ff37b8d8591691838154c

SHA512
27c178e61f7961e495a7a73f2da58967d0a3b73ee0d40f7370d33dbc1c58a4c5e91399ced7a3e0e8f2f376746a3f5c0cc411fee24a4dcff9a24ac693635ad2d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2059a01f4dc9599eacb21a0e213c544f

SHA1
78eb7356c1c29486c54593b1a42093bdc5840989

SHA256
13b20a4c4e4410b751335cebeafc2bdd8db622a1b5a429baa80aafafe28608c4

SHA512
2c840979769ee75e46f8a5fcf5d832b816de4f6f238e89bb610f82647e30969a05cb7053cd196577ea01ac62e367fdd018cb38feb4336c55e4bf696b75dca071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
052ae7d995f1bb1c265d4b42daf92f5b

SHA1
a473eefd35c00ab659b707142ca2b9b4ba4ed299

SHA256
773575b9bfc8920a8a371c2c3c46342b01e80eed448012e84f1b9aad0095c04f

SHA512
9edf29e7c4e3ae553da8f9b989bb5fa394cc870a47815bc4dc6182432c8396c29e05a30077de43a019a844a095fc8962b036849a6a085a11aec9bdda1b6a506c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
47de95ecc1da5907c64d4b520aea3f35

SHA1
a5561d432514a3666d09bffb404adffd64550200

SHA256
adf6366b00ca81985465a45110d64cde4b81ef0d7a210f3f7f596dd3229a21da

SHA512
3feae469318b3638c3fc2a487777cfe4145498972abe3f0105381c63ab8c248916cb0ce63cda3a672a3872ffe9e4566ac463bd640f61efd35efb4aa9d78f2ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8a07b15077e3b838b94d8704b1113064

SHA1
d774962ef697d6f77ab3a2fe4ee0ac1617e7f03a

SHA256
ef292363e0400cb2d1533c259545b37d587c522ba4da85a34337db531eb4d6e3

SHA512
232dece1a2e72a34ad2030ba7888fe31c785461d428df39014fd1bb9066bb320ebfe2544e251ebc01124a913b454981eae05c1784c1fe4a2ed64f0af979fbc4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
5f07d2ccb4c99eeccfce29e0f6fa0a8c

SHA1
8061f633581bab6f2d1fe79ce36c0faa8d78f26e

SHA256
01be9d53e6c51311ceb38f1c46a06017ac107d095f3305a662303238f03efbd5

SHA512
8c78fbca2e7f15bc8dcc48c9f4e1c547d1c3d1db2170864edcdaf0a44af9f252d44b8bc51c427166a166854aa67042698b62ac9427849efde95df1613f09bfe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
73bb2ecbcb03e0a6cff3d18da9d3e4a8

SHA1
d07d2587c085259f9d4b8f9b03f1817c988f7877

SHA256
67240ddbd1d8e4aaf394bdbb35226885b4c11bce2d75341bab106f99b6608602

SHA512
755dc9f102dabb3ccbe19e8894a4d216643533a373650602b764caf426fd4dee75511085334783174218ef74941011906c915a2d967ee6226b0bf233001a9c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
290f01454e51c59fad77367ca91f4008

SHA1
89661c7de8c3d2bf6b6a9dd71527beb79ed80659

SHA256
ea8ea697f56ada61242b5704c60b8bfc6d5397b36ae3fdecaee98efbff881d1c

SHA512
208f9bbbd6ebebf6066c02f58e8c18bae646f9de99f9bd61fe5f223d4ac18e85f53c580f7e570db96438f186d428936228b6aaaa21fc353fd82ead445620f4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
a4d316f6453cc4a77bdefcdf260c0adf

SHA1
30fe98fd980da0a390734efb7e928eabb0db12eb

SHA256
5471ae005536c4de0e0cc09339d80e4b5da9f5a2820d21f2d458cec1ae64cd35

SHA512
18f09de3c650dd464bf9973d9ad9b284ee0a2dd824643a79827a38defbc0e2564bc0bd9bb2f183ffa29c3fa6cb07a2a2aeda4566ae1267a888e17919355a736f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2025-02-20_1dea80c3acd337a732a41b1ef0a655c9_destroyer_wannacry.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f0311dbf-35e1-4be4-ae08-6b83b3689644.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver

Filesize
43KB

MD5
e741608bb5fbd5295f0a38619f913a4a

SHA1
c37c2feab3e3245ba42af21c141b3f595a767394

SHA256
8df15480f43ec389a2572204e002eeb496fee627cf613cd8da7f19e79ea76440

SHA512
4b911b022f4550271cd351c324cf4f51157bf77df7a5c4f9fa3b2b9e8371e966d9de2bc5135976451d1ae3382c7672b1d8d2e1f8124df427fe8223167609a822

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsock

Filesize
4KB

MD5
cf60086092342ce68dd1b5e2ee54d6be

SHA1
dfc5c2ce0e3b0d1a7b046ed9d55f4434842daa41

SHA256
3bca8054f9a92c01b23878d5270664999b46a362452df88c433664f7638ea39a

SHA512
7cbefb063ecd678b5753c7f721b3768a33c9fe359a149684448b17d8da8649c059f3a3cc2afced2e3c3b704ee999cda1111620ade5c44ac692958c2fd8c231ee

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
27KB

MD5
1dea80c3acd337a732a41b1ef0a655c9

SHA1
0c183db452f00bd5282de8c589b5ca39ff671dd6

SHA256
a19228e0bf1b1aa215e84f0381b6f4ec16e4dc5831089600678a3d6c2eed0936

SHA512
f42e8c34379afc24ac9dd3d87b6284571e60932d8dfe6b088cf30dd655416a894ad03e95c63b538d55fb20d082b9a3c0024cd4f8740665e13c8be7eef3070f62

Download Submit
C:\Users\Admin\Downloads\FRST.txt

Filesize
7KB

MD5
60cbf3eea2321016bd19ea5180240e75

SHA1
936409bcad829b79fc5f97aac41695f0913e2048

SHA256
4e57a18d00a7ddc9ca4c8d04583059f5f6edf01bf12a3e4c8ac7448030a8b52b

SHA512
f6902eb1787e7d1a0112dbe3c0d950e6b316d9a9b53d54594ab14912d18783aad412c96048e7772edfd8e2f056108012b8a09ee7326f20f1c05992ba54cfaad5

Download Submit
C:\Users\Admin\Downloads\FRST.txt

Filesize
7KB

MD5
b76ae529a9ee0850ac238c97b6faedb2

SHA1
bca5270d5cccf2133e40ba71d476d9a5684392fe

SHA256
b924f71964347c7e4a788b60ac746edaae342f6f6810c1afd01add7e4248d078

SHA512
3ef014b18da629e0cc79ea12d619a7169e5b43626108d81cf1981b09442446b99eceeb307b1231aa4043d9af01b09d0ed392441ceb6a3fe0a11bb6e77c68c58a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 590345.crdownload

Filesize
2.3MB

MD5
157eb564af9025d654d3785c04a64133

SHA1
f0a0a913fbcd23fc8eab3651c6e02da7504d70b2

SHA256
4d16bfeeadf533be5d9f8b09d28ad83bc8809b390e59e3eb273b8fe841f4061a

SHA512
057d5fe90f2c4974ba3a63064a590678ac9f0c5bdf4249969c9ba690b082b1b604f2d04ac911fbc19d7d4b660ccd29a48b17249c2a9b9fcbc2c95a8c1038bd1d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
C:\Users\Default\read_it.txt

Filesize
384B

MD5
4527a1a6c828a73f063e103e63d697cd

SHA1
26c8f133fe0b6d033aac19a901e9198d0ff18352

SHA256
92eccda02248ea9ac84249ca833268534d135e99c4ad33f0e12c930a8c650b59

SHA512
7267a891748dc00453c2efa96d28ad4a3f860298cddc25ba8a765322db57cdf141b572a97d2e8bdb9442cae77e5259bebf5f8471210d54c645037a3d28722f4a

Download Submit
memory/2272-1135-0x00007FFB82E30000-0x00007FFB838F2000-memory.dmp

Filesize
10.8MB

Download
memory/2272-16-0x00007FFB82E30000-0x00007FFB838F2000-memory.dmp

Filesize
10.8MB

Download
memory/3064-0-0x00007FFB82E33000-0x00007FFB82E35000-memory.dmp

Filesize
8KB

Download
memory/3064-1-0x00000000000F0000-0x00000000000FE000-memory.dmp

Filesize
56KB

Download
memory/3064-2-0x00007FFB82E30000-0x00007FFB838F2000-memory.dmp

Filesize
10.8MB

Download
memory/3064-15-0x00007FFB82E30000-0x00007FFB838F2000-memory.dmp

Filesize
10.8MB

Download