File name:

HitmanPro.Alert.3.7.10.Build.789.zip

Full analysis: https://app.any.run/tasks/59151bcb-6211-454b-b25f-32857e316520
Verdict: Malicious activity
Analysis date: September 18, 2019, 16:40:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

AE13C1E1D49A4F2A6603C99B1805B19D

SHA1:

38F656555CC2C82804C4F916AC016508667FA46E

SHA256:

DEB3DAA2AFBD18A1BADB9416AE246A6780CA7C5E6981FC849C3AA5D943D9D470

SSDEEP:

49152:nkl0MZNn4cLPLSxU5AJMvGg7Sck8C2SJyjAHNJEhdDqRH13TVG+fltIMS3b2bukv:n80M/n4lWQgGWAsHD03RGyl+Nqbd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2512)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
      • hmpalert3.exe (PID: 3500)
      • hmpalert3.exe (PID: 2368)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 3932)
      • hmpalert.exe (PID: 2880)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
      • hmpalert.exe (PID: 2340)
      • hmpalert.exe (PID: 2736)
      • hmpalert.exe (PID: 3588)
      • hmpalert.exe (PID: 3960)
    • Loads dropped or rewritten executable

      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3696)
      • WinRAR.exe (PID: 3492)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
      • hmpalert3.exe (PID: 3500)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
    • Creates files in the program directory

      • hmpalert3.exe (PID: 3500)
      • hmpalert.exe (PID: 2880)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
    • Creates files in the driver directory

      • hmpalert3.exe (PID: 3500)
    • Creates a software uninstall entry

      • hmpalert3.exe (PID: 3500)
      • hmpalert.exe (PID: 2880)
      • hmpalert.exe (PID: 3960)
    • Creates files in the Windows directory

      • hmpalert3.exe (PID: 3500)
    • Creates or modifies windows services

      • hmpalert3.exe (PID: 3500)
    • Executed as Windows Service

      • hmpalert.exe (PID: 2880)
      • hmpalert.exe (PID: 3960)
    • Reads internet explorer settings

      • mmc.exe (PID: 2552)
      • mmc.exe (PID: 3184)
    • Application launched itself

      • hmpalert.exe (PID: 2880)
      • taskmgr.exe (PID: 3988)
      • hmpalert.exe (PID: 2340)
      • hmpalert3.exe (PID: 2368)
  • INFO

    • Manual execution by user

      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2512)
      • WinRAR.exe (PID: 3492)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2940)
      • hmpalert3.exe (PID: 2368)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 2432)
      • hitmanpro.alert.v3.7.0.717-patch.exe (PID: 3932)
      • taskmgr.exe (PID: 3988)
      • mmc.exe (PID: 3008)
      • mmc.exe (PID: 2552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:09:06 21:08:23
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: HitmanPro.Alert 3.7.10 Build 789 Multilingual/
No data.
All screenshots are available in the full report
Total processes
70
Monitored processes
19
Malicious processes
7
Suspicious processes
0

Behavior graph

Graph nodes, in the order the report lists them ("no specs" is the report's own label for a node without detailed specifics):
  • start
  • winrar.exe
  • winrar.exe
  • hitmanpro.alert.v3.7.0.717-patch.exe (no specs)
  • hitmanpro.alert.v3.7.0.717-patch.exe
  • hmpalert3.exe (no specs)
  • hmpalert3.exe
  • hmpalert.exe
  • hmpalert.exe
  • hitmanpro.alert.v3.7.0.717-patch.exe (no specs)
  • hitmanpro.alert.v3.7.0.717-patch.exe
  • mmc.exe (no specs)
  • mmc.exe
  • hmpalert.exe (no specs)
  • taskmgr.exe (no specs)
  • mmc.exe (no specs)
  • mmc.exe
  • taskmgr.exe
  • hmpalert.exe
  • hmpalert.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1860
CMD:
"C:\Windows\system32\taskmgr.exe" /1
Path:
C:\Windows\system32\taskmgr.exe
Parent process:
taskmgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
2340
CMD:
"C:\Program Files\HitmanPro.Alert\hmpalert.exe" /tray
Path:
C:\Program Files\HitmanPro.Alert\hmpalert.exe
Parent process:
hmpalert.exe
User:
admin
Company:
SurfRight B.V.
Integrity Level:
MEDIUM
Description:
HitmanPro.Alert
Exit code:
1
Version:
3.7.10.789
Modules
Images
c:\program files\hitmanpro.alert\hmpalert.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\fltlib.dll
PID:
2368
CMD:
"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe"
Path:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe
Parent process:
explorer.exe
User:
admin
Company:
SurfRight B.V.
Integrity Level:
MEDIUM
Description:
HitmanPro.Alert
Exit code:
1
Version:
3.7.10.789
Modules
Images
c:\users\admin\desktop\hitmanpro.alert 3.7.10 build 789 multilingual\hmpalert3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\fltlib.dll
PID:
2432
CMD:
"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe"
Path:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\hitmanpro.alert 3.7.10 build 789 multilingual\hitmanpro.alert.v3.7.0.717-patch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
2468
CMD:
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Path:
C:\Windows\system32\mmc.exe
Parent process:
taskmgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
PID:
2512
CMD:
"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe"
Path:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\hitmanpro.alert 3.7.10 build 789 multilingual\hitmanpro.alert.v3.7.0.717-patch.exe
c:\systemroot\system32\ntdll.dll
PID:
2552
CMD:
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
Path:
C:\Windows\system32\mmc.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mfc42u.dll
PID:
2736
CMD:
"C:\Program Files\HitmanPro.Alert\hmpalert.exe"
Path:
C:\Program Files\HitmanPro.Alert\hmpalert.exe
Parent process:
hmpalert.exe
User:
admin
Company:
SurfRight B.V.
Integrity Level:
MEDIUM
Description:
HitmanPro.Alert
Exit code:
0
Version:
3.7.10.789
Modules
Images
c:\program files\hitmanpro.alert\hmpalert.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\fltlib.dll
PID:
2880
CMD:
"C:\Program Files\HitmanPro.Alert\hmpalert.exe" /service
Path:
C:\Program Files\HitmanPro.Alert\hmpalert.exe
Parent process:
services.exe
User:
SYSTEM
Company:
SurfRight B.V.
Integrity Level:
SYSTEM
Description:
HitmanPro.Alert
Exit code:
1
Version:
3.7.10.789
Modules
Images
c:\program files\hitmanpro.alert\hmpalert.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\fltlib.dll
PID:
2940
CMD:
"C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe"
Path:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\hitmanpro.alert 3.7.10 build 789 multilingual\hitmanpro.alert.v3.7.0.717-patch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
2 218
Read events
1 979
Write events
236
Delete events
3

Modification events

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtBMP
Value:

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:
write
Name:
ShellExtIcon
Value:

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:
write
Name:
LanguageList
Value:
en-US

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\HitmanPro.Alert.3.7.10.Build.789.zip

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:
write
Name:
0
Value:
C:\Users\admin\Desktop

(PID) Process:
(3696) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:
write
Name:
Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF43FFFFFFAE00000003030000A3020000
Executable files
7
Suspicious files
7
Text files
10
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID:
2880
Process:
hmpalert.exe
Filename:
C:\ProgramData\HitmanPro.Alert\excalibur.db-journal

PID:
2340
Process:
hmpalert.exe
Filename:
C:\Users\admin\AppData\Local\Temp\hmpalert.bf

PID:
3492
Process:
WinRAR.exe
Filename:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\README.TXT
Type:
text

PID:
3696
Process:
WinRAR.exe
Filename:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe
Type:
executable

PID:
3500
Process:
hmpalert3.exe
Filename:
C:\Program Files\HitmanPro.Alert\hmpalert.exe
Type:
executable

PID:
3696
Process:
WinRAR.exe
Filename:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\Patch.zip
Type:
compressed

PID:
3492
Process:
WinRAR.exe
Filename:
C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hitmanpro.alert.v3.7.0.717-patch.exe
Type:
executable

PID:
2880
Process:
hmpalert.exe
Filename:
C:\ProgramData\HitmanPro.Alert\excalibur.db-shm
Type:
binary

PID:
2940
Process:
hitmanpro.alert.v3.7.0.717-patch.exe
Filename:
C:\Users\admin\AppData\Local\Temp\XNX678.tmp
Type:
executable

PID:
2340
Process:
hmpalert.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\hmpalert-blm1[1].bf
Type:
binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2880
hmpalert.exe
POST
200
40.71.250.191:80
http://activate.hitmanpro.nl/activaterequest.aspx
US
suspicious
2340
hmpalert.exe
GET
304
185.105.204.28:80
http://updates.hitmanpro.com/hmpalert789.exe?f0a9340f09f2cb58c5b7f0ce694376520ac5d0b36b8072e080c66cfa92c4f18d
NL
binary
7.76 Kb
suspicious
2880
hmpalert.exe
POST
200
40.71.250.191:80
http://activate.hitmanpro.nl/activaterequest.aspx
US
text
1.50 Kb
suspicious
2880
hmpalert.exe
POST
200
40.71.250.191:80
http://activate.hitmanpro.nl/activaterequest.aspx
US
text
428 b
suspicious
2340
hmpalert.exe
GET
200
185.105.204.28:80
http://updates.hitmanpro.com/hmpalert-blm1.bf
NL
binary
7.76 Kb
suspicious
2880
hmpalert.exe
POST
200
40.71.250.191:80
http://activate.hitmanpro.nl/activaterequest.aspx
US
suspicious
2340
hmpalert.exe
POST
200
23.97.160.56:80
http://alert.hitmanpro.com/report.ashx
NL
text
29 b
suspicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2340
hmpalert.exe
23.97.160.56:80
alert.hitmanpro.com
Microsoft Corporation
NL
whitelisted
2880
hmpalert.exe
40.71.250.191:80
activate.hitmanpro.nl
Microsoft Corporation
US
whitelisted
2340
hmpalert.exe
185.105.204.28:80
updates.hitmanpro.com
Astralus B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
alert.hitmanpro.com
  • 23.97.160.56
suspicious
activate.hitmanpro.nl
  • 40.71.250.191
suspicious
updates.hitmanpro.com
  • 185.105.204.28
suspicious

Threats

No threats detected
Process
Message
hmpalert.exe
Driver: IOCTL_002221C8 failed (error 50)
hmpalert.exe
Service: starting
hmpalert.exe
Driver: IOCTL_00222000 failed (error 50)
hmpalert.exe
Service: mode 2
hmpalert.exe
FalsePositiveManager: not initialized
hmpalert.exe
Settings: FlyoutFrequency failed
hmpalert.exe
Settings: WindowBorder failed
hmpalert.exe
Settings: WindowBorderAutoHide failed
hmpalert.exe
Settings: WindowBorderKbdGuard failed
hmpalert.exe
Driver: IOCTL_00222084 failed (error 50)