Analysis Overview
SHA256
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Threat Level: Known bad
The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
Nanocore family
PurpleFox
AsyncRat
RedLine
Oski family
Detect PurpleFox Rootkit
Oski
HawkEye
Detect Blackmoon payload
xmrig
Process spawned unexpected child process
Redline family
Dcrat family
Raccoon family
Fickerstealer family
Gh0strat family
Hawkeye family
njRAT/Bladabindi
Xmrig family
Blackmoon, KrBanker
DcRat
Raccoon Stealer V1 payload
Fickerstealer
Blackmoon family
Gh0st RAT payload
Pony family
NanoCore
Gh0strat
Asyncrat family
Azorult family
UAC bypass
Njrat family
Azorult
Pony,Fareit
Purplefox family
Detected Nirsoft tools
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
DCRat payload
NirSoft WebBrowserPassView
XMRig Miner payload
NirSoft MailPassView
Downloads MZ/PE file
Sets service image path in registry
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Modifies Windows Firewall
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Checks BIOS information in registry
Drops startup file
Impair Defenses: Safe Mode Boot
Unsecured Credentials: Credentials In Files
Uses the VBS compiler for execution
Unexpected DNS network traffic destination
Executes dropped EXE
Enumerates connected drives
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Checks whether UAC is enabled
Maps connected drives based on registry
Accesses Microsoft Outlook profiles
Indicator Removal: File Deletion
UPX packed file
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Windows directory
Program crash
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
System policy modification
Suspicious behavior: EnumeratesProcesses
NTFS ADS
outlook_win_path
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Runs ping.exe
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-04 19:23
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nanocore family
Njrat family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 19:23
Reported
2024-12-04 19:29
Platform
win11-20241007-en
Max time kernel
97s
Max time network
302s
Command Line
Signatures
AsyncRat
Asyncrat family
Azorult
Azorult family
Blackmoon family
Blackmoon, KrBanker
DcRat
Dcrat family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fickerstealer
Fickerstealer family
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
HawkEye
Hawkeye family
NanoCore
Nanocore family
Njrat family
Oski
Oski family
Pony family
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
PurpleFox
Purplefox family
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Raccoon family
RedLine
Redline family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
Xmrig family
njRAT/Bladabindi
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| File created | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240616453.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37.sys | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| N/A | N/A | C:\Windows\Help\Winlogon.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 185.228.168.9 | N/A | N/A |
Unsecured Credentials: Credentials In Files
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\tracing\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "\"C:\\PerfLogs\\a.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Recovery\\WindowsRE\\chrome.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Monitor = "C:\\Program Files (x86)\\DPI Monitor\\dpimon.exe" | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXPlatforn = "\"C:\\ProgramData\\Desktop\\TXPlatforn.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\___11.19 = "\"C:\\Users\\Admin\\AppData\\Roaming\\pidloc\\___11.19.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ö÷¶¯·ÀÓù·þÎñÄ£¿é = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\ExperienceExtensions\\SearchHost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Start Menu\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\KBDTAJIK\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ö÷¶¯·ÀÓù·þÎñÄ£¿é = "\"C:\\Recovery\\WindowsRE\\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe\"" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\System32\KBDTAJIK\conhost.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\SysWOW64\240616453.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\KBDTAJIK\conhost.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\System32\KBDTAJIK\088424020bedd6b28ac7fd22ee35dcd7322895ce | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files (x86)\DPI Monitor\dpimon.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DPI Monitor\dpimon.exe | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Help\Winlogon.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\KillProcc.sys | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File opened for modification | C:\Windows\Cursors\TrustedInsteller.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ExperienceExtensions\SearchHost.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ExperienceExtensions\cfa885d449487c00023eaee43254d4b7ac0b9e42 | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render.dll | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\WUDFhosts.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\rescache\_merged\37519308\a.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Windows\tracing\conhost.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\tracing\088424020bedd6b28ac7fd22ee35dcd7322895ce | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render_New.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\HitmanPro_x64.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Help\Winlogon.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\test.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Help\Winlogon.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\HD____11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\gay.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\ | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778138750070952" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\HitmanPro_x64.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Opus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\mediaget.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\HitmanPro_x64.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\KBDTAJIK\conhost.exe | N/A |
Uses Task Scheduler COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\aaa.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Users\Admin\AppData\Roaming\healastounding.exe
"C:\Users\Admin\AppData\Roaming\healastounding.exe"
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\22.exe
"C:\Users\Admin\AppData\Roaming\22.exe"
C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
C:\Users\Admin\AppData\Roaming\gay.exe
"C:\Users\Admin\AppData\Roaming\gay.exe"
C:\Users\Admin\AppData\Roaming\Opus.exe
"C:\Users\Admin\AppData\Roaming\Opus.exe"
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
C:\Users\Admin\AppData\Roaming\___11.19.exe
"C:\Users\Admin\AppData\Roaming\___11.19.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8648.tmp"
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Windows\SysWOW64\主动防御服务模块.exe
C:\Windows\system32\主动防御服务模块.exe "c:\windows\system32\240616453.txt",MainThread
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe4263cc40,0x7ffe4263cc4c,0x7ffe4263cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:8
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dllhost.exe'" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:1
C:\Users\Admin\AppData\Roaming\mediaget.exe
"C:\Users\Admin\AppData\Roaming\mediaget.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\tracing\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TXPlatforn" /sc ONLOGON /tr "'C:\ProgramData\Desktop\TXPlatforn.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "___11.19" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pidloc\___11.19.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDTAJIK\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "主动防御服务模块" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\主动防御服务模块.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "主动防御服务模块" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\主动防御服务模块.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ExperienceExtensions\SearchHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\PerfLogs\a.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\chrome.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
C:\Windows\System32\KBDTAJIK\conhost.exe
"C:\Windows\System32\KBDTAJIK\conhost.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3644,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:1
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240639593.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1376 -ip 1376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1180
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3148,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3156,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4404,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
C:\Windows\Help\Winlogon.exe
C:\Windows\Help\Winlogon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3248,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4276 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Cursors\WUDFhosts.exe
C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4996,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1580 -ip 1580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 480
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5340,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5712,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5700,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5844 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5992,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
C:\Users\Admin\Downloads\HitmanPro_x64.exe
"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4696,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6400 /prefetch:8
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=1668,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4240,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5864 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4904,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5988,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6400 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5828,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5980,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6400 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4660,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6684 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6976,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5752 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7092,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7088 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7112,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6816 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3244,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004DC
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5920,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5984,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6196 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6712,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6904 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5696,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6260 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=4936,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6204 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5964,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7140,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=7224,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7348 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6816,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6928 /prefetch:1
Network
Files
| SHA512 | 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268 |
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
| MD5 | 8f1c8b40c7be588389a8d382040b23bb |
| SHA1 | bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a |
| SHA256 | ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1 |
| SHA512 | 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f |
memory/2460-111-0x00000000003F0000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Roaming\gay.exe
| MD5 | 8eedc01c11b251481dec59e5308dccc3 |
| SHA1 | 24bf069e9f2a1f12aefa391674ed82059386b0aa |
| SHA256 | 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d |
| SHA512 | 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc |
memory/2580-65-0x0000000000400000-0x0000000000625000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8648.tmp
| MD5 | fb16df60656546f3eed87417838a3342 |
| SHA1 | 5c8cd1b4fdd2fa57a31fe30a65e332c30a20b4bc |
| SHA256 | ca607854bb6d7a457f80fdadeaf62a5471a71824defc531136c4b8a8452af426 |
| SHA512 | 2a56a040dee5c375ef8bdffa7c4f3f0a379bcc387655201f744e8fc99e57a6ed3afdbb92f63b783e8d4354e62908c80e8e7aac1636748a117e1507f2ec0f35e8 |
memory/4792-254-0x0000000000400000-0x00000000019AA000-memory.dmp
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 22bb5bd901d8b25ac5b41edbb7d5053e |
| SHA1 | 8a935dd8d7e104fc553ff7e8b54a404f7b079334 |
| SHA256 | 8dcaeeebef9b9f3d41d295db145ffb3850f309d089c08125c7fa7034db5fd80e |
| SHA512 | cc3fb68fd6791a08e4a7d1a8db8d07cfcc8c9b9dceec10b53f0cb7ee86473303a19be4f23e379f84c59e02d0568e7c066e21cd1300f6032dac4ba52f609f62e7 |
memory/4792-304-0x00000000061A0000-0x0000000006562000-memory.dmp
memory/4792-306-0x00000000061A0000-0x0000000006562000-memory.dmp
memory/4792-315-0x00000000061A0000-0x0000000006562000-memory.dmp
memory/4792-326-0x00000000061A0000-0x0000000006562000-memory.dmp
memory/4792-323-0x00000000061A0000-0x0000000006562000-memory.dmp
memory/4792-319-0x00000000061A0000-0x0000000006562000-memory.dmp
memory/4792-312-0x00000000061A0000-0x0000000006562000-memory.dmp
memory/4792-309-0x00000000061A0000-0x0000000006562000-memory.dmp
\??\pipe\crashpad_5112_FECXNQEIDECWBFJW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3652-342-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3964-345-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/3964-354-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/1372-357-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1372-356-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1372-355-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3.exe.log
| MD5 | ef46129aa52eb53b42a33a6cae6021f2 |
| SHA1 | 809c987b65cf51a75563f14f179c2e5adbb4db58 |
| SHA256 | 602ab1dff04cdfee5dbd495e7ed729623437676c186f7e217ddafc8dcfd0617d |
| SHA512 | bdfc36e5e54453173e9943e7c5eaeab30b421e9ca600aa0dbc03fcf46c8ab7651a912f8014bd78d31355aa2dd029232f586b7d5e01de16cdd5d597032460496d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/4792-376-0x0000000000400000-0x00000000019AA000-memory.dmp
memory/3420-392-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a57c74bc3131cbe65824ba229bf517fd |
| SHA1 | 147acecdea0acb52544c1403b0ae6b3c52d209e4 |
| SHA256 | 2243df7f499a19b5d9d338f773914fe9bef26432ea6f63d56b7c7f33cfc67a50 |
| SHA512 | 5818f5d1c280c65aced9e286c4b8c2dc511636e29624850fbf2a4ba3d4c758ddf7be220c1134208ddb2cc38779f0d8c2003d7a4a4167fda75898aabbb1d6bfce |
memory/3420-390-0x0000000000400000-0x0000000000495000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2e083adeb2a56dae1d1c25c3d3135bcd |
| SHA1 | fe947bb6f2b8faf205e872d908e7aedce94404d4 |
| SHA256 | 69ddd59666463e8d0caa24ba2ddbe4713638972d975dc93435e5c7d5b1df5d42 |
| SHA512 | e2cf96c49fddea4983e41b2886a8bf174979251bfd306014cdcaf8294e99960478646b85314bb32fc3a60b3b1b69764553773e550aeb024044ef9f1e2ab49b2e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f0ce9f283892061c75752a2b75df367b |
| SHA1 | 73c50e0d2995cd3958e5f7e1ed9bc8d556344b9e |
| SHA256 | a6011b26481d457f5908c3644423ad1b6bd0003b4c44dec346f33ca43431c392 |
| SHA512 | 6b145af4d9d84bb5775517ea73bf476f189fa02e3d5d44c6228cc2c2e11fc1f4526df7b3acc39f2f21244df6d89ad6080351da1d9ceb0c522605b0a83367eac6 |
memory/2640-426-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2640-430-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2640-429-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3540-449-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3540-448-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | fa664fda7f7eb57170b77c19c17d8712 |
| SHA1 | 9d46b91973d13579156a94569e66fae4543961ae |
| SHA256 | 16360e8664e75ba7ecbb75623b853fce6e3646b387b8285f6349df3c500e5750 |
| SHA512 | 3f852b0a207986b487679dc6a38c9bfed0920213e15d7886aee4e39dcb0e3c242b4cd89d30d2bf482659136a039f3e31c4eccf9f1bc86ec8e3d69a361a511ce2 |
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/3540-469-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1752-471-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1752-472-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1752-474-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scoped_dir5112_2060521537\c3ba5117-010e-4a18-8db9-2f88b6f7c0d2.tmp
| MD5 | 3f6f93c3dccd4a91c4eb25c7f6feb1c1 |
| SHA1 | 9b73f46adfa1f4464929b408407e73d4535c6827 |
| SHA256 | 19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e |
| SHA512 | d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4 |
memory/4352-607-0x00007FF6B1FB0000-0x00007FF6B2530000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scoped_dir5112_2060521537\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 54dd967f4e7984a2ca5bc86eee9b6ccf |
| SHA1 | a1b6823da89c1c1979266f220b035a9a5afe324e |
| SHA256 | 6a2fca39e34c1bd6b9448e7afe0282f27b83c0d0ea9f6ef533752931d7baf7bb |
| SHA512 | 827e0dbe8eee519b9036d4dc62b19b96ad38419ef052598ad33513a47843aa1000bcd15bc8299b6c2e383b4a6b3bba0e9429823a1128795458b441f74f7acf90 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2a8bfbc26cb8cbc9dcfc244b60427d51 |
| SHA1 | eac446ed69cda8be43bc738e96d3619e56ca6b59 |
| SHA256 | 8bd7ed17fa6f146b17942db528020efc9652a88bf95750e27df18ded30485b62 |
| SHA512 | e65a256f72cd3b3608dc6fea85af6964429ec1d550c7607cb919a458d3bc04fbc8653fded28367521968af61466963dbaf734c814eb27976d0d763b75e51b096 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 077208066549b16288cb803930e2ffdc |
| SHA1 | a5d67117b397775d87fefdc9a45db831a45705bc |
| SHA256 | 83e974a8ef52ee1a4b166da740bf1c2ea343dd63b5e641ff8d927e55e2df1912 |
| SHA512 | d293fc506d1f6451349e025a07f7d1908b0f83cd562045a2e3e997e7df79dc7f7bcf34953f20fcc836dee1f8606e4f6f0d8683b23f4d3127300e9cad4334af74 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d4a30166078301353baa70d29c4cf57a |
| SHA1 | 4f6e90b95c5d7c7759e992eb65a008f0f2f5307a |
| SHA256 | 2c62e914c7a13d5aabbf5bc9d1ee9d412f95429fc76309488c5bff3d3e7043cb |
| SHA512 | bb2b41a9ff6864a2d5f63760672aaf907d2a05d53932746dd4a2e1306fe69f55c5dc6363de6fb55c95e84c9801e4cfcdcc1a7e971f45464f3be7489fecc4ab4b |
memory/4352-948-0x00007FF6B1FB0000-0x00007FF6B2530000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8b157af1cbd675041866e762d853decc |
| SHA1 | 2b0c3e6fa06f6d4c7fbddc1621fb26fcbe846f64 |
| SHA256 | b74172444ef57ab52a7afb1be170065c8c742bf80b0ba5b77e5f25cd3a964fc6 |
| SHA512 | e412940cfadb6a09d999dd4951a2bf3e391b5de2baeab1f3557775ab8b1c5d03a8b30438966168c3b2926f24493c03d8c5fdd1d8e15760ec3b63f9fac8131c7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dc4b4b5d4ce53c45c29909aec272d3f1 |
| SHA1 | c4794803f479ff58c56df59d4fd33372cbacfdb3 |
| SHA256 | 3504c17f959dd99af0d54d940b3a77a1e95664659f88d2b6eae762a66685be11 |
| SHA512 | 90edfde4b08192cb455009f44fe5df95479145f5c34803faccc150fcba3e00be06d0acbdea487f729df680a26891ad8e3ae07fd916cf27d12d2aebf584b4a022 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | d8971249419d782c10f861a105604903 |
| SHA1 | eb4221f2028adbc4c7769956ddb12190fc93f684 |
| SHA256 | 6c05d12024bb0174d735e2ece97fb46b75f8da6222d63f8e63135a2c850f8a7f |
| SHA512 | 8969eeeca6ce01cf74f0d5c1be7f70ecd8a560ea5f804dc93fd550df4082b9fffe73485481ab87379260e79a6514b39cecbb424821a78130b1000a5fd61c2d25 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | bd8ff78b7c138bae4e3b1fb97b832288 |
| SHA1 | 560e60a14986b8a6b83b8c6ab68a9796d74cec6a |
| SHA256 | fafbc698b506e009ba665191b1e4d9690c16779d8a5c421b18222ad706b4e0d1 |
| SHA512 | 61668dec342b73ede086648a4edf33d3f291226b6525b55eb3224b11bca2d64c5bcbbb63483e93ad3bcb4d30ad7c51bfdf4bad8064839261196aa5ff09d4db5b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 450bdbb3139c8bbbe3d6101d6e53d770 |
| SHA1 | 049b63276b203d393fa093858b6cd6e43c1733f6 |
| SHA256 | b2b436dcd66ecced895acc96068213c14b8fc769407e311e384113f709e15c6f |
| SHA512 | d6fefa7bb81b37a146c12fbabda2824ce4889a3795c8905b8523eb24b142f21710fa1bc8486aa54da9575ff38eb0720d9f77f9ba3375e213d8065e8f75008ac3 |
C:\Windows\System32\drivers\hitmanpro37.sys
| MD5 | 55b9678f6281ff7cb41b8994dabf9e67 |
| SHA1 | 95a6a9742b4279a5a81bef3f6e994e22493bbf9f |
| SHA256 | eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6 |
| SHA512 | d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d15b78df2b47fe84fc0b8dc0c7315e6f |
| SHA1 | ade4de85f7029b54c244a26bec3aedd3464be4d0 |
| SHA256 | 18e63065c84fca954b5809ecf533cd1bc1e34e3c2029cf126d7d62b815cea8f6 |
| SHA512 | 297795943206d7a7dd584cf807d4e4014f645d68ac82e12b5d29f373cc2f63f488a935c7407169aa329f2e4f2b2d55fe3a286dbc06dfcdeba0bf2767f299e598 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dcbd4bda8938d5b4d0b271de2353f818 |
| SHA1 | ca6418a27aabe47fc30926efaf14cd23363761c4 |
| SHA256 | 074f3001dde4961b5edc64b6d04767cef264e6b2d1823e96427936f4fdf8b871 |
| SHA512 | f07b553dba2eb6515b5d0edfeb7ca98ef12ae996679d5b3ff0c90105bcb19d2f81b555ed95978e99c1ad59f03302299f1ca6d69b1645f199505ce5c36b89d5a5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\03f7f231-f5ab-4cdd-b706-44165166f8e4.tmp
| MD5 | 8e2bc0a0c087a98304fefa8c5bba0302 |
| SHA1 | d06a8488429fb9f5cb29aed52a75642c520ab989 |
| SHA256 | e032e60e362b0bf8e55471b1ca7b999d34fedc2a3d2fc48e445978617b405875 |
| SHA512 | 1c2e59f71485ef5c88b48c539c79eff8caca88138320bd078d80f3ddfec91fb437fbd34cbd943f6917885eb0370147a8ecc2c0d18a2c7aff7f5d2cdab95a013e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ede5b1c2086b4380ebc0a8f9be268a55 |
| SHA1 | 7f2b9b0ad429632417b391f1f1b14ba8a783f6fe |
| SHA256 | e9b62651cb93cc309baf33bc957024aa917034a633f062052a21367b9c338bb5 |
| SHA512 | 4e64e946a460c865ffe737dc8c8c6cfa6ba0ad00bab3856185aaaa34ba196422475eb552cbd9e18bdccc0bedafea647f309bc0015728fc04df04d0d9cdada5ef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d278452c1376945477b5bd74d474ead3 |
| SHA1 | 748586c24ae34ac6cda05a6fab582ba638d1662d |
| SHA256 | 600bdca0e402e6f05daffb6ed342cbdcaea82de0b1a9d029822b1ea05165579b |
| SHA512 | 46cbbd5f34cba27ae63366d085d560a6a38ce2f20abd814203fca358a17bb9342cf50eb8edab672258c7530f825e2b310ce571121c438ab461413c0b22a214c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 65a1352c1fe6c67cdb46b109523c6a24 |
| SHA1 | 6b8148e6765e547de54bddf7e00577b177c8dca0 |
| SHA256 | a1cbff1163aeaec44c6a5402bfdc419b48b35c1d10aa171de0a3e0da008fb495 |
| SHA512 | acffd996a65aacaeaf86e4f2cfabbbd1c978504efdcf4f0ee6187e7355a4e2680b09d3886f4312057b7fcad4f34b7a144e9f6cf9b9ac496d6dc3e4e6c0b9e768 |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | d222b77a61527f2c177b0869e7babc24 |
| SHA1 | 3f23acb984307a4aeba41ebbb70439c97ad1f268 |
| SHA256 | 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747 |
| SHA512 | d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | b5ad5caaaee00cb8cf445427975ae66c |
| SHA1 | dcde6527290a326e048f9c3a85280d3fa71e1e22 |
| SHA256 | b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8 |
| SHA512 | 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2f89eedea2e9ee9cdcb7c48dd9c4bde1 |
| SHA1 | 584e12face13ee224e01f7d74c20eeedbdfd34b4 |
| SHA256 | 41ae3928d39fad56e530a5816e4d512c42071c949fe57624d71209d7859b9ceb |
| SHA512 | 37f025d32dcc69560201638eae6c030cda7f66b2f1d6ea8581cd1d5105b61adf73954bb1e39ae161c5cb003fcafeea254feca44639555178c33657bf05dd39a1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d057daa0432f6587d90906a2aa917cac |
| SHA1 | df05c740a1f7326409d7f78b89cbb0ea98f8da0d |
| SHA256 | d795d9b66cdce1e9706d99a6936cb8530da97e8f3e78427f76136952f6f68ab0 |
| SHA512 | 8fc9ce50fba066a9776f363cd1c699695c6fefab4758edb1f948082bdae8c975e3dd4703e8b78d930ec96f2632d30246ccdf2bfb77e4fd6e0bf62093e09d4536 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1dad19f1ca9448930f7d7ab29f4cb7fa |
| SHA1 | 95199a7566ec9249d66d1a30cde6bceb2d1a28d0 |
| SHA256 | 68cf2fb59479c3da83f7e88335053d9ab8d642236bb230d056720d635406d927 |
| SHA512 | fb61675974bb836bab35011c1dbb5b8a31d5b05bd4b81ecc90542d094f58103926e7bac7539acdeff6d9bd2f6dd74655708702759e0c33c43b9d54c41eb74813 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 96329c73cc49cd960e2485210d01c4d2 |
| SHA1 | a496b98ad2f2bbf26687b5b7794a26aa4470148e |
| SHA256 | 4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466 |
| SHA512 | e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 847a64ce22adca83e091e5403ef844ed |
| SHA1 | f2cf8559f0eba3d237cee1162b811613d2a0c308 |
| SHA256 | 1db255895b125edbed50b5296edafaf303dde2b93a600313b6a1aa61f9ec2b88 |
| SHA512 | 94abff56e498bfd7af0e72a652a0b03d29cbe7d0322f43cb8fa4182cfa829ec6d608c5bb3f6deaaf1dcaae764c90036beedb503109c8080999dfaf2d6a2e9de6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1cca473d591a1374b4ee2b0f19877493 |
| SHA1 | 4f67a4ef4caad0c2ecf664a40bece6be030fd9a3 |
| SHA256 | 5bea833ed5f8ae0ded0e73dfd39a4232177d8b618210f923b486c05d497548df |
| SHA512 | ade623f92f477cc09d1569d554362d5dd232e39d4cc0ad05bc20d2c40b11f731d1548675469b5c4f5031f87d18b3c3cb964c257bf757332d1b539b6f2c7b12d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 79ffc9ecd4837b3f3bb93f34e3041a25 |
| SHA1 | f340579da32fb4a98ebea208073876d09494c758 |
| SHA256 | 864ffd62be0c9376529089a598436f1079207b883ef7bf75d95beb469059e9ef |
| SHA512 | 0b66c2ef814c22a592a6a63eb1384003969f3e2b2779a7df16baee585c8800f16ed3547be3474479f9280afe1342c716cdbf70f7e5f6ea55b517c762605dc5d4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9cee423cc765f223e027e03166b10f5d |
| SHA1 | 3e93830cfe385722b20cea7615da02d1b8aa7af6 |
| SHA256 | 9ea47790f502fc7b160a44198eaf04c6a9b8a331e9e038b07dbb680e8c07a30f |
| SHA512 | 41a6e73da023529f539c599d15153343779bee73f39692433fd9d95ca45c2b7db8f7e9de8933434477f0b293e749990bfa52bb01846f7329bb377af36b729ea9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 71c796e25ac5a8d5f8e433ffda663b32 |
| SHA1 | d8707fbe739498e00672b83622eb5476a6f5ae3a |
| SHA256 | 8f38aacba6dae50e7313552009f106cec1f029a834afe3dd246fdcf758344f7e |
| SHA512 | 1ebd0ffb239bc79b59da2fccdb68d362816e379429b2b7a26f1945700c17486d8f21f1222c212960f6a6e522e565ea0986e6a032b90c04ddea1740f1acd0a849 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 41c9f95896e4398cdaa94ac6d6e7b1a6 |
| SHA1 | 0118160aa2304b6a532aa975c4201c8742ab2bdb |
| SHA256 | edd2cb5fbbee6409c1e3d24a404c65dcadbb2c025eca3c12edaf031a4f04ca06 |
| SHA512 | 39f778b86c0c10cb1344aa4775d28abe82b87ae83607726058ef8e67d4350cf97bea226edad6556bdfc5ce676b337df95ed2278a2cef28911368f23b2f21c877 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d
| MD5 | 2be38925751dc3580e84c3af3a87f98d |
| SHA1 | 8a390d24e6588bef5da1d3db713784c11ca58921 |
| SHA256 | 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b |
| SHA512 | 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7a057a2ade70474e563c2271fb67d8eb |
| SHA1 | bbb9aea4ceb9bfe80942b0de464826f256aba569 |
| SHA256 | 784fe54683d14d848bcbc148810b2269b29c29913be90b2e3b20521518b04862 |
| SHA512 | 0106258e1b3d97afb5e9ecfc4fa2146d7c201db9bf1e9e6e585d8f34ced62ffb6c2630f696d5e2d9a435f671ec3498ca6d1d9cd912196c53023b3f682678c0f8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ed7a3136ee3a5639ca29cee52b651ce2 |
| SHA1 | 5de6bbb17af4b67d49f2a0705ca37d6abe1f47d4 |
| SHA256 | a22d542b9c4aafc4b656fabca06dc147dde094352ecee84f919da04dff61365a |
| SHA512 | a2d48cc89bc20df81aaaede436882b576c3e8a5265b1b4dc4c5f13dcbdeee3eafb7cc245cb5424b12d445b918e0b0557189c4c1dc847bf0baec708e7cc5edf2a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 38d85e904b1c810bc67e3b4137bd0993 |
| SHA1 | 6e7f3407ad2195f5927560b67ca8311b6843fa29 |
| SHA256 | b046a7e4f3334da23c2db9c8dbb8cdaae73eb30d3b18fb6c761566e1bf6369de |
| SHA512 | 4698bfffe05c4915a82b84d09df9f6cd23292b2eb8adf756e322e88df7208b1fe2f37d80c31878377f7021fcdb46baf1cf862ab3cb5eb1946fe94de2704b0f6e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 77525a26bf8c6943bf4b86879384f14f |
| SHA1 | 217c4c14acc6d8225dc09e4b857bc596411d5282 |
| SHA256 | 85c3498fb3e449c3c45d10b04f8de201840f55b56c84e4128a4f609ac1b4d037 |
| SHA512 | 7158fe4ff237a5064331719eae090b6d1ac2ea8b7057f74fe9efed4d923306a48948df21ff8b5696d66a4fccdd5fdbb3cb95cdfa8f132cb92d8ea9c1d6bcaddd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4d174f9772192ac91936c6aa6b35d6bc |
| SHA1 | 00484306757962adc9e7c04ba990f4dbd5430da9 |
| SHA256 | 322c09362f0227c96a1d7928781f42382d394d45d8b6f322262a839760f317c7 |
| SHA512 | 6b7f22cbb803d91c982878eeb1b62ac3432c5ddddf72e001ceb1c234997af52727a6f2ede964016ebc632ab0408aecd2d3ec1c3a8fdc4b333d2944a5cba87d77 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fc4c34254c6c12401914a4763838cac8 |
| SHA1 | 1d1c6c670b6ba4f3e30902786767215721010fae |
| SHA256 | 2388baaae65af1cd6ce813dbb093ac37e02e8635efb0c631c6f3f285ef948833 |
| SHA512 | 9c8e3edefe529ded3940227950dfb475638ec032dca1a65afd537dbf665312d7ef41221269a7a2b9b349c4a359a1eb3e0e480c907c6f81bad93aa87848c6d600 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | ca63ad1bc44409607b5da2b7f64714d7 |
| SHA1 | 7f469810487b5de4265b3360f02756e2b2cafecf |
| SHA256 | 2dd4e1dc3539f114e84670a80991a03c412de669d7b5fe82be25e4cebee72a9b |
| SHA512 | def6da9f7fa8471d67fce860c5481a2409a45e154897d1f7a5f142c75a48a36d0b64ccd9caf7167460fd257ca8dddd5dacf2e4a1242c1c0e746beb469837f19a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0bd6089c9a79238630a47863f0e99cc2 |
| SHA1 | 781d4e0e2aeb70b51aa8d5953a6b228b32120f7e |
| SHA256 | 9e25de9fa04f2a47c2badce37acf4df69a63d972b852ef902e8372f1dbb88daf |
| SHA512 | 90a8d3ee75dd70ca85b6368e93089248abcd49f07aa9b12e7aad8bffc420437922a0691143a1a80ea0c42eb1bfdd64bedd70a305b0b3513de3b12755f6ec7e67 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 225025658d207d5f6c8c8135d601eecf |
| SHA1 | 8cdba314b7c08025c301475e160fef9c7ed19a28 |
| SHA256 | c5360f371327c77e617f18aabf6c1c2dedd92f9f9f6439ffaf5cd0aa97fdb587 |
| SHA512 | 9a4b44d95b0a0acf95ea674b5a99b8a7ffb4be0b6c5424dee719aef3013b2e26318dc52fbb8764759ee04946aaef242b7e765d6159f7d8cd7436409eeffa9173 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 72f847fe22996ba89196c5c56146020c |
| SHA1 | debac46dc182ab95556ddb7f7b0dcfe6199e8396 |
| SHA256 | 12e7906888cadc68def9f97e82ab5ba331be6abc7342071cc76e8c378d088790 |
| SHA512 | 7748134b7dd8a873c56da8ee9d67f638851c5a57065e58eee12b198829322e03e984773ccffd731ee550cecfcda2e819f457978d4aca4ee5c5930ecb4e226fd6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d
| MD5 | b168c512b43b8a44ff245adebe698224 |
| SHA1 | 1c2c68d95f3f0ceed70982339d27c0d0d53a1e39 |
| SHA256 | 13af56496b21a1d7f375f049cd81d517a2b770fc0f4b4de4fc9122ec6a7338e6 |
| SHA512 | 66728a9e0339513faa1038b9ce5e679e0247c0e47619bcfadfa0cb4edce44d96fe133335a962829dbd5965d16ada8b7bb34a3c7ce9ca64c884f8451917a714d3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f
| MD5 | e92faff58b6be9dba9bc283c4f4c8513 |
| SHA1 | 49588273a413dffd248cd35dd191189ed2c2343c |
| SHA256 | 8c6c6736f4650f9bf7af6fe14128a3d173816f3dee2e02c5552240c04852b691 |
| SHA512 | 52ddb77b600f519eed2343d528b9c9bc03585c82edaa91c63e8850d19be23c2f645bc8faea19c3d75ccffb30e4e69a3605883106fb1783346a8883465051643e |
C:\Users\Admin\Downloads\Unconfirmed 496130.crdownload
| MD5 | 048ea3233e0e7611ab414684583c1421 |
| SHA1 | 026e20baca271cbfea44fa2ce6f3e405ca5d263d |
| SHA256 | b548f01428cb26a5870602e8018adbce814dd2ed53a6b1f74c3b3b7bf23fa965 |
| SHA512 | 7ced1bb205695c9ed1556f597682ffd74c6207a48961668d2f2e1e2eca84929297a9321e6cc3112d8af1078edc7c9e54b1ff5a2657fbbc45df52e7baaa3565c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1107411adbf75ef9d14a61552a8597a9 |
| SHA1 | d84bfcaf1e3afa7b1be549e3569a85e24fabb50a |
| SHA256 | 9c07e0c8e04590a50e8df8c6b230dc081f6ec8fed112a6a6e60dac66b4fe1f2f |
| SHA512 | 6f26baa04b8809ff1e06fc70fa1cfd0c1114d95aee9270a67addd43f3a05dc154d9caef8246a581d04c29013be0176dad5582cd4478a1745ba98385d51f13478 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 93757993b581b0c1329ea6a80245da32 |
| SHA1 | 909275c839b0864b30c675bf39a48c0cb561647f |
| SHA256 | 4cdc288e517ecb8dbb72dd3a33b38fc30b698d75e39ae74d4f55a4fa5ab79ee9 |
| SHA512 | 4e3e0cdb36bceedabf6896be554ac15f810ca3d18a59cb37cdc8e6c460d446a0fe6e717a2ced37b194b47c5715434ae6b8dc7ff5acd8fbf1e86f742310f67a83 |