Malware Analysis Report

2025-01-02 13:36

Sample ID 241204-x3662sspbq
Target RIP_YOUR_PC_LOL.exe
SHA256 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Tags
blackmoon nanocore njrat asyncrat azorult dcrat fickerstealer gh0strat hawkeye oski pony purplefox raccoon redline xmrig 5781468cedb3a203003fdf1f12e72fe98d6f1c0f @zhilsholi default mediaget banker collection credential_access defense_evasion discovery evasion infostealer keylogger miner persistence privilege_escalation rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a

Threat Level: Known bad

The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.

Malicious Activity Summary

Raccoon

Nanocore family

PurpleFox

AsyncRat

RedLine

Oski family

Detect PurpleFox Rootkit

Oski

HawkEye

Detect Blackmoon payload

xmrig

Process spawned unexpected child process

Redline family

Dcrat family

Raccoon family

Fickerstealer family

Gh0strat family

Hawkeye family

njRAT/Bladabindi

Xmrig family

Blackmoon, KrBanker

DcRat

Raccoon Stealer V1 payload

Fickerstealer

Blackmoon family

Gh0st RAT payload

Pony family

NanoCore

Gh0strat

Asyncrat family

Azorult family

UAC bypass

Njrat family

Azorult

Pony,Fareit

Purplefox family

Detected Nirsoft tools

Async RAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

DCRat payload

NirSoft WebBrowserPassView

XMRig Miner payload

NirSoft MailPassView

Downloads MZ/PE file

Sets service image path in registry

Drops file in Drivers directory

Server Software Component: Terminal Services DLL

Modifies Windows Firewall

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Drops startup file

Impair Defenses: Safe Mode Boot

Unsecured Credentials: Credentials In Files

Uses the VBS compiler for execution

Unexpected DNS network traffic destination

Executes dropped EXE

Enumerates connected drives

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Checks whether UAC is enabled

Maps connected drives based on registry

Accesses Microsoft Outlook profiles

Indicator Removal: File Deletion

UPX packed file

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Windows directory

Program crash

Browser Information Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious behavior: EnumeratesProcesses

NTFS ADS

outlook_win_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Runs ping.exe

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-04 19:23

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Nanocore family

nanocore

Njrat family

njrat

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 19:23

Reported

2024-12-04 19:29

Platform

win11-20241007-en

Max time kernel

97s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Azorult

trojan infostealer azorult

Azorult family

azorult

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Fickerstealer

infostealer fickerstealer

Fickerstealer family

fickerstealer

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Njrat family

njrat

Oski

infostealer oski

Oski family

oski

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (11 identical rows)

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Raccoon family

raccoon

RedLine

infostealer redline

Redline family

redline

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\KBDTAJIK\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\KBDTAJIK\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\KBDTAJIK\conhost.exe N/A

Xmrig family

xmrig

njRAT/Bladabindi

trojan njrat

xmrig

miner xmrig

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\a.exe N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A
File created C:\Windows\system32\drivers\hitmanpro37.sys C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
File opened for modification C:\Windows\system32\drivers\hitmanpro37.sys C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240616453.txt" C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\a.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gay.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
N/A N/A C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
N/A N/A C:\Windows\System32\KBDTAJIK\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
N/A N/A C:\Windows\Help\Winlogon.exe N/A
N/A N/A C:\Windows\Cursors\WUDFhosts.exe N/A
N/A N/A C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitmanpro37.sys C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 185.228.168.9 N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\tracing\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "\"C:\\PerfLogs\\a.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Recovery\\WindowsRE\\chrome.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Monitor = "C:\\Program Files (x86)\\DPI Monitor\\dpimon.exe" C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXPlatforn = "\"C:\\ProgramData\\Desktop\\TXPlatforn.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .." C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\___11.19 = "\"C:\\Users\\Admin\\AppData\\Roaming\\pidloc\\___11.19.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ö÷¶¯·ÀÓù·þÎñÄ£¿é = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\ExperienceExtensions\\SearchHost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Start Menu\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\KBDTAJIK\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ö÷¶¯·ÀÓù·þÎñÄ£¿é = "\"C:\\Recovery\\WindowsRE\\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe\"" C:\Users\Admin\AppData\Roaming\3.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\KBDTAJIK\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\KBDTAJIK\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\System32\KBDTAJIK\conhost.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\SysWOW64\240616453.txt C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\System32\KBDTAJIK\conhost.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\System32\KBDTAJIK\088424020bedd6b28ac7fd22ee35dcd7322895ce C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (13 identical rows)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
File created C:\Program Files (x86)\DPI Monitor\dpimon.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A
File opened for modification C:\Program Files (x86)\DPI Monitor\dpimon.exe C:\Users\Admin\AppData\Roaming\Opus.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Winlogon.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Cursors\KillProcc.sys C:\Users\Admin\AppData\Roaming\22.exe N/A
File opened for modification C:\Windows\Cursors\TrustedInsteller.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ExperienceExtensions\SearchHost.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ExperienceExtensions\cfa885d449487c00023eaee43254d4b7ac0b9e42 C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\Help\active_desktop_render.dll C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\Cursors\WUDFhosts.exe C:\Users\Admin\AppData\Roaming\22.exe N/A
File created C:\Windows\rescache\_merged\37519308\a.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Windows\tracing\conhost.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\tracing\088424020bedd6b28ac7fd22ee35dcd7322895ce C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\Help\active_desktop_render_New.dll C:\Windows\SysWOW64\svchost.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\HitmanPro_x64.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (12 identical rows)
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (12 identical rows)
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A (12 identical rows)
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Help\Winlogon.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\HD____11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\healastounding.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\gay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\TXPlatforn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\ C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778138750070952" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob omitted) C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob omitted) C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\HitmanPro_x64.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\___11.19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Pluto Panel.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Opus.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\KBDTAJIK\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\mediaget.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A
N/A N/A C:\Users\Admin\Downloads\HitmanPro_x64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\healastounding.exe
PID 4308 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\healastounding.exe
PID 4308 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\healastounding.exe
PID 4308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 4308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 4308 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
PID 4308 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 4308 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 4308 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 4308 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 4308 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 4308 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\22.exe
PID 3876 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 3876 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 3876 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\test.exe
PID 3876 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 3876 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 3876 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\gay.exe
PID 3876 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 3876 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 3876 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\Opus.exe
PID 3876 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 3876 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 3876 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\aaa.exe
PID 3876 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
PID 3876 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
PID 3876 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
PID 3876 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3876 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3876 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3876 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\a.exe
PID 3876 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\a.exe
PID 3876 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Roaming\healastounding.exe C:\Users\Admin\AppData\Roaming\a.exe
PID 2580 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\22.exe C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\22.exe C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\22.exe C:\Windows\SysWOW64\netsh.exe
PID 2344 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\Opus.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\Opus.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\Opus.exe C:\Windows\SysWOW64\schtasks.exe
PID 4308 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 4308 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 4308 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe C:\Users\Admin\AppData\Roaming\___11.19.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 3432 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
PID 4720 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4720 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4720 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Roaming\___11.19.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\KBDTAJIK\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\KBDTAJIK\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Roaming\3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\KBDTAJIK\conhost.exe N/A

Uses Task Scheduler COM API

persistence

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\aaa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe

"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\AppData\Roaming\healastounding.exe

"C:\Users\Admin\AppData\Roaming\healastounding.exe"

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Roaming\22.exe

"C:\Users\Admin\AppData\Roaming\22.exe"

C:\Users\Admin\AppData\Roaming\test.exe

"C:\Users\Admin\AppData\Roaming\test.exe"

C:\Users\Admin\AppData\Roaming\gay.exe

"C:\Users\Admin\AppData\Roaming\gay.exe"

C:\Users\Admin\AppData\Roaming\Opus.exe

"C:\Users\Admin\AppData\Roaming\Opus.exe"

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Users\Admin\AppData\Roaming\4.exe

"C:\Users\Admin\AppData\Roaming\4.exe"

C:\Users\Admin\AppData\Roaming\a.exe

"C:\Users\Admin\AppData\Roaming\a.exe"

C:\Users\Admin\AppData\Roaming\___11.19.exe

"C:\Users\Admin\AppData\Roaming\___11.19.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add policy name=Block

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp"

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\\svchost.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul

C:\Users\Admin\AppData\Local\Temp\svchos.exe

C:\Users\Admin\AppData\Local\Temp\\svchos.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8648.tmp"

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240616453.txt",MainThread

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filterlist name=Filter1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe4263cc40,0x7ffe4263cc4c,0x7ffe4263cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:8

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dllhost.exe'" /rl HIGHEST /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4476 /prefetch:1

C:\Users\Admin\AppData\Roaming\mediaget.exe

"C:\Users\Admin\AppData\Roaming\mediaget.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\tracing\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TXPlatforn" /sc ONLOGON /tr "'C:\ProgramData\Desktop\TXPlatforn.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "___11.19" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pidloc\___11.19.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDTAJIK\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ExperienceExtensions\SearchHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\PerfLogs\a.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\chrome.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"

C:\Windows\System32\KBDTAJIK\conhost.exe

"C:\Windows\System32\KBDTAJIK\conhost.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3644,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:1

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP

C:\Users\Admin\AppData\Roaming\aaa.exe

"C:\Users\Admin\AppData\Roaming\aaa.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add filteraction name=FilteraAtion1 action=block

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240639593.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"

C:\Windows\SysWOW64\netsh.exe

netsh ipsec static set policy name=Block assign=y

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1376 -ip 1376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1180

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3148,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3156,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4404,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8

C:\Windows\Help\Winlogon.exe

C:\Windows\Help\Winlogon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3248,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4276 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\Cursors\WUDFhosts.exe

C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4996,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1580 -ip 1580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 480

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5340,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5712,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5700,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5844 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5992,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8

C:\Users\Admin\Downloads\HitmanPro_x64.exe

"C:\Users\Admin\Downloads\HitmanPro_x64.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4696,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6400 /prefetch:8

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=1668,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4240,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5864 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4904,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5612 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5988,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6400 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5828,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5980,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6400 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4660,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6684 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6976,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5752 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7092,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7088 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7112,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6816 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3244,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004DC

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5920,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5984,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6196 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6712,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6904 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5696,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6260 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=4936,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6204 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5964,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7140,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=7224,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7348 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6816,i,14463373679619969884,3584332416480578183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6928 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 104.26.12.205:80 api.ipify.org tcp
RU 80.87.192.115:80 tcp
US 107.178.223.183:81 yabynennet.xyz tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:443 whatismyipaddress.com tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
CN 59.56.110.231:8898 tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
GB 142.250.200.1:443 clients2.googleusercontent.com tcp
MD 194.180.174.53:80 tcp
US 99.83.230.36:443 hitmanpro.com tcp
US 99.83.230.36:443 hitmanpro.com tcp
RU 92.63.107.12:80 tcp
GB 184.28.198.99:443 www.hitmanpro.com tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 104.18.87.42:443 cdn.cookielaw.org tcp
US 104.16.242.229:443 pricingapi.cleverbridge.com tcp
GB 184.28.198.99:443 www.hitmanpro.com tcp
US 172.64.155.119:443 sophos-privacy.my.onetrust.com tcp
RU 92.63.107.12:80 tcp
MD 194.180.174.53:80 tcp
RU 80.87.192.115:80 tcp
N/A 224.0.0.251:5353 udp
US 104.18.32.137:443 sophos-privacy.my.onetrust.com tcp
HU 91.219.236.18:80 91.219.236.18 tcp
SG 45.77.45.115:80 pool.usa-138.com tcp
MD 194.180.174.41:80 tcp
CA 172.98.92.42:58491 tcp
GB 2.21.185.132:443 download.sophos.com tcp
GB 2.21.185.132:443 download.sophos.com tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
MD 194.180.174.41:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
HU 91.219.236.148:80 tcp
US 8.8.8.8:53 files.surfright.nl udp
NL 185.105.204.28:443 files.surfright.nl tcp
NL 52.174.35.5:80 scan.hitmanpro.com tcp
HU 91.219.236.148:80 tcp
RU 80.87.192.115:80 tcp
NL 149.154.167.99:443 t.me tcp
US 185.228.168.9:53 8.8.8.8.zen.spamhaus.org udp
NL 23.97.160.56:443 remnants.hitmanpro.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CA 172.98.92.42:58491 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
NL 23.97.160.56:443 hash.hitmanpro.com tcp
NL 52.174.35.5:443 scan.hitmanpro.com tcp
RU 80.87.192.115:80 tcp
NL 52.174.35.5:443 scan.hitmanpro.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
N/A 127.0.0.1:58491 tcp
N/A 127.0.0.1:58491 tcp
N/A 127.0.0.1:58491 tcp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
RU 80.87.192.115:80 tcp
CA 172.98.92.42:58491 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
US 8.8.8.8:53 kazya1.hopto.org udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
RU 80.87.192.115:80 tcp
CA 172.98.92.42:58491 tcp
GB 172.217.16.228:443 www.google.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
US 204.79.197.200:443 bing.com tcp
US 204.79.197.200:443 bing.com tcp
GB 88.221.135.24:443 th.bing.com tcp
GB 88.221.135.24:443 th.bing.com udp
GB 88.221.135.2:443 r.bing.com tcp
GB 88.221.135.2:443 r.bing.com tcp
GB 88.221.135.2:443 r.bing.com udp
US 8.8.8.8:53 2.135.221.88.in-addr.arpa udp
GB 95.101.143.130:443 assets.msn.com tcp
IE 40.126.31.67:443 login.microsoftonline.com tcp
US 13.107.21.237:443 www2.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
CA 172.98.92.42:58491 tcp
RU 80.87.192.115:80 tcp
US 152.199.21.175:443 aadcdn.msftauth.net tcp
IE 40.126.31.67:443 login.microsoftonline.com tcp
GB 88.221.135.25:443 th.bing.com udp
US 13.107.246.64:443 3pcookiecheck.azureedge.net tcp
US 172.67.138.224:443 www.thepcinsider.com tcp
US 172.67.138.224:443 www.thepcinsider.com tcp
US 172.67.138.224:443 www.thepcinsider.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
US 104.18.95.41:443 challenges.cloudflare.com tcp
US 172.67.138.224:443 www.thepcinsider.com tcp
US 172.67.138.224:443 www.thepcinsider.com tcp
US 8.8.8.8:53 40.169.217.172.in-addr.arpa udp
US 104.18.95.41:443 challenges.cloudflare.com udp
US 172.67.138.224:443 www.thepcinsider.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 172.217.169.34:443 googleads.g.doubleclick.net tcp
US 216.239.34.36:443 region1.google-analytics.com tcp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.46:443 fundingchoicesmessages.google.com udp
GB 142.250.200.46:443 fundingchoicesmessages.google.com udp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.2:443 ep1.adtrafficquality.google tcp
GB 172.217.169.1:443 ep2.adtrafficquality.google tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.169.1:443 ep2.adtrafficquality.google tcp
GB 142.250.179.226:443 partner.googleadservices.com tcp
GB 142.250.187.225:443 tpc.googlesyndication.com tcp
GB 142.250.187.225:443 tpc.googlesyndication.com tcp
GB 142.250.187.225:443 tpc.googlesyndication.com tcp
GB 142.250.187.225:443 tpc.googlesyndication.com tcp
GB 172.217.169.14:443 encrypted-tbn3.gstatic.com tcp
GB 142.250.187.225:443 tpc.googlesyndication.com udp
CA 172.98.92.42:58491 tcp
GB 172.217.169.1:443 ep2.adtrafficquality.google udp
GB 142.250.200.2:443 ep1.adtrafficquality.google udp
US 208.109.37.181:443 www.zemana.com tcp
US 208.109.37.181:443 www.zemana.com tcp
US 208.109.37.181:443 www.zemana.com tcp
US 208.109.37.181:443 www.zemana.com tcp
US 208.109.37.181:443 www.zemana.com tcp
US 208.109.37.181:443 www.zemana.com tcp
US 208.109.37.181:443 www.zemana.com tcp
US 208.109.37.181:443 www.zemana.com tcp
RU 80.87.192.115:80 tcp
US 18.189.252.148:443 redirect.prod.experiment.routing.cloudfront.aws.a2z.com tcp
US 18.172.183.161:443 a6a1ecd1999a410d17b0f86da3199e866.profile.yvr52-p1.cloudfront.net tcp
CO 179.13.1.253:8050 gfhhjgh.duckdns.org tcp
GB 172.217.169.34:443 googleads.g.doubleclick.net tcp
GB 142.250.200.2:443 ep1.adtrafficquality.google udp
GB 172.217.169.46:443 encrypted-tbn0.gstatic.com tcp
US 216.239.34.36:443 region1.google-analytics.com udp
US 104.20.141.25:443 my.emsisoft.com tcp
US 104.20.141.25:443 my.emsisoft.com tcp
RU 80.87.192.115:80 tcp
US 104.22.59.91:443 cdn-cookieyes.com tcp
GB 142.250.200.54:443 i.ytimg.com tcp
IE 52.212.126.15:443 log.cookieyes.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 15.126.212.52.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.179.234:443 content-autofill.googleapis.com udp

Files

memory/4308-0-0x0000000074FB1000-0x0000000074FB2000-memory.dmp

memory/4308-1-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/4308-2-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/4308-4-0x0000000074FB0000-0x0000000075561000-memory.dmp

C:\Users\Admin\AppData\Roaming\healastounding.exe

MD5 6fb798f1090448ce26299c2b35acf876
SHA1 451423d5690cffa02741d5da6e7c45bc08aefb55
SHA256 b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
SHA512 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

memory/3876-26-0x0000000074FB0000-0x0000000075561000-memory.dmp

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe

MD5 0fd7de5367376231a788872005d7ed4f
SHA1 658e4d5efb8b14661967be2183cc60e3e561b2b6
SHA256 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd
SHA512 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe

MD5 ed666bf7f4a0766fcec0e9c8074b089b
SHA1 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256 d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
SHA512 d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

C:\Users\Admin\AppData\Roaming\22.exe

MD5 dbf9daa1707b1037e28a6e0694b33a4b
SHA1 ddc1fcec1c25f2d97c372fffa247969aa6cd35ef
SHA256 a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6
SHA512 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd

C:\Users\Admin\AppData\Roaming\test.exe

MD5 7e50b292982932190179245c60c0b59b
SHA1 25cf641ddcdc818f32837db236a58060426b5571
SHA256 a8dde4e60db080dfc397d7e312e7e9f18d9c08d6088e8043feeae9ab32abdbb8
SHA512 c6d422d9fb115e1b6b085285b1d3ca46ed541e390895d702710e82a336f4de6cc5c9183f8e6ebe35475fcce6def8cc5ffa8ee4a61b38d7e80a9f40789688b885

memory/3964-53-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3964-52-0x0000000074FB0000-0x0000000075561000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opus.exe

MD5 759185ee3724d7563b709c888c696959
SHA1 7c166cc3cbfef08bb378bcf557b1f45396a22931
SHA256 9384798985672c356a8a41bf822443f8eb0d3747bfca148ce814594c1a894641
SHA512 ed754357b1b995de918af21fecd9d1464bdea6778f7ab450a34e3aae22ba7eebc02f2442af13774abfdf97954e419ec9e356b54506c7e3bf12e3b76ee882fa2c

C:\Users\Admin\AppData\Roaming\aaa.exe

MD5 860aa57fc3578f7037bb27fc79b2a62c
SHA1 a14008fe5e1eb88bf46266de3d5ee5db2e0a722b
SHA256 5430565c4534b482c7216a0ae75d04e201ee0db0386682c0c010243083c28d29
SHA512 6639b3e2594e554c7fa811f22e1c514474d34220155b4c989ad8716db1a0aea65894aa23d78c12a4618c57312da00353a77dd8e6c6bdd927bf865f2e98aff8f1

C:\Users\Admin\AppData\Roaming\___11.19.exe

MD5 a071727b72a8374ff79a695ecde32594
SHA1 b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc
SHA256 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745
SHA512 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400

C:\Users\Admin\AppData\Roaming\a.exe

MD5 52cfd35f337ca837d31df0a95ce2a55e
SHA1 88eb919fa2761f739f02a025e4f9bf1fd340b6ff
SHA256 5975e737584ddf2601c02e5918a79dad7531df0e13dca922f0525f66bec4b448
SHA512 b584282f6f5396c3bbed7835be67420aa14d11b9c42a88b0e3413a07a6164c22d6f50d845d05f48cb95d84fd9545d0b9e25e581324a08b3a95ced9f048d41d73

memory/3876-134-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3652-152-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1000-163-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Windows\SysWOW64\TXPlatforn.exe

MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

memory/1700-201-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Roaming\3.exe

MD5 748a4bea8c0624a4c7a69f67263e0839
SHA1 6955b7d516df38992ac6bff9d0b0f5df150df859
SHA256 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA512 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

memory/3216-229-0x00000000065E0000-0x000000000662C000-memory.dmp

memory/4204-234-0x00000000007B0000-0x0000000000844000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe

MD5 870d6e5aef6dea98ced388cce87bfbd4
SHA1 2d7eee096d38d3c2a8f12fcba0a44b4c4da33d54
SHA256 6d50833895b2e3eb9d6f879a6436660127c270b6a516cda0253e56a3d8b7fba0
SHA512 0d55ab28b2f80136af121b870b7503551d87bbeb2848cf9a32540006cac9a5e346d9fcce2bf1223a22927f72a147b81487533a10b91373d4fa4429d6159fd566

memory/4204-240-0x0000000002930000-0x000000000293A000-memory.dmp

memory/4204-239-0x0000000002920000-0x000000000292C000-memory.dmp

memory/4204-241-0x0000000002A60000-0x0000000002A6C000-memory.dmp

memory/1700-228-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe

MD5 78d40b12ffc837843fbf4de2164002f6
SHA1 985bdffa69bb915831cd6b81783aef3ae4418f53
SHA256 308a15dabdc4ce6b96dd54954a351d304f1fcb59e8c93221ba1c412bcdfd1c44
SHA512 c6575e1771d37ded4089d963bea95deac78b329ed555c991d7c559ee1970dd0887a965e88c09981529adc9c25df5cfd3d57e3dce6724da1f01f1198f0f460b79

memory/3216-219-0x0000000006560000-0x000000000659C000-memory.dmp

C:\Windows\SysWOW64\240616453.txt

MD5 fd1bd75813d5e067ff434b80497a2494
SHA1 3731707e8f9e4b5eff3e5bd123a5226c289da738
SHA256 69a731c6c4df323d45ac979d0c2c4734a474267130927fa1ba9d84e184c5c078
SHA512 da06b2a84726ffb2e335b3ef366a0adeb927dfa11e7166109a5a70ba4eb523c1ad56f8edb205da7fcee700e690ff82451ce08b3e04e8a3498a6b34305328dc92

memory/3216-196-0x0000000006450000-0x000000000655A000-memory.dmp

memory/3216-195-0x0000000006430000-0x0000000006442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp

MD5 28219e12dd6c55676bdf791833067e9d
SHA1 a4c854d929404e5073d16610c62dfa331c9727a0
SHA256 d3035bd90ad0e9fedeecb44da09e78421b5e6e1e0bbed1afc624750043355540
SHA512 e8c118063052002745c503b8fd0decfecf38f31e71e4dbdedc79bb8e91d443d65a33e7d983d4c0e1d6ee1eb9045100c2324b941b3bef00e69d4d91eb7d6d0161

C:\Users\Admin\AppData\Local\Temp\svchos.exe

MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

memory/3216-184-0x0000000005DC0000-0x00000000063D8000-memory.dmp

memory/1468-180-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1468-178-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1468-181-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3216-176-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/3216-173-0x0000000000400000-0x00000000007C2000-memory.dmp

memory/1000-162-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1000-160-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4308-157-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3652-155-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3216-141-0x0000000000400000-0x00000000007C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\HD____11.19.exe

MD5 b14120b6701d42147208ebf264ad9981
SHA1 f3cff7ac8e6c1671d2c3387648e54f80957196de
SHA256 d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97
SHA512 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b

C:\ProgramData\kaosdma.txt

MD5 2c807857a435aa8554d595bd14ed35d1
SHA1 9003a73beceab3d1b1cd65614347c33117041a95
SHA256 3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512 95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

memory/4204-243-0x0000000002A90000-0x0000000002A9C000-memory.dmp

C:\Users\Admin\AppData\Roaming\4.exe

MD5 e6dace3f577ac7a6f9747b4a0956c8d7
SHA1 86c71169025b822a8dfba679ea981035ce1abfd1
SHA256 8b4b846fe1023fa173ab410e3a5862a4c09f16534e14926878e387092e7ffb63
SHA512 1c8554d3d9a1b1509ba1df569ede3fb7a081bef84394c708c4f1a2fb8779f012c74fbf6de085514e0c8debb5079cc23c6c6112b95bf2f0ab6a8f0bd156a3e268

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe

MD5 8f1c8b40c7be588389a8d382040b23bb
SHA1 bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a
SHA256 ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1
SHA512 9192b6f2f8320a728c445f9cd6e6d66495ad0ebebd7ff193dc09ee8ae57b3933c1b75dc208e7d638db273cb9d31b4ca24ee7bfd9729ff0cdbf432d72bb322b1f

memory/2460-111-0x00000000003F0000-0x0000000000402000-memory.dmp

C:\Users\Admin\AppData\Roaming\gay.exe

MD5 8eedc01c11b251481dec59e5308dccc3
SHA1 24bf069e9f2a1f12aefa391674ed82059386b0aa
SHA256 0184983a425fef55d46b7e0eb729a245730ee26414ebe4b155917c0124a19c2d
SHA512 52388313b21f14aa69c8b37e0fe0b73f66aa92f08651a16c820aae65d341dc1af6b48f3c8d4f657ac990eeaf4b9a01ae769bca4d3625550011708697d22b69cc

memory/2580-65-0x0000000000400000-0x0000000000625000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8648.tmp

MD5 fb16df60656546f3eed87417838a3342
SHA1 5c8cd1b4fdd2fa57a31fe30a65e332c30a20b4bc
SHA256 ca607854bb6d7a457f80fdadeaf62a5471a71824defc531136c4b8a8452af426
SHA512 2a56a040dee5c375ef8bdffa7c4f3f0a379bcc387655201f744e8fc99e57a6ed3afdbb92f63b783e8d4354e62908c80e8e7aac1636748a117e1507f2ec0f35e8

memory/4792-254-0x0000000000400000-0x00000000019AA000-memory.dmp

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

MD5 22bb5bd901d8b25ac5b41edbb7d5053e
SHA1 8a935dd8d7e104fc553ff7e8b54a404f7b079334
SHA256 8dcaeeebef9b9f3d41d295db145ffb3850f309d089c08125c7fa7034db5fd80e
SHA512 cc3fb68fd6791a08e4a7d1a8db8d07cfcc8c9b9dceec10b53f0cb7ee86473303a19be4f23e379f84c59e02d0568e7c066e21cd1300f6032dac4ba52f609f62e7

memory/4792-304-0x00000000061A0000-0x0000000006562000-memory.dmp

memory/4792-306-0x00000000061A0000-0x0000000006562000-memory.dmp

memory/4792-315-0x00000000061A0000-0x0000000006562000-memory.dmp

memory/4792-326-0x00000000061A0000-0x0000000006562000-memory.dmp

memory/4792-323-0x00000000061A0000-0x0000000006562000-memory.dmp

memory/4792-319-0x00000000061A0000-0x0000000006562000-memory.dmp

memory/4792-312-0x00000000061A0000-0x0000000006562000-memory.dmp

memory/4792-309-0x00000000061A0000-0x0000000006562000-memory.dmp

\??\pipe\crashpad_5112_FECXNQEIDECWBFJW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3652-342-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3964-345-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3964-354-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/1372-357-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1372-356-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1372-355-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3.exe.log

MD5 ef46129aa52eb53b42a33a6cae6021f2
SHA1 809c987b65cf51a75563f14f179c2e5adbb4db58
SHA256 602ab1dff04cdfee5dbd495e7ed729623437676c186f7e217ddafc8dcfd0617d
SHA512 bdfc36e5e54453173e9943e7c5eaeab30b421e9ca600aa0dbc03fcf46c8ab7651a912f8014bd78d31355aa2dd029232f586b7d5e01de16cdd5d597032460496d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4792-376-0x0000000000400000-0x00000000019AA000-memory.dmp

memory/3420-392-0x0000000000400000-0x0000000000495000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a57c74bc3131cbe65824ba229bf517fd
SHA1 147acecdea0acb52544c1403b0ae6b3c52d209e4
SHA256 2243df7f499a19b5d9d338f773914fe9bef26432ea6f63d56b7c7f33cfc67a50
SHA512 5818f5d1c280c65aced9e286c4b8c2dc511636e29624850fbf2a4ba3d4c758ddf7be220c1134208ddb2cc38779f0d8c2003d7a4a4167fda75898aabbb1d6bfce

memory/3420-390-0x0000000000400000-0x0000000000495000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2e083adeb2a56dae1d1c25c3d3135bcd
SHA1 fe947bb6f2b8faf205e872d908e7aedce94404d4
SHA256 69ddd59666463e8d0caa24ba2ddbe4713638972d975dc93435e5c7d5b1df5d42
SHA512 e2cf96c49fddea4983e41b2886a8bf174979251bfd306014cdcaf8294e99960478646b85314bb32fc3a60b3b1b69764553773e550aeb024044ef9f1e2ab49b2e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f0ce9f283892061c75752a2b75df367b
SHA1 73c50e0d2995cd3958e5f7e1ed9bc8d556344b9e
SHA256 a6011b26481d457f5908c3644423ad1b6bd0003b4c44dec346f33ca43431c392
SHA512 6b145af4d9d84bb5775517ea73bf476f189fa02e3d5d44c6228cc2c2e11fc1f4526df7b3acc39f2f21244df6d89ad6080351da1d9ceb0c522605b0a83367eac6

memory/2640-426-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2640-430-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2640-429-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3540-449-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3540-448-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fa664fda7f7eb57170b77c19c17d8712
SHA1 9d46b91973d13579156a94569e66fae4543961ae
SHA256 16360e8664e75ba7ecbb75623b853fce6e3646b387b8285f6349df3c500e5750
SHA512 3f852b0a207986b487679dc6a38c9bfed0920213e15d7886aee4e39dcb0e3c242b4cd89d30d2bf482659136a039f3e31c4eccf9f1bc86ec8e3d69a361a511ce2

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3540-469-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1752-471-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1752-472-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1752-474-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir5112_2060521537\c3ba5117-010e-4a18-8db9-2f88b6f7c0d2.tmp

MD5 3f6f93c3dccd4a91c4eb25c7f6feb1c1
SHA1 9b73f46adfa1f4464929b408407e73d4535c6827
SHA256 19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e
SHA512 d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

memory/4352-607-0x00007FF6B1FB0000-0x00007FF6B2530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir5112_2060521537\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 54dd967f4e7984a2ca5bc86eee9b6ccf
SHA1 a1b6823da89c1c1979266f220b035a9a5afe324e
SHA256 6a2fca39e34c1bd6b9448e7afe0282f27b83c0d0ea9f6ef533752931d7baf7bb
SHA512 827e0dbe8eee519b9036d4dc62b19b96ad38419ef052598ad33513a47843aa1000bcd15bc8299b6c2e383b4a6b3bba0e9429823a1128795458b441f74f7acf90

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2a8bfbc26cb8cbc9dcfc244b60427d51
SHA1 eac446ed69cda8be43bc738e96d3619e56ca6b59
SHA256 8bd7ed17fa6f146b17942db528020efc9652a88bf95750e27df18ded30485b62
SHA512 e65a256f72cd3b3608dc6fea85af6964429ec1d550c7607cb919a458d3bc04fbc8653fded28367521968af61466963dbaf734c814eb27976d0d763b75e51b096

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 077208066549b16288cb803930e2ffdc
SHA1 a5d67117b397775d87fefdc9a45db831a45705bc
SHA256 83e974a8ef52ee1a4b166da740bf1c2ea343dd63b5e641ff8d927e55e2df1912
SHA512 d293fc506d1f6451349e025a07f7d1908b0f83cd562045a2e3e997e7df79dc7f7bcf34953f20fcc836dee1f8606e4f6f0d8683b23f4d3127300e9cad4334af74

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d4a30166078301353baa70d29c4cf57a
SHA1 4f6e90b95c5d7c7759e992eb65a008f0f2f5307a
SHA256 2c62e914c7a13d5aabbf5bc9d1ee9d412f95429fc76309488c5bff3d3e7043cb
SHA512 bb2b41a9ff6864a2d5f63760672aaf907d2a05d53932746dd4a2e1306fe69f55c5dc6363de6fb55c95e84c9801e4cfcdcc1a7e971f45464f3be7489fecc4ab4b

memory/4352-948-0x00007FF6B1FB0000-0x00007FF6B2530000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8b157af1cbd675041866e762d853decc
SHA1 2b0c3e6fa06f6d4c7fbddc1621fb26fcbe846f64
SHA256 b74172444ef57ab52a7afb1be170065c8c742bf80b0ba5b77e5f25cd3a964fc6
SHA512 e412940cfadb6a09d999dd4951a2bf3e391b5de2baeab1f3557775ab8b1c5d03a8b30438966168c3b2926f24493c03d8c5fdd1d8e15760ec3b63f9fac8131c7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dc4b4b5d4ce53c45c29909aec272d3f1
SHA1 c4794803f479ff58c56df59d4fd33372cbacfdb3
SHA256 3504c17f959dd99af0d54d940b3a77a1e95664659f88d2b6eae762a66685be11
SHA512 90edfde4b08192cb455009f44fe5df95479145f5c34803faccc150fcba3e00be06d0acbdea487f729df680a26891ad8e3ae07fd916cf27d12d2aebf584b4a022

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 d8971249419d782c10f861a105604903
SHA1 eb4221f2028adbc4c7769956ddb12190fc93f684
SHA256 6c05d12024bb0174d735e2ece97fb46b75f8da6222d63f8e63135a2c850f8a7f
SHA512 8969eeeca6ce01cf74f0d5c1be7f70ecd8a560ea5f804dc93fd550df4082b9fffe73485481ab87379260e79a6514b39cecbb424821a78130b1000a5fd61c2d25

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 bd8ff78b7c138bae4e3b1fb97b832288
SHA1 560e60a14986b8a6b83b8c6ab68a9796d74cec6a
SHA256 fafbc698b506e009ba665191b1e4d9690c16779d8a5c421b18222ad706b4e0d1
SHA512 61668dec342b73ede086648a4edf33d3f291226b6525b55eb3224b11bca2d64c5bcbbb63483e93ad3bcb4d30ad7c51bfdf4bad8064839261196aa5ff09d4db5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 450bdbb3139c8bbbe3d6101d6e53d770
SHA1 049b63276b203d393fa093858b6cd6e43c1733f6
SHA256 b2b436dcd66ecced895acc96068213c14b8fc769407e311e384113f709e15c6f
SHA512 d6fefa7bb81b37a146c12fbabda2824ce4889a3795c8905b8523eb24b142f21710fa1bc8486aa54da9575ff38eb0720d9f77f9ba3375e213d8065e8f75008ac3

C:\Windows\System32\drivers\hitmanpro37.sys

MD5 55b9678f6281ff7cb41b8994dabf9e67
SHA1 95a6a9742b4279a5a81bef3f6e994e22493bbf9f
SHA256 eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6
SHA512 d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d15b78df2b47fe84fc0b8dc0c7315e6f
SHA1 ade4de85f7029b54c244a26bec3aedd3464be4d0
SHA256 18e63065c84fca954b5809ecf533cd1bc1e34e3c2029cf126d7d62b815cea8f6
SHA512 297795943206d7a7dd584cf807d4e4014f645d68ac82e12b5d29f373cc2f63f488a935c7407169aa329f2e4f2b2d55fe3a286dbc06dfcdeba0bf2767f299e598

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dcbd4bda8938d5b4d0b271de2353f818
SHA1 ca6418a27aabe47fc30926efaf14cd23363761c4
SHA256 074f3001dde4961b5edc64b6d04767cef264e6b2d1823e96427936f4fdf8b871
SHA512 f07b553dba2eb6515b5d0edfeb7ca98ef12ae996679d5b3ff0c90105bcb19d2f81b555ed95978e99c1ad59f03302299f1ca6d69b1645f199505ce5c36b89d5a5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\03f7f231-f5ab-4cdd-b706-44165166f8e4.tmp

MD5 8e2bc0a0c087a98304fefa8c5bba0302
SHA1 d06a8488429fb9f5cb29aed52a75642c520ab989
SHA256 e032e60e362b0bf8e55471b1ca7b999d34fedc2a3d2fc48e445978617b405875
SHA512 1c2e59f71485ef5c88b48c539c79eff8caca88138320bd078d80f3ddfec91fb437fbd34cbd943f6917885eb0370147a8ecc2c0d18a2c7aff7f5d2cdab95a013e
