r77 | hxxps://www[.]mediafire[.]com/file/aaguct1m2lg1la9/HITMAN_3_v3[.]10_Plus_11_Trainer[.]exe/file

Resubmissions

24-08-2024 15:27

240824-sv18lsybpq 10

24-08-2024 15:21

240824-srr6jayakk 10

Analysis

max time kernel
92s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-08-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/aaguct1m2lg1la9/HITMAN_3_v3.10_Plus_11_Trainer.exe/file

Score

10^/10

r77 defense_evasion discovery rootkit

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe	r77_payload

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

HITMAN 3 v3.10 Plus 11 Trainer.exeHITMAN 3 v3.10 Plus 11 Trainer.exe

pid process

1660 HITMAN 3 v3.10 Plus 11 Trainer.exe
1100 HITMAN 3 v3.10 Plus 11 Trainer.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1100	HITMAN 3 v3.10 Plus 11 Trainer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 655417.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeHITMAN 3 v3.10 Plus 11 Trainer.exe

pid	process
1032	msedge.exe
1032	msedge.exe
952	msedge.exe
952	msedge.exe
1560	msedge.exe
1560	msedge.exe
3096	identity_helper.exe
3096	identity_helper.exe
2220	msedge.exe
2220	msedge.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HITMAN 3 v3.10 Plus 11 Trainer.exeHITMAN 3 v3.10 Plus 11 Trainer.exe

description pid process

Token: SeDebugPrivilege 1660 HITMAN 3 v3.10 Plus 11 Trainer.exe
Token: SeDebugPrivilege 1100 HITMAN 3 v3.10 Plus 11 Trainer.exe

description	pid	process
Token: SeDebugPrivilege	1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
Token: SeDebugPrivilege	1100	HITMAN 3 v3.10 Plus 11 Trainer.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

msedge.exe

pid	process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

HITMAN 3 v3.10 Plus 11 Trainer.exeHITMAN 3 v3.10 Plus 11 Trainer.exe

pid process

1660 HITMAN 3 v3.10 Plus 11 Trainer.exe
1100 HITMAN 3 v3.10 Plus 11 Trainer.exe

pid	process
1660	HITMAN 3 v3.10 Plus 11 Trainer.exe
1100	HITMAN 3 v3.10 Plus 11 Trainer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 952 wrote to memory of 3124	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3124	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 3196	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 1032	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 1032	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe
PID 952 wrote to memory of 4616	952	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/aaguct1m2lg1la9/HITMAN_3_v3.10_Plus_11_Trainer.exe/file
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeb0d73cb8,0x7ffeb0d73cc8,0x7ffeb0d73cd8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3752 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3456

C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe
"C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe
"C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FLiNGTrainer\TrainerSettings.ini

Filesize
29B

MD5
100ad43a6e39d44013fad7f3aa343e3b

SHA1
dc8050bdee8a74354cb4a2057e4e703e7a460943

SHA256
a7b15ee77dd0db946e7fdbf574889bd30c23fa3d7bff6d509df118595ee14ec5

SHA512
20f9b26416804f917d0642d35de32ccae0849c34bff4eb75c6450b1ee83756f3275850101d7482eb59c78356b1489c2d4db6cd95ae9b72b64d5eeab700d36ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HITMAN 3 v3.10 Plus 11 Trainer.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
63b8385278a0d6613c3439eb0134e7b0

SHA1
e9db17c7073de53c7c3d8b8abb41a6d3f55f7592

SHA256
8e742625930347894626259fbb2666b4630ad322cf7b1d38af1711534120a8fb

SHA512
248abbdfd0761761d57c843e4405dc10d1656ccc42718487276aefbecbe91ef43d396d0ba6523d3849d5975538017032d0380f2a8d77434dce380b251ab3d6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
836d138f02148c6125a854001275d146

SHA1
97f143697296de628c4dd01ef85ce742fbedf1f4

SHA256
9c15e261d5f8a2ee2e07410bbc4b95b06ef32bf3ec5ac823e965107a9f458700

SHA512
77f020061cfbe8562c0151f919a9d0aaac37f30a3658b21005eb4d12de601a8727250449a82f78edde6292a4a647eaa9d53396aa8ef4c97468c842e29fab16ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6054d9dc4431cac1f31a29e93907fc2

SHA1
0b295633900adc611a8b9965b3a3767a4afe1806

SHA256
178ccf7ebc61eac5bab99298043c50d1b6e4bed813c5dff13c04b35bfe47d022

SHA512
c3dc1df7e3c60a4d6c7590988f2042d2f09754a74aad192a0d3d52dccc6c395a53519ebd44b557ab91f6a562687a40bd3143972ce72723e2dd51974c2b021435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2337747f8cb3c1f35e24ebbc2ef984b7

SHA1
67faf8e592ab404b30c31e3165bc098ab18f0c9e

SHA256
d0802275996e7ec3698e69ea3a8092e5465d93c2b74b5ff1a7ec5a73fc23e9a4

SHA512
ff0a9a46188a91d2fc7c6360021b05e91a42b398d4768b5cdd33d698ab5748bcf42d8805996ce4d2847d08217f3e1613786bf72a6f289255d3ad4b219da605e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a4385861107b740e0f0faf06a0cd792f

SHA1
8c20682dfee66d79ca5ee295272025fc28f57e08

SHA256
c8764f8e7e81ddfc56b6fd9b262a223c2cd33db08b1cf823e43cd109104a7dc2

SHA512
9338bb13e241686cc750470682a7163661523ac928b5150f84742d550b315845253e5e36245e411e78b9016765f01c8e3315bbfb2c482d92787a321e575a234a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ae940c3e594a1b161a6065b63c3961d3

SHA1
57e55e7307a80a6edb523e4bf4cc883b5259fbc5

SHA256
460ecac7a488d51010d6ab720cc3c1ef0ef96755d6314664debbdead35e05328

SHA512
a10df1c41b80d77e5077612488d63824a1ceb26738f2c887541f5764cabbde785bc650ec92f76eaee35b7b4923ee6fdae363df3e7bebd6538c100f4c228bf4a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
efdb04d75203e1b7bc74f41cfa7c891d

SHA1
b0afc2d4c4a54526faabed5b508e2d6e3037724c

SHA256
3555b513c86c02bee4b66d1806d3fbdf24ff3c1a0d26c77021490051345f7218

SHA512
8511cad0fd3cc839cb13b1b15d4eea65162ed7151d52b5f29254acf1ee825e373f42d152247007918a304110ce812a2a823dc3a3a27168520a9fe2a4eebd494f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586a00.TMP

Filesize
48B

MD5
143322cb5d58deacd7f65cd13f4fa013

SHA1
3eb9839060afbf39e78778d00a27a7baf5b751e9

SHA256
d8201b6f5eca02322842606188afe1321385e2dbae3d5b771e33c077c6476984

SHA512
86c463df7fc702896f3d64c1c9c3f7f41ee7fc8c61ecec939f97a1b8628d7c3b2f9fbf5887e0448c79745d48ac32ea3765326d56fe8e2f9e1214d399ef25aeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0290c94da608dfdba078a4c7a3ae0e65

SHA1
3675959208fd7ff6058f9197886576790b61105d

SHA256
f44df8ea57b03e7f98c9fc42a02901f6307821f6a1bbfa1cd186f8fe09a13992

SHA512
a65829a915591b9c09addb9c45ca4421c2c1dadcbc46ef3cf198f169e8c0a834648ed912cac346b3b5ec007b2b1a92cd0b94f33206c9486f3202c7572247a35f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
26430fedd7ceb9221bd61b73835c542c

SHA1
c15272e7e62d8ea68bc27a1a071ffd51b1b0073c

SHA256
022dfb3aebc36933a11023c0f933c2407c6f96bd5b5f5c59c0850fe8e9460223

SHA512
9354d6463a5476e825c1f15d1ab19b1c3c61831097afee3a50af1771a8547acffa8595d6ab7d22de85e9b3ecfbd13a391ce0b3b0f9e76a4ec8715305595a0e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57edac.TMP

Filesize
872B

MD5
0a9d3824796a294706dc0296d98b9064

SHA1
0e40eff1a328aa6696a65d544acdf981b0325b41

SHA256
a992f3463494ec80d83ebf3bd0b43ca03b067f608ab72b62476df664b9716c78

SHA512
5db963052d605f42e30d48602d1f3327cf5cb4c0a90ae073a2be7277e8ecf2a8708f321253ef1398a83c8dc32db8211a91885e7c43a345a6d144ca98e9649119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3bc0196b34c94c4b242cb5a82f71ae6

SHA1
b936f34a0c256b5fce02846dc386f715eea71da8

SHA256
1acb93cbca042ae25181c5ccc9209d1d6d610cd01084598ce8e9f18bd2abdba0

SHA512
646249afb70fbc1512f2ffbc770e16192fa1405f2082238074f8c24d492b9de923fd56406afc77e1470d557f955df42d8e511a0d6b504e15166c301bb9c23e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6999bfa47112d0edf00e321fa6c52f39

SHA1
8c533507a20906b821bd360043bb8dda6f28741f

SHA256
34da7e794e2f6b100a201c896a5952926131c834a64f772bb8da25e855927437

SHA512
672c6f5faf6b5fe952476ddd177e83369afbd91e5281cde47d0fd5903fe4ca0a53dce0b09d110721b3f9dbf54d1c607925c5299f5ba7b9d4a7bcda2769daeb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d868000918f3daf9594e43ac27b5741

SHA1
9c4c39736bde01eab066e3f7ecb2873569eb4a4a

SHA256
07abca70a8bc5be339ef7fc363a8d7200203b61fa2ef9c007d0598aabe889d1d

SHA512
a7ffa28041b0f5af8945cc07a8eba332d9256fd604952c79caa13720c8a552178fd545b5add6ab6dbc176dbfd2bec6fcfc44440e8b7611c479c0758d38f4912c

Download Submit
C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe

Filesize
1.2MB

MD5
f257a0e7008656f9e2fa44a8a14f8d0d

SHA1
3469c35ce974b4c7f0531af5116266393779d903

SHA256
0e99e5e385e731404a25342a226633594e160f2081bbe4c84a756186ea08a9e8

SHA512
e9d9dbadd01ebfcf4ea40d49cbacaab4ac43faaa21c7c0a173032e1382eab52bcf18bc2d26c5618cdd4d7d3642581d5d08a48330551f51617e388ac88e5622ee

Download Submit
C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier

Filesize
66B

MD5
91a932dcd7bffe18428528359af8f18f

SHA1
bee30924f7cdee4b6332c7e53726c14e0e5acf36

SHA256
467b8610308d08ee1a4d30fd9ed93e238352b3020d19a8417c51df22eed98b3e

SHA512
0f2e141a64a55088b078d789159fde7bf407ebcd5583528a380cde89f573b104c29045dc1dd923fff562e4bbf1f710443a2ba5d617292cbd625030bcab074fc2

Download Submit
\??\pipe\LOCAL\crashpad_952_MNOJOKNMWKQIZOUD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1660-511-0x000001F993900000-0x000001F993932000-memory.dmp

Filesize
200KB

Download