Field | Value |
---|---|
File name | HitmanPro.Alert.3.7.10.Build.789.zip |
Full analysis | https://app.any.run/tasks/dfad302f-bf52-4ad3-87d4-3953ad739ee2 |
Verdict | Malicious activity |
Analysis date | September 18, 2019, 16:24:42 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | — |
MIME | application/zip |
File info | Zip archive data, at least v1.0 to extract |
MD5 | AE13C1E1D49A4F2A6603C99B1805B19D |
SHA1 | 38F656555CC2C82804C4F916AC016508667FA46E |
SHA256 | DEB3DAA2AFBD18A1BADB9416AE246A6780CA7C5E6981FC849C3AA5D943D9D470 |
SSDEEP | 49152:nkl0MZNn4cLPLSxU5AJMvGg7Sck8C2SJyjAHNJEhdDqRH13TVG+fltIMS3b2bukv:n80M/n4lWQgGWAsHD03RGyl+Nqbd |
Extension | File type |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipRequiredVersion | 10 |
ZipBitFlag | - |
ZipCompression | None |
ZipModifyDate | 2019:09:06 21:08:23 |
ZipCRC | 0x00000000 |
ZipCompressedSize | - |
ZipUncompressedSize | - |
ZipFileName | HitmanPro.Alert 3.7.10 Build 789 Multilingual/ |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3568 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HitmanPro.Alert.3.7.10.Build.789.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
812 | "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe" | C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe | — | explorer.exe | User: admin; Company: SurfRight B.V.; Integrity Level: MEDIUM; Description: HitmanPro.Alert; Exit code: 1; Version: 3.7.10.789 |
3952 | "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe" /elevated /scan | C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe | — | hmpalert3.exe | User: admin; Company: SurfRight B.V.; Integrity Level: HIGH; Description: HitmanPro.Alert; Version: 3.7.10.789 |
3620 | "C:\Program Files\HitmanPro.Alert\hmpalert.exe" /service | C:\Program Files\HitmanPro.Alert\hmpalert.exe | — | services.exe | User: SYSTEM; Company: SurfRight B.V.; Integrity Level: SYSTEM; Description: HitmanPro.Alert; Version: 3.7.10.789 |
2608 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3496 | "C:\Program Files\HitmanPro.Alert\hmpalert.exe" /tray | C:\Program Files\HitmanPro.Alert\hmpalert.exe | — | hmpalert.exe | User: admin; Company: SurfRight B.V.; Integrity Level: MEDIUM; Description: HitmanPro.Alert; Version: 3.7.10.789 |
3196 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\Patch.zip" "C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
3340 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3904 | "C:\Users\admin\AppData\Local\Temp\HitmanPro.exe" /noupdate /scan /quiet | C:\Users\admin\AppData\Local\Temp\HitmanPro.exe | — | hmpalert.exe | User: admin; Company: SurfRight B.V.; Integrity Level: HIGH; Description: HitmanPro 3.8; Version: 3, 8, 15, 306 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3620 | hmpalert.exe | C:\ProgramData\HitmanPro\localcache.db-journal | — | — | — |
3952 | hmpalert3.exe | C:\Windows\system32\hmpalert.dll | executable | 84A42A99E951A99D0E73E51CFB0CFA2C | 3BBF372926671376CA4660CEC53FECE9136316E6FA4714C1331D302E3B522889 |
3952 | hmpalert3.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert\HitmanPro.Alert.lnk | lnk | 52E315CE08A8BEA8E18C07379E5D1FD5 | 45A964D3452711DBEAC98845C0A1581F5DC945E7C8CFEFB309BEBFC6964DF4DE |
3620 | hmpalert.exe | C:\ProgramData\HitmanPro\localcache.db | sqlite | 447A472A60880B7BDF3B410A8216984E | 734031E81A8534BCB24B6C60019420F1A16AD8B8E2E9E30F54D9246725291F40 |
3568 | WinRAR.exe | C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\Patch.zip | compressed | A0CEE0F7EDB93B0D23487466CF44C338 | B0AF5357C4D3E773DBF16ECD4047D2C63D3DE66A5BEC6D37838AECE66A4A9EC7 |
3620 | hmpalert.exe | C:\ProgramData\HitmanPro.Alert\excalibur.db | sqlite | 3632289B94E0E288CA91E92945942E79 | 7449B9B7DABC20012E488B70A44B1FA59DCC0ED66922671467B55567110DA379 |
3620 | hmpalert.exe | C:\ProgramData\HitmanPro.Alert\excalibur.db-journal | binary | E4AA063DC5CB25D89BA2A738E777261F | F955FAD66F0D1D00E7B25EB3C470F9EB31F070FE18764AAC8704A3069F7009F0 |
3568 | WinRAR.exe | C:\Users\admin\Desktop\HitmanPro.Alert 3.7.10 Build 789 Multilingual\hmpalert3.exe | executable | E8FE4B6D76994174F3A84086993ADC2A | F0A9340F09F2CB58C5B7F0CE694376520AC5D0B36B8072E080C66CFA92C4F18D |
3952 | hmpalert3.exe | C:\Program Files\HitmanPro.Alert\hmpalert.exe | executable | E8FE4B6D76994174F3A84086993ADC2A | F0A9340F09F2CB58C5B7F0CE694376520AC5D0B36B8072E080C66CFA92C4F18D |
3952 | hmpalert3.exe | C:\Windows\system32\drivers\hmpalert.sys | executable | 105249813BDB57627FDB2DB9B5D47D3A | 1F49716B6BB6D2EACF8C50BCCC6D3928716E557FAD4299735284AD67F1CCC2C9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | — | — | suspicious |
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | — | — | suspicious |
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | text | 428 b | suspicious |
3496 | hmpalert.exe | GET | 200 | 185.105.204.28:80 | http://updates.hitmanpro.com/hmpalert-blm1.bf | NL | binary | 7.76 Kb | suspicious |
3952 | hmpalert3.exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted |
3952 | hmpalert3.exe | GET | 302 | 185.105.204.28:80 | http://get.hitmanpro.com/ | NL | html | 157 b | suspicious |
3620 | hmpalert.exe | POST | 200 | 40.71.250.191:80 | http://activate.hitmanpro.nl/activaterequest.aspx | US | text | 1.50 Kb | suspicious |
— | — | GET | — | 172.217.22.4:80 | http://www.google.com/ | US | — | — | whitelisted |
3496 | hmpalert.exe | POST | 200 | 23.97.160.56:80 | http://alert.hitmanpro.com/report.ashx | NL | text | 29 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3952 | hmpalert3.exe | 91.199.212.52:80 | crt.usertrust.com | Comodo CA Ltd | GB | suspicious |
— | — | 172.217.22.4:80 | www.google.com | Google Inc. | US | whitelisted |
3620 | hmpalert.exe | 40.71.250.191:80 | activate.hitmanpro.nl | Microsoft Corporation | US | whitelisted |
3952 | hmpalert3.exe | 185.105.204.28:443 | get.hitmanpro.com | Astralus B.V. | NL | suspicious |
— | — | 185.105.204.28:80 | get.hitmanpro.com | Astralus B.V. | NL | suspicious |
— | — | 87.249.108.117:80 | cloud.hitmanpro.com | Virtu Secure Webservices B.V. | NL | suspicious |
3496 | hmpalert.exe | 23.97.160.56:80 | alert.hitmanpro.com | Microsoft Corporation | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
activate.hitmanpro.nl | — | suspicious |
get.hitmanpro.com | — | suspicious |
files.surfright.nl | — | whitelisted |
crt.usertrust.com | — | whitelisted |
alert.hitmanpro.com | — | suspicious |
updates.hitmanpro.com | — | suspicious |
cloud.hitmanpro.com | — | whitelisted |
www.google.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3952 | hmpalert3.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
Process | Message |
---|---|
hmpalert.exe | Service: starting |
hmpalert.exe | Service: mode 1 |
hmpalert.exe | FalsePositiveManager: not initialized |
hmpalert.exe | Antivirus: startup |
hmpalert.exe | Antivirus: initialize |
hmpalert.exe | Antivirus: creating C:\ProgramData\HitmanPro\localcache.db |
hmpalert.exe | Antivirus: created (result 0) |
hmpalert.exe | Antivirus: opening (result 0) C:\ProgramData\HitmanPro\localcache.db |
hmpalert.exe | Antivirus: read 0 hashes from store |
hmpalert.exe | Antivirus: opening (result 0) C:\ProgramData\HitmanPro\localcache.db |