r77 | hxxps://www[.]mediafire[.]com/file/aaguct1m2lg1la9/HITMAN_3_v3[.]10_Plus_11_Trainer[.]exe/file

Resubmissions

24-08-2024 15:27

240824-sv18lsybpq 10

24-08-2024 15:21

240824-srr6jayakk 10

Analysis

max time kernel
376s
max time network
378s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-08-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/aaguct1m2lg1la9/HITMAN_3_v3.10_Plus_11_Trainer.exe/file

Score

10^/10

r77 defense_evasion discovery persistence rootkit

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral1/files/0x000200000002aaf0-220.dat	r77_payload

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Executes dropped EXE 2 IoCs

pid	Process
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
708	procexp64.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	procexp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-242286936-336880687-2152680090-1000\{31399686-DB20-4F83-B7D1-FA5BA8DD6D11}	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 849999.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ProcessExplorer.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	msedge.exe
3928	msedge.exe
564	msedge.exe
564	msedge.exe
1572	msedge.exe
1572	msedge.exe
3464	identity_helper.exe
3464	identity_helper.exe
864	msedge.exe
864	msedge.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4460	Taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
708	procexp64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
Token: SeDebugPrivilege	4460	Taskmgr.exe
Token: SeSystemProfilePrivilege	4460	Taskmgr.exe
Token: SeCreateGlobalPrivilege	4460	Taskmgr.exe
Token: SeDebugPrivilege	708	procexp64.exe
Token: SeBackupPrivilege	708	procexp64.exe
Token: SeSecurityPrivilege	708	procexp64.exe
Token: SeLoadDriverPrivilege	708	procexp64.exe
Token: SeShutdownPrivilege	708	procexp64.exe
Token: SeCreatePagefilePrivilege	708	procexp64.exe
Token: SeShutdownPrivilege	708	procexp64.exe
Token: SeCreatePagefilePrivilege	708	procexp64.exe
Token: SeDebugPrivilege	708	procexp64.exe
Token: SeImpersonatePrivilege	708	procexp64.exe
Token: SeSecurityPrivilege	708	procexp64.exe
Token: SeDebugPrivilege	708	procexp64.exe
Token: SeBackupPrivilege	708	procexp64.exe
Token: SeRestorePrivilege	708	procexp64.exe
Token: SeDebugPrivilege	708	procexp64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe
4460	Taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4896	HITMAN 3 v3.10 Plus 11 Trainer.exe
1616	MiniSearchHost.exe
708	procexp64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 3320	564	msedge.exe	81
PID 564 wrote to memory of 3320	564	msedge.exe	81
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 4868	564	msedge.exe	82
PID 564 wrote to memory of 3928	564	msedge.exe	83
PID 564 wrote to memory of 3928	564	msedge.exe	83
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84
PID 564 wrote to memory of 2636	564	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/aaguct1m2lg1la9/HITMAN_3_v3.10_Plus_11_Trainer.exe/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff09403cb8,0x7fff09403cc8,0x7fff09403cd8
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7560 /prefetch:2
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1332 /prefetch:8
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7448 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3377940150850731772,9004519805582024324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7432 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3268

C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe
"C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4896

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4132
- C:\Users\Admin\AppData\Local\Temp\procexp64.exe
  "C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
20KB

MD5
8266eb9d769b0040c61f9107b9233d0d

SHA1
7d84098b0f5a6b1fb73333838e071558086938da

SHA256
389603813af8808ae7ec8ca4f2bc326b15e4c2ad5d86eeabfb271ac4d170b923

SHA512
82854e09e38363bf682d1426cd72d2efe770a58531f8b006c80c32718229cd9699c6db6ae4afe0a5ba64504a08b16568e53ec8fdf2702b5abc41ef7711f011b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
62KB

MD5
c0b6bb8bf06770448a0226486a3fa5c5

SHA1
11324fc181adb507aae8bd8f06018dd0980f4cf2

SHA256
51b8e76e663104d57b8772579bdd2803c2f0d92e9420f576729e0147d383530b

SHA512
4e47255d0cc444f87e367f61a245d83aacb82a911ca0045a25e3aa4ce9bd9c000a4e0d80092b57662cd3c054c3677c0848b5c23afb466ca9b70357ed27b7a097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
31KB

MD5
a4da976dde535a4f11ff4c9d57a8a56c

SHA1
fc4c29049db6d81135507dc3736cb638340f55aa

SHA256
6b85680498d0061e6b748f0fd9c904c74eb9f265f7d6ff6b33a37a0656164bf9

SHA512
e3db7eb080a2c927ec3a223d16d818cc76f9da51525a91b8eb3cc9e15106e2939ef6d550121b8cdf76d38c001971662d833d70a269ccf35d36278d25cf42aa18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2e367b3913539e5f_0

Filesize
23KB

MD5
73a4a50ce25ffccb131e3db415530112

SHA1
24afbdca2c13c8460f0fef9edf9e9fa06c7a408a

SHA256
10bc81efbc3c766b1dbf30159d49680f8f1ef00d088bbf4115582f171cc27f62

SHA512
30d35c972821ad1e349ae61a1d2ac20e2883f0b67792af78af5c5558b98330b11e9a3f2a91b7ec873e19165693f78a06ca05a7f77c3bf4f04d810d03bcb95dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\411dca8eeecf259b_0

Filesize
278B

MD5
2e7e7188dd2e048c3dd16caffd706ba2

SHA1
9e8b42b5df5fb86e3ef3cbd40f9890824dc2a63b

SHA256
380206e4526b53071f71418eb8a3439eb5072cd3ab3a2c779d70028155b4af94

SHA512
0e3a2316e24c2e2c709f6616f1c0f0f4a4be24cfde07b604da0d5cec61e8b52748fc2fa6d368c0ae51e1993c2b034b9857c22fe81da9dc603640f2295bf204f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6c4af2cb715f69cf_0

Filesize
14KB

MD5
0bc4f4002fa1dac5465e78051e41dbb8

SHA1
3d4017ed2ee5f3b8358975f274631c5061c4ece6

SHA256
b14587b611cc340618601231c531825d1f3eb9bd8c14e6a7b4bf42d5169d9d40

SHA512
21bd92e9a4ff5c564231ca497afad687c2691316cfe94d6370ba432e72fd5efd17f2c95e591608829515b4abfb60b80b38c17b89a597910c3532a826c63e0159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b52da9c403ac9e6f_0

Filesize
160KB

MD5
5f02f08b9117a5cead4f812246e497f8

SHA1
6567fb9351b6f5d9ca48947193c739b5b6184801

SHA256
bbc6342f1844be55f92dcdb05adf0a0085e435adbeded8b7d4e29ead32ea1a57

SHA512
74000df09a4dc55f003d401315bf142888af5db9406efda59c61c7edc48adbd6a8c8f95057c8d264291ffd50ed84b5d31014cdf786a6f3e5226b90a117117688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bd1ca6c0f0418268_0

Filesize
55KB

MD5
5b95d8389ab53f2385659971c4a84417

SHA1
92905b6ed791265dbe0da5026f490526b6c6fd43

SHA256
915be0d58afc20199e28191f70606c9c2a32f765ef580dbe9b485102f492cfc7

SHA512
cb2fe6779089262dfe37870a9c5d67d67cc3ef72c5c45dee1ef771af46c08989d3f56f008732b681057baa92983fc0d1f6dcc31a40de9e2a00b57cbe40271312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
59a8dad9a360ba330600b8815de02498

SHA1
2b2e8ca7cabff5e8b39fdcea54f277a8b01de6b6

SHA256
fdd5b9413582d858ce0d8e25d56ed31c8822ed688057833c1e33023e2948cda0

SHA512
ebeff1708b2fd1a6fc58e12d7a5863b3f77e7b5ae7ce249fb7f57a2936c3c17e3d929359e4b7770aa986aa585b1f14a598b5d37f16659501781afd0e2bc7a5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
de4c2ce5cb20f964956874a6ed55100d

SHA1
754225410f0ca1650eac32cce053501d2bbe6935

SHA256
15e8d61ca05145e1d61f4873032332257e27f3f183ee7763051bd90c18774fa8

SHA512
e2783ba98d892a881cab42322dc8eb0cadba32ec318ddb0b2f60c861f40c8aa545eff7ace94db0746aacecbd7a2b8100d77eb76f3815652602c1ff5538d859e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
777c18c91702679d70ce7e9bd0aeb3f6

SHA1
b18f6c4603fa7df6fbcb2e944f720b363979e57e

SHA256
9f225c4188639882a3e0d791109cbf0f0f1389797453f84da3322c8e1fa4ecf7

SHA512
856f073f0943715ea0e2bcee404887644e2cb3355119169f939458d53529cb376ecf240959a44a5eb0de7088be3f94281073334581f3589ad089bf5c2f4f1474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
778f60f0a9cdf8edf0dca7a867137506

SHA1
44145c559729bbcc2d019f427e627a248e4ba2ce

SHA256
78996e195285c589bdaea080c432e543a3c0312c7f448c10efa5ce315cc8e24c

SHA512
ef0af8b8edc62287edb0c8535c7c684710931a51436dac9336b5a128c80a46411c2a98ba5697826f23ec1c0c07538a93f32c1e7783f41e51d73742c923c9a799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
99aa23e34db20e422704f57c426b9215

SHA1
0b235453f5db0ba31b22be4ae737f98cd3e4d458

SHA256
1cee9a94b4d165f79ada39c61d9797bd82240bc7d1b830f8eb6cf2c30aefeb9d

SHA512
600bc08581088869c3904285796aa8389aeaae40dd82285a4307e0841ce9c3d2431840db312249b5a8c1e61fb3a122d08270d537b1cf7f3fa893d5d0aac071af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
696b7fc2b15fb0e1deee912e8c824e61

SHA1
1393547fed09895a3540670fcc23ab269df59f3a

SHA256
e36301cb0fc4c4a515e346fe9de6796aeb5691def797042d8802b7ffd0bcf99d

SHA512
60706783cac3aa898a5bd14dbe9e40fb95af83a04f4e169294d7297ad8d4154c1cefef25064090db71f34f8359fcdacf74afd47f264c26b34ccc176b5692da7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fb6a83fbc434aec653d2c7b963398cf6

SHA1
f88d90594a2bdfce93a0611a79fb907fec827941

SHA256
2805eee4534743d0fc979d48e44c104effbdf7d109b18e75df6751b2c129f14e

SHA512
0ee291d5b5e30e9d7a53822c98ec270e5f6dd993bffde891a130593366b03750c31b6e526db35ed83e76e887619296a059d3313be028d239007771abe44a581d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
91f06f0df3f3a86a6b6bc68a8359f926

SHA1
3c3877544ba8d1505a85679742b039e9509bcd17

SHA256
8b5f19687e169c96f7660f059048b735477aa2c0d6c05db66ebfda7e1133cc07

SHA512
729c1776b4611bfa6b6fa5ead87865755b8651d2610676ffb7f9adf9d62318d017e80892f882d82598c11108cba556332f732b69f16d91c6d459e0e632108d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
812b6a518e8e85312c517536aa147467

SHA1
0be18eb3546dec6c08d71e4f06435fc501a3a287

SHA256
c90c58a641c9926613dbb1bc1cc7f3dd43f8f59ae36c4b276dec3319c185c30c

SHA512
f1173f48ce6c88714da644a24fd777ab73ac697325df4ca214baca2542362447e01f15ca30559d44c4427a26e76523f148761704b8e6765b49371f88d90bce92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
1058e9866623182a7e4ddf6e36d24b26

SHA1
f0181cb81feaaa546f00f4640099a07962ff6bb4

SHA256
2cf274eee1890683b93fab2c8faa404f049edc81c6fe34091816b4ecfb39b61a

SHA512
87c3e2c17ec01f9e8a4d6bf77a2a3ad949b8de89220eb68b512c00c5da848d789e93f840778b158f627ebcbea6501e26c19c31fad1403bbb4cb4ee9d239014c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
cf4a7f4649fcc61ad475abf14093e0d9

SHA1
01ec7974dcc7ab8333cc0b0a6096a7595c56093e

SHA256
1b63b40b659fdfc9dc271610275e212f5765f452b8f69d516c0764a885a2bd54

SHA512
c97294510152de6ecd406a83387e71f27801736bde9e308b454820bdfbf898c3be4690dd3789e292455d5df95a8ac497ab5c5ca823f1db37a36a84351727e158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d520f712b7e8381e78aa9ec96d3d426e

SHA1
68386b4ed8e0b6a44b31dd3a6833abb35dc972cc

SHA256
74c833897e757be52dedc865102404906d79bb7bb401575e67dd07b7887c1d81

SHA512
f258ca20dba99326dac11a0f0c2f77d6a21472c58abe77026578d741e1eb415e73ddc8047aac6200398ff240f85f32664d856aeff1230febb86b139b0ad1abfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
e9faf2167484e2e8ac3acd9bb1d73c7d

SHA1
9bc11980766ca6a914c0913029041ef683485d19

SHA256
42e6b678b3a2c2909f79578533db8e4c03459cbc4fe3c571c5345f7b04fe89c3

SHA512
ad6b06aa2d87acf46a631dd06359fa37a1c892681f78259290090b3e8991eaf787d70f4b9c29c953d8271bdd868fe6e5dbfd406c103548ad868e482491e72b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
48d1c8355a7435a816d6b7cddbb419eb

SHA1
7d6e10baecfb09b710d8680033e4bec66a311f88

SHA256
20f763c2786c6cf47d07ea1fc960cd5dbd20f9e8aa9c0e1b5bc2442b9c52db62

SHA512
0bb34ef48458f0d3031246c4edd31b73e6847dc99c1c205c5e7bca820c2c5700e1d69e3c401db57eeae44d354f0656b12644165b51360401b000564b636ea01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
381f538953e3eab314f5433cc1082994

SHA1
105e8c6f4ced76ff5f4062ccdb62dfdc319b6913

SHA256
de1b25c9a0b74a3740e17dc6697742b5e8ead5fcbddfed1a7cd23ea2c3fcfd47

SHA512
6c98fc9bbbae6abb5fe229e3e5466b273314e313de145b363307927c83f66f1d98d76c456429499f11420cb7930b02097d338dfe0a50e815ca391410d18d1a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2355d3d6f8fdd24c59167194938aa2d4

SHA1
5f11f4fca5c1b51cecde24b40f9d51c688ea50f7

SHA256
87591d5a18244410a55baa322274fedb8bda45a8aa53912e0b85742a120fb206

SHA512
9368dc3da9cc57969b97ddea890da5a5292ff2031838f789bdb5fe98f3c3760c818c48f7fa9dc3f3d8f825492b5aad52ac15fa4bf08002a38633e48145d5f41a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f37d1a613603b65f876029336e8f8407

SHA1
0ecf92cb34001cc2a5eb662edf4b70671e468e5f

SHA256
60f1e40bd647963ab8c1d1f1a44aa3a9cc89fa044311fc3646d46af167af4af4

SHA512
7d64852d857bd59885cbae3eeb62db3d2cd3ddcaae61e2d2d79212be69049e214a955da31f6f0b4bfc3a1215e5f6f780caabe932b152fad0ec613691b48de64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b1a3b.TMP

Filesize
48B

MD5
6e7471b924735a0c3e6bb60dba938ef6

SHA1
7bf723193365999c9481a48d09015f74585993ed

SHA256
dd38b8ca583f6859b1457e64d1db831f9c79f5be110c1426a9e7398bbfbef992

SHA512
fc05dca02903b45093bdf110ca83bffc8257391f7d861c014e77e11d51c6a95ce3d290f43b96b5744dacda788e1bf2d592da7201cd5d6a138cf82751faec1ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
65ec36a224be8b682df6d6117de27d07

SHA1
46f12c20af999a51b1e95d9d2fcfdbec8b05a9ab

SHA256
9832612b486c6a62b106439a9d23967330a846a897514cbaef85ade37827b7a8

SHA512
722fa4b982f9b5c6660ce28972b79f1a908274eb4b4c17f4796ffa2cdcc8464870311c1d71e02558362620e4fb6e4831c1de94a9a3161885be6a82de74b775f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0879eddd8d719425bf26b17589fc3b85

SHA1
228bff0c1067bd8343058fb69d1ba65414e4c205

SHA256
bf7da5daeb9b761613b2b6fd0cdf3a5e574cf68c024aade656d1b6c5901f4bb6

SHA512
0432dc1310deb26abe2ffe51d871d13bf418b682e538bc79ff04ab65437b8bfe6861b863da84ddfd9e862cbe3536f9e2dcf13419e1e77e44c2a16c713041ced4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ff200fe34d1248e8d6faeb3e86bad1bc

SHA1
3bd4e3465ca678f795fd0c25738c4b991035812f

SHA256
2945a0abfd8409abc2f6d11a276c5cabcc4f0512819d7653c53b96c406a3e983

SHA512
606192c9a05a0fa945ae89697cb5d5d8ce61562864dc40170ecf7875ac81284b9134990bc9f2795827389ae41b33604b783cd1631dde1cde25de2d69f168df05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
215df77e08fe8c7845765f40767bd093

SHA1
3f0b66a6179e46764e0fcff05e6c7a211022aea0

SHA256
b769ef85db03d537be2408b193ec044cbef826b0b58f5f27d54d6b67d529c2b2

SHA512
6e54490ad18b583bf60f1013173ff0976b7b0023596191afafff2823f1f9cc18c4cff2170dce65d9c0045c7078e9cf4b643bada6558b7e47fe48020222c81f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bbb0375bfe9622a2641facc4620fa91b

SHA1
ba30468a89b01672d1289563f8da21b8c3ae5921

SHA256
bfcea2656961970ec66cc7969241bfa807101b2cc6e98ce13f24c44a7815aadb

SHA512
ef15ebf6c0d6ee8ea89302f24e64c6aff463c37d2a5df9fec84dcb3b1ae9ee4c45db0509bbfce4349d94822300d66530cf5bd840fa68552bfa687ce7371a1c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8331e052fda8efb69862254b8d5cd185

SHA1
d922aec7e2e4941bcc1f42e5575c2ccc914b4140

SHA256
adc95cea9a6fa6bc64aba3104cbc80526fe900076c6452040a00f18623cbe25c

SHA512
e01fceeb88fe5c3595abebeb7de45984e6d22a1013226311ce6d0044eb563dbc2aa1efdd51ccdbc634516167d09dc1c900a868157c11be2674fa3d9c41893773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0167a9e81027f36b33d058ca4c6d21e7

SHA1
13b459038fc862ab431f429ae0fe271bbc6b75c4

SHA256
f0f84e60389eb8b8e710efb146443001bbb7e3c1bcb82d5ab70df546e2f84e27

SHA512
0e7e0d1140d625ffcc87d6b8016fec68e62612d0ad3dba6b84221e50e316661f79c21d992d1b1346ad9f9d056ad11ea8bb8c7f810120a80fd63c9c5bb06838c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
071b5de2b5dcd7a1d7e73d75f13dccef

SHA1
123829a44352fd5f3cd8d675e5d9c20209fdd05b

SHA256
b9b159fe8b9e2e08e78d2efc55861664c4b887d9d37290ec50074aa282128d73

SHA512
82589267392b7413400d4a67571b1cd5389add777e68094c1ae4dfe1767b2a0c0c78f812a5d53c5075742911ccc9beecdfd301e1db5dadaea47e53e30eaf0b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b329f9e634fd199ed0ff6e040286ca6e

SHA1
1acd5bab1426a67957af98ff658ae8e3c0c1319e

SHA256
079797297ae843ffa8efb805698b1d27192447a1505b51d1fa92f3892665c501

SHA512
6b65087292165370120318bbfa6929ad0678e258b9c2bebf3f9068fbc1ef7e457eeeec2f2609219abc04480ff70c63b1d9f524fc3736456015c657e3dbe7926c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2a8d25f705f0ccb897ea586d90a3066e

SHA1
9eac5ffd71f92c556808e3ad7e831ea747baa5fa

SHA256
11781a4de6fa2ff97e61d72ef9fee350695169cb974e814ad36214e9fa053cdb

SHA512
2d4ce8c703af743f39dd676eed5fff027e169aaa8868156cdda145743cf4316d98267118ebaa2ee6c1aa9ab9e96298fa45bcd5aa374f923cbe98e54fb8db83de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cdda3a618b25bc3adf535d198885a34d

SHA1
663fb6f2ad30829cef74c7da9cd071ff9f0d6af9

SHA256
15cf3f68c8aeff3341c484e0f48a793bea33bd61b61103677ba44b88a60e69d4

SHA512
65720524597e2b174ccd1c866c37cec80748fc5607bf83589ee3156abf4345588b601a4607f502cace625b32aa81770e6df09adcda82d603a2fd88c033095890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
25017f7f8a1580a8ef7b17b744268aad

SHA1
b1901b7740990c957d1b0ec5348effe63793755b

SHA256
822c3ad64257bd5e60f48650bf760b80125cb8e8d4744fcea742baff9f458ae8

SHA512
ed9d5e71623fcbd819e1f46dd148458d62a329c01eec57779578e9a4f90e2da42137d9699a53476789f6e53add5a1b3bec44c0221299948c9fa8c38eda3e88ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d673e4cf2e4b3e07b0034204b67b34d0

SHA1
af66f2685a0d83348dd7c88eec12f06cab46bf33

SHA256
42947ff67a864090f87259f541a22442c09430a04db4fb4f9bc184e38cd07327

SHA512
dfd43769ea493aa90cf589724c009d91255b23eeb5fe59b785a52616c6b2fb1bed78ecdc4d0bbf64069b31a10402a0402d14ad0803ce7ec8e4696d9628c9c7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1d8caafb975f958061b3eb2b65992bbf

SHA1
2e0a51d2204876ac7c40b9498d5a6cb5dda311c9

SHA256
7552fb5685414e2b38aa5198531452c1d0e7b46be936c08d7ac6fd6996f07da6

SHA512
06b9720ee7e98e26669105acf7b9163ac944706ba08cc646d431f098e33af2f3201d687b4e6683d7f923aab44a7d764d15cc4f3c307398e6465d7829baf66514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fda1d861757295bc3dce8d09b87f37a2

SHA1
ab51dc903529d9f318a9e528b08ff67ae3a22b43

SHA256
9d44747910ed763d2349763ae68bd5aad2c3a6b6258484119a21d8f7d63a9502

SHA512
c4c4327eca9dbfc5d0b9f87d9f24ea3d420fbfb03cdf6efb52a79f6ecbb64b3dd7b48d17571acf3dd2915f628bee8941057c58fd7ae06364ada7be2d84965a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8b8b624d7f03f71749adf0722d6d5789

SHA1
ef405153232f02dc0ff7a1c654591f2ba89fa502

SHA256
e272d115bc80092a98d89cb909b4f72ebbb66c6dc9d36f7bbded27a0fd7816c7

SHA512
368c1ce47ace26b77956f5dc435804eee6cbed0bb1766660a414b747e62a483af59662e9ac3c952173ef503518838a1d8fa5fe7bf20c16850091c25211d0f0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589a95.TMP

Filesize
538B

MD5
2bfb528966a60cb8a2a0096be9994aa3

SHA1
87b54db8d95ca46883906f76d6c6fea7aecf6256

SHA256
85587c70b7b3975243eb58394a53188e0994f1af3a6724e618568488232a1721

SHA512
a07aac17deb22e7eaeaeda35673be982b21d4fc421a70777d3de573069dc2aa5f562c3aaf1f5ccbae200b55669871f048911174be9bdbc75094b2598955c602c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
039d23733254c2ca9242288c530e721d

SHA1
80b782f4dbeaf8ea93de88fbf6d6006445f59712

SHA256
3eb8b99911c745e7b3d8e56aa87e919d5c8dc5dac18826e4b07b24ebd3e7369b

SHA512
2e290465fdf866caf3870f02750bbf2b155049e3b045c7a883f97a812e878a488588c2beb5c04b598e951a7225e006ceecf4d13afb24a083709f4e43a49a088f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f825c0c8bf6cf7866ab2d6bd9520f67a

SHA1
77e17ae2ae682a856728fdb8708b0910982dac99

SHA256
5c51c0c7e67740e27d721a394855acf3c85c6095a0d5c5134f801e703c46518b

SHA512
ae77b354b3373928654bcf0c3a514a2b5ea5245b3ed5ae8c24b4dd0dd0b2472022b3899c8a79e8c286022ede11d5a57a180cdadb6f05189bc97532c02262dc12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
45ae32ebc963965a3282fe2d2915ece6

SHA1
9d0ddc202c541e468520014960184256dea9f304

SHA256
53670e554c40928547911caebf8814344cb1f08300a00037f59c7e258a017581

SHA512
932ea7a2001b3a38ec0f25e7e3213616ec8225f823f6c123c71944a2f38dd74a7a00d157cb0146fd90375f4844a335a0cf892c1f31fe55c9ee0749f5d425ba72

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
26d98b946f17c556ed48590e1e6afa3a

SHA1
e8f42f8fc64a498a5549da2a7e687f65346ebf84

SHA256
b2b3884625d0b3bc36888649d7c3a9187a29aa782fa68a3dd5ddf82f19ed9f91

SHA512
f09c4a67232efa5cf2a66bae57a2222b89fb45700da028a37598fa6b3cb760a8a84609a4ac91d4b314bc5e32f5f5d198d048ffdb9804b38d93e741a87285884e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
3e1f5eeae74491d8850ef2c8b03a9a3b

SHA1
0c02c9c2550107de6dd0eb740ac5668f292883c0

SHA256
66756c0edf3925de7bcb685385e2a4f0b854cffd796a9e90eb1ed064b1fb0e30

SHA512
7637f0807d88dbceeb68823a044583e2248ac1ba73c000da6560f94075635a27d15970df7e52f8315bdc2f1c45cff6f1ab7690e916b58307a533f8df24329c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\procexp64.exe

Filesize
2.3MB

MD5
dfeea73e421c76deb18d5ca0800dccf2

SHA1
0497eba0b24d0f4500faad5ae96dbebab9c64608

SHA256
8158dc0569972c10056f507cf9e72f4946600ce163c4c659a610480585cd4935

SHA512
23ddc9f28314d4cf3b05d88b9e0b6fd69f9804f5e9c3f7703258ff2c5786721061321379fde53e21048d3c7cce1ff71e2872d48dcc580d059397fa0692335630

Download Submit
C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\ProcessExplorer.zip

Filesize
3.3MB

MD5
6c33b4937c5ed3f19f44cda1a9fe0bfc

SHA1
09ac5309b4d112d7cdb275572c28e3513748ad8c

SHA256
54336cd4f4608903b1f89a43ca88f65c2f209f4512a5201cebd2b38ddc855f24

SHA512
de2d46289164c77e7e5815d011164b48fe3e7394228a4ac2dd97b58a9ec68e306e7d18b18c45913fda9b80fed47607ea7600004e5fdffcda5b1362e71ad68056

Download Submit
C:\Users\Admin\Downloads\ProcessExplorer.zip:Zone.Identifier

Filesize
68B

MD5
95382976d1d1faa42a3d1561498e4ea6

SHA1
a73de3ad4be0e5beadd5fe5ec4ef9e5bf41da233

SHA256
10b5e0c965f5f3a06c919adddcb0a93458b0140de324b0ee96873d8590a98e9a

SHA512
59f643930138c9f9064e469ed880eec1577086319906269ed9673f3424cc1ed6a8e606a249133ce03c48fec006aa48cac0bcdd970ac4f91849dc1baaf91653a2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 849999.crdownload

Filesize
1.2MB

MD5
f257a0e7008656f9e2fa44a8a14f8d0d

SHA1
3469c35ce974b4c7f0531af5116266393779d903

SHA256
0e99e5e385e731404a25342a226633594e160f2081bbe4c84a756186ea08a9e8

SHA512
e9d9dbadd01ebfcf4ea40d49cbacaab4ac43faaa21c7c0a173032e1382eab52bcf18bc2d26c5618cdd4d7d3642581d5d08a48330551f51617e388ac88e5622ee

Download Submit
memory/4460-572-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-581-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-571-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-573-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-583-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-582-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-578-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-579-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-580-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4460-577-0x00000233A5C10000-0x00000233A5C11000-memory.dmp

Filesize
4KB

Download
memory/4896-345-0x00000194338C0000-0x00000194338F2000-memory.dmp

Filesize
200KB

Download