hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

10-04-2024 22:59

240410-2ynlcsgg71 8

10-04-2024 22:58

10-04-2024 22:56

10-04-2024 22:53

10-04-2024 19:14

Analysis

max time kernel
273s
max time network
347s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

hmpalert3.exeHitmanPro_x64.exe

description	ioc	process
File created	C:\Windows\system32\drivers\hmpalert.sys	hmpalert3.exe
File created	C:\Windows\system32\drivers\hitmanpro37.sys	HitmanPro_x64.exe
File opened for modification	C:\Windows\system32\drivers\hitmanpro37.sys	HitmanPro_x64.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hmpalert3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hmpalert.exe	hmpalert3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hmpalert.exe\MitigationAuditOptions = 00000000201000000000000000000000	hmpalert3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hmpalert.exe\MitigationOptions = 00000000112000000000000000000000	hmpalert3.exe

Executes dropped EXE 3 IoCs

Processes:

hmpalert3.exeHitmanPro_x64.exehmpsched.exe

pid process

1380 hmpalert3.exe
2112 HitmanPro_x64.exe
864 hmpsched.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1380	hmpalert3.exe
2112	HitmanPro_x64.exe
864	hmpsched.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

hmpalert3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}\InprocServer32	hmpalert3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}\InprocServer32\ = "%SystemRoot%\\system32\\hmpshell.dll"	hmpalert3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}\InprocServer32\ThreadingModel = "Apartment"	hmpalert3.exe

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.228.168.9
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

HitmanPro_x64.exe

description ioc process

File opened (read-only) \??\D: HitmanPro_x64.exe
File opened (read-only) \??\F: HitmanPro_x64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

34 camo.githubusercontent.com
40 camo.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Endermanch@MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Endermanch@MEMZ.exe

description	ioc
Destination IP	185.228.168.9

description	ioc	process
File opened (read-only)	\??\D:	HitmanPro_x64.exe
File opened (read-only)	\??\F:	HitmanPro_x64.exe

flow	ioc
34	camo.githubusercontent.com
40	camo.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@MEMZ.exe

Drops file in System32 directory 3 IoCs

Processes:

hmpalert3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hmpalert.dll	hmpalert3.exe
File created	C:\Windows\system32\hmpalert.dll	hmpalert3.exe
File created	C:\Windows\system32\hmpshell.dll	hmpalert3.exe

Drops file in Program Files directory 5 IoCs

Processes:

HitmanPro_x64.exehmpalert3.exe

description	ioc	process
File created	C:\Program Files\HitmanPro\HitmanPro.exe	HitmanPro_x64.exe
File opened for modification	C:\Program Files\HitmanPro\HitmanPro.exe	HitmanPro_x64.exe
File created	C:\Program Files\HitmanPro\hmpsched.exe	HitmanPro_x64.exe
File created	C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe	hmpalert3.exe
File opened for modification	C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe	hmpalert3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133572635948676755"	chrome.exe

Modifies registry class 6 IoCs

Processes:

hmpalert3.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}\ = "HitmanPro.Alert Icon Overlay Handler"	hmpalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}\InprocServer32	hmpalert3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}\InprocServer32\ = "%SystemRoot%\\system32\\hmpshell.dll"	hmpalert3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}\InprocServer32\ThreadingModel = "Apartment"	hmpalert3.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FAC02B7-77D6-418B-AC11-962C65CDE8DD}	hmpalert3.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

HitmanPro_x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HitmanPro_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HitmanPro_x64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeHitmanPro_x64.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exe

pid	process
3988	chrome.exe
3988	chrome.exe
2816	chrome.exe
2816	chrome.exe
2112	HitmanPro_x64.exe
2112	HitmanPro_x64.exe
2112	HitmanPro_x64.exe
2112	HitmanPro_x64.exe
2112	HitmanPro_x64.exe
2112	HitmanPro_x64.exe
4504	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
2896	Endermanch@MEMZ.exe
2896	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
2896	Endermanch@MEMZ.exe
2896	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
2896	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
2896	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe

Suspicious behavior: LoadsDriver 11 IoCs

Processes:

pid process

676
676
676
676
676
676
676
676
676
676
676
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

3988 chrome.exe
3988 chrome.exe
3988 chrome.exe
3988 chrome.exe
3988 chrome.exe
3988 chrome.exe
3988 chrome.exe
3988 chrome.exe
3988 chrome.exe

pid	process
676
676
676
676
676
676
676
676
676
676
676

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe
Token: SeShutdownPrivilege	3988	chrome.exe
Token: SeCreatePagefilePrivilege	3988	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exeHitmanPro_x64.exe

pid	process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
2112	HitmanPro_x64.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Endermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exe

pid	process
5020	Endermanch@MEMZ.exe
4504	Endermanch@MEMZ.exe
1380	Endermanch@MEMZ.exe
2468	Endermanch@MEMZ.exe
2896	Endermanch@MEMZ.exe
2104	Endermanch@MEMZ.exe
936	Endermanch@MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3988 wrote to memory of 4324	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4324	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4080	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 1932	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 1932	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 2064	3988	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe87b79758,0x7ffe87b79768,0x7ffe87b79778
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:2
2⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2808 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2816 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5316 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5700 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5832 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6020 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6336 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6680 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=7008 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4704 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5816 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7036 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6708 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7032 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7004 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:2548

C:\Users\Admin\Downloads\hmpalert3.exe
"C:\Users\Admin\Downloads\hmpalert3.exe"
2⤵
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=7080 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:1
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5760 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5824 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1860,i,42047273280764552,2714409097919321005,131072 /prefetch:8
2⤵
PID:4552

C:\Users\Admin\Downloads\HitmanPro_x64.exe
"C:\Users\Admin\Downloads\HitmanPro_x64.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3044

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe
"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe
"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe
"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe
"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe
"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe
"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe
"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\Endermanch@MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:3952

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:1520

C:\Program Files\HitmanPro\hmpsched.exe
"C:\Program Files\HitmanPro\hmpsched.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HitmanPro\hmpsched.exe
Filesize
151KB

MD5
37c82e90529078c1dffc65c59050f4cd

SHA1
697495fba0dfa323e11fe73c0bc64ae44b2033fa

SHA256
e37128b0a2599fc950263d9c2e800a41ffbdc9b63eb74f3c48f44e8213817a0c

SHA512
154df1633c7011c96fbd96728912fda15e0848ce39a1348704a1a83132b220e8f40834fd54771b723ce066e720915d2decb50c923906014e446d8c3c6a01dd90

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert\HitmanPro.Alert.lnk
Filesize
2KB

MD5
bbd8186eb818fda1fca86ac4915892e0

SHA1
dbf76d0d3eecb2d639aea7c219d74f34b0be10c7

SHA256
d25a9069446aeffc83365fe52d165f707b5a7be94c82e49fa2ae14ec20f8dd8b

SHA512
fa1ec01d80d9eb1834cddacbf823a5b680a19ef40a54285aad7208769bf001e822a90aa0946c0c43fb21ace9c77dadaf44645e7a4b8e764f00bde999ecf8a15e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e
Filesize
103KB

MD5
5ca2446e2ecbed7346343d58f1691fb9

SHA1
058d256017bad264a5ccf680a7d76bb06cc08290

SHA256
74d4dc5b6adfa39afb1650e35d59591ceaedf806c36b28baf27391f5781810ee

SHA512
c69fa6fe2ebd4d5dfd0da9b7eea7367001a90184c506b0011170e12ab40648771357bd58f470a452d75a991b251e38ffc927843878b2d9f508e3ce1330024f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f
Filesize
83KB

MD5
5987593383ef9eb38e574192c280ad8a

SHA1
fbc14f75c07879dd1aa19bef290dcd936f47fffe

SHA256
5595210574ba09e2fe45327ca5777a7b214b65fb2d910ba35aed2caf98cfe6dc

SHA512
52e128b4dfe8f3d60531b0e3a5a229e3957de36a861ff987dd0c3a784d0cfdcba6a9552b90904a67a2a83841d801f701dfdaa734bba9620b589943e34f2d4a24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020
Filesize
21KB

MD5
97e9eb8daf9e8eb2bb8123a2e411796b

SHA1
4845de99b05cec039d5fea18de354ce9b16af1b7

SHA256
4968459c5711516ec4a3a8283e8f162cdc6f894c5d42d986048eadae6edcdbdf

SHA512
d302cc873f227a616cba16153d6804f4145bc4e10ee8b5b0e03bfc73cdf27a85ca90999a03eb078c40a3e3bf43e2a2ad708ba2a7812dc27a681b8e1a872a4fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021
Filesize
99KB

MD5
30d010d541283f65a573407d5e457768

SHA1
9e1ef31e3f7a1ca7a7233c47e77f283f3b74dbad

SHA256
eb1b7794be384931e51c6e7ac01367fb6b03473729215813d734593c48547618

SHA512
c2e791e99b7936a8c8aa3dab997dd5b5bed3b0fe766b7125808551cad89bc248e73ddf19da77bdbdaef6303ac15b22a531c4bef4be7f9ab1fa00bb8a2e9e77c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024
Filesize
70KB

MD5
169e4b4b7f04067a85da188332e770aa

SHA1
3bd6036233fc1747ac9004e0b7e6c1beb1cde387

SHA256
e7bea25ffe98b80d7e320c147dba4f7b86dde00fe17338b03f7e9192f787ad6a

SHA512
c20aa0734fde7f0cd5f295bee55ec664b1c89b7d3dfb9041d560fa1e6c1c1d64a6111af2d4ce0ee478fb7a0ee4b83a435aac153e6e3c49990e64692af7ff6ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
2KB

MD5
70d7b981d392567a944cf01ca39c3d9a

SHA1
2b7d88f724e8d856e83b5889930b5ed53268c427

SHA256
504139978838c66141d6661141ddaea595164eadef8820b65f4d4e186a6afb4f

SHA512
089f004ff513cb64ae18632d5c578205f57f966d779204c27264ff4d6bf9a81ffa26231e68464229dd55e5b697bbac68113a9341f48a26061d9b2ee57799c6bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
2KB

MD5
0bd3c43dfe788af0b74b1bb6d7bf1e07

SHA1
a3d990d9ba7fd768577b665e724397129dd89588

SHA256
910b717dc306d29032a5a8268ea36e7e668816de6e75cecc4c6db232002264d3

SHA512
31da2768d29d4fbdc66b90bf1d954d487d8a15ab414c7c9e5875697e0d1afd810e6bafba58a65b3b7ffd006fe469efcac17309df31fe7eddd7fb4a10077d1400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
375efcdfa2d4d66997a0cc27c8ac05e9

SHA1
9d7270bcd8d1349b29114b1b0cd7f9e6372240ff

SHA256
3fa952f2f80c7d22e3803035be77754ee2a429338a3f3f25259355308af4a93d

SHA512
06165035edfbac372273af40ac94c9ccf65d38d15999d39fabe3513e4c1c1cc74191d8bdde6e5affd45c61f12eb76657d60c672bf028f5378dd948ce6a0a1511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
28KB

MD5
3aeb807b66754789eef0f26f814c9985

SHA1
7075d78106f6b858305a174beac957fa4d0ecbd3

SHA256
6f79d3653fd20eaec41e89db6e84e20b0f9e456c430006af78dc84eaa41550fe

SHA512
3691b8db47fa87379f5f6326b076e1a233ad91b17162421af2a692ece1b625dd70021e5bd0f856da100dd2f1d526ae0b8e7e1f04e7b9aada478031e0d438d7e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
38980cfe87be7bf8fed65ece5b3a521a

SHA1
47bb51fa84758081525c5507ae0a3ee41052c3ab

SHA256
4e6ad52b9410b44436b2f9ed19db851faba9cc0ef629906b0870dc919b9d37dc

SHA512
e46f5d39164db454a5e269a7c9434be5da3eb0ee7a81fb9e5f90739adacf40eced1c9a8d1b630267115375109bd70fd013b036513df9b32270f475773b1900ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
b97bccca4668f9b78e7258ff02db67ee

SHA1
a766c44cb2e631e226bfd9243d08a23cc5a85c38

SHA256
005bb923bacabee3d4963dd7737d3627fe9208c2a04e51b5b5e08a90e977bbb8

SHA512
39f9b788b9deeb425ba689a4bb0f3a07d86024cdeecbc923691e59af1c450f0c7eb46c43219e2ad02a433d59460562c85b0c87e894be8b634b589d0d4056b2ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
e4ca703d67b872b78579e9b0e4564260

SHA1
dd786dd74f0d0cef8170779794c0124fabedfc15

SHA256
4d29bf6218b2c27f4bd681c5056c194da28fed2272631dc12e7d843543955b1a

SHA512
70b07ce7940344ab3d7b4459d015e30d8fcd377dd7a68f2a6b70dfc897acab827d7d6198316371bcf03d1d9763bb7fdd2350246b7485a459c40029984c3505ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
caa63cf2b36117121db2508b59620437

SHA1
5fcce493a2bdb9bef7b826f280bdb3209737e8c8

SHA256
7e785568410183a108e3a073f2a9ae32eadf186add556f00727829245b3f9e58

SHA512
fc886931325c10f571a2f124a969cd2934e9b08a21082a8e60fab90442e42bc3eec982495478ad7bf834e80b9f9be8e3d5cfa9895c4fa5cc4ebd9ac3c0a4ab54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
74cd5d3e90c62afe7af0af6ddcc41515

SHA1
9a518440217b0e668a27fa0e0546ac43aafbe30d

SHA256
70ad0fa8b7046ed1f7fd2e8fdd7fbbc58a8571396bb770a1af20945a54332f76

SHA512
f7a92299db39fa904db9dc4b136dc9feecf9a64e6eb547142a3eb2bb999980fd4cbdf90e192dd92727e6602c35619814a6ab4aff9c2985913f9eb4d90012de09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
26de714cba5df39e92006838d9ce5506

SHA1
436e62bd124fd87031e9eeb05601b0d72cd630c8

SHA256
a194d70edb874cfda1a456717ca17a75a9442795b05075a7973531e785619dd1

SHA512
ceac30fd2142e94de7255ec727aab69d10757dbc0db1d448c57815c5972d6e5f20ae25708edd11cbe373356edbb50eedbbb34a7221fbb6127d00f3b199ff64e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
544c4fb321181e710e564385114d6f22

SHA1
7c6e7c19a8093c7c514b9ba85def079ed23ae5fa

SHA256
9d142437e5532684bf0c7096457a0cfd2ad58d3d364f008a2537eeee79416495

SHA512
1eecf5820fd83da9f0cc6359e6f803e459fc24332af8748701e027aeaab001600c5c15c900fe354767d79c9de8a80f0efc7e958bf7224c8af5e56a68b2765e31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6e2f3c96aa52e7af7b9cfc02b9f83585

SHA1
03e83fc474267a2c028f71551a7fb2c4e3d161b6

SHA256
f1cca4e292d1b6c72fdf263d13897460089721d51b21f3db7d2c8d9efb2ffb53

SHA512
59ab31c40eb17b38e915c0d3414d108334c2cb410f1a209217f788086257d326d7f4eceebd6aef211dd71654aa3bacce57c5a1d1a804ef5e01fe715e9c7c0a67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2b7782372f7a73e9c75e0bd8b5c20869

SHA1
5c53f5b24fb4b12f3961d21b9cff2300a3c6c563

SHA256
586abe94cdfd2e3c7baa6230d1bc1247cfcd1480c054080a63bb1285c090aa45

SHA512
b34b64680157de80066f31894dc6ceeafe501f07b6b68d6c63a8157b47a24842e4a505b8aaf4060155999585c9a42a0864607e4673c2f6e310bbbd14c785cf45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
19b3744790a85917e406014c2dd9b041

SHA1
b5c4c40b8971eaa18eca2018e4b59f628380c35e

SHA256
b2631445df586b0c84aaff42807081fe303392c6d4c8fb6b4b72d6e7123ab9e2

SHA512
a5dbfc086bf1b8b58047dfc5540436662fe75ae4e3ac4e07537353121f4063c23f88e7280ac94642a11e491712ebfc940b619168b21e9fcdddadb72ddf0b7039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5426df527e29e419744afe53ee93727e

SHA1
170853127dfaf81e4767201964ea446dc6c42323

SHA256
1d7bfeefa695fac515df78d89a8350867887fe4aee5f91efb96bf4300e586fab

SHA512
5202ba4886fa090d7494a060b47e1f43492bf7be135a92fb417ebbe5a98f8c741cf625dc58e8d9128b5fe16a4134c1c33356d14c090850043597be4d5482789d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1c970e58b2a263996a755da46b8202b1

SHA1
580148e707f1a3d099372725da815b0c299f01a4

SHA256
24b787ba34773b1eefb3e212927064c55e8c48a21becb1459c1634c9ae514202

SHA512
09b2e974b23486ed076e7dab046e692751857554635c8b7b75c451acee97cbeb05011cbdf4c24522115028e280195bd592c6ec7cc6fe9c6964aab44df0002024

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize
92KB

MD5
c576513d31123f1e1b71e13304a38e78

SHA1
9fc489250c8fb8fade3a8a7e9e7b510b1022f5f3

SHA256
2624f18c597910d57dedc80819ead6932f8a6467a506d86fcce60e7c5599c780

SHA512
fcfb639b9347da275eaf7051d4d2152c74f449e4a061fa4325de1ec6c7f07287e13e5d6d72cbd6b15208fa644bcf557e68b1d75c63c3e9fc8bef9b2455455c5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
fa82d91e3ee0f1a7788d28908e361e5c

SHA1
27eef6e01492d54523a384561ce40e736ff2a7cb

SHA256
e1c1556a1e467e5d407e083bfa5e242035ef00c7939d7c32bcafae3458cc851b

SHA512
70fdfc5bde6d16973dedfabb8181391865c285153bb782e9a6591dc0e189b2f4146406400803817528f20790e691058e3395075f031c714678ac2c1300718f71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
b421718b8c4932ddfde869960048aac0

SHA1
b2a38b0e66db444223164b1ccd094075441aa677

SHA256
cd8619baa9b94ee5650bdf7018a878b576e86fecba8699d06430cc8108906148

SHA512
b8d1aa624d8fd2ae77df2f5e476d1f60ff9f364da95de3dd4e3c9544a1db490ad8260f9b31d6fc54f4eac68986882a04144177e942c347a3fbba0573691389e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
6f8132c8993062fd9d4b0ce6eda664f7

SHA1
6cddc7557710ff62535539706c104ff971037238

SHA256
c8a7f2126f088a3bad5eb4d98d87ada624d76507d296153894e87843d55a6394

SHA512
d6d57defefac7d8ab29ca73356c34868ccbf4458ce8cc311199752f99fb15e3b22ed2b6e5edd9ad4f292bd8dcec7209ec35dfe99c95398ae04a8bd94ecbe3687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
d7f2321e18ccd3825e9344b0f82556b0

SHA1
78a997a8e4a88d0ef9581a41280ad6a5e9f0ed3d

SHA256
0702dbd0911986e0555a1d822721284748274d8b879574f5b8f2aef9fa7dc734

SHA512
b4fd4e5131d70eb0dc3d0180a772e4d41d057f04a5c8e3ca3fbdaefc1c3a5208ae7ec4f22ab30572d6c70d8041974eb944b9b3942f7ed52466c8fcd02e57a440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
114KB

MD5
0bcbc676d985da68f934f9bd6b7a1f4c

SHA1
f38f2f946199fc197584251dab00448e27fbcec8

SHA256
ca1b63626a912035ab693a308510d5fac7a8965e79c8385811bd6456120d654c

SHA512
d424457f45e087d856fb21470945cc56f048cc5c7d5827e3a28cba8c048613c8dd4428a5773bcdb85e889d6748adda424fa34acb60fbbc7a945cbfef51264d0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599282.TMP
Filesize
108KB

MD5
361b1f8a0b046d6533713529512a6ead

SHA1
3c4ec3738f4fd4b4417f1293fa209b252bf3fb89

SHA256
29680fe98b708ae894ec41b484ab412ec4868353d69d0905b1cd53a13aa1d79b

SHA512
831f7e4117b3ccf3e2fa8f96c66a9df49c7591ac1c1298a301fa1f8338750c7178fe4a0f0660bc6bbe71f82e4fbdea745a5eae7357b78f5221871529ce4b4f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b6fd81ab-01b1-4ea6-9b7b-e824bd1971c0.tmp
Filesize
115KB

MD5
c5a5dce6a0065e225504fe1dbc2f11ad

SHA1
5984e48ee5348ee47e8efe8367bd68b28e9e32eb

SHA256
d0567327e0b574f5356a2d5d27303899a2997faa4042cf8c01046b66519445a9

SHA512
5d6efc5772769e82c97674dc84afcef7f001880f6f24a7fed70f144c46d3c9e6405764422bfbae8cfbaafe240beb4f509f4d673305b5bbfc00a89ba4e5c52439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 265026.crdownload
Filesize
5.6MB

MD5
19468ee76fbcafb0bcb1eb9604f5748c

SHA1
453a81aaf0f4ec0e86077a21befea8392e749f3f

SHA256
93b3eccd9e2cf130c9f21a44a14db9646b6a2ae8f03b585410f8a69d460253d3

SHA512
f3b7462194d202ab604fd441b9336953fc3d49a93b6449ad722f6746ef2c9d36f0b4af501e631b36154d91a36ec2ec083af51394b1f21bec306117e1c4f91baa

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 348476.crdownload
Filesize
13.6MB

MD5
57ae72bca137c9ec15470087d2a4c378

SHA1
e4dd10c770a7ec7993ed47a37d1f7182e907e3ed

SHA256
cfeea4ea5121d1e6b1edbd5ca6e575830a0a4cbaf63120bc36639c44e1b89781

SHA512
f80d6732e86a8d38db1ff43c0c5058013bd456c4b86b87018166ca073bc84fb8e7676b55371ae9cec668a77d198e1e7f6854a9a93581ed21a32167e3b9533f6e

Download Submit
C:\Windows\SysWOW64\hmpalert.dll
Filesize
1.2MB

MD5
a630c80e5ac02d0e01f6b274dbe5b500

SHA1
d6d8b4bc986746cbeba87ac3714032b57eca0a66

SHA256
2256f66af17a95ae06c7f4763986a09e043ba22f41e6aa21eb212a9df12fb042

SHA512
b7210d08da333a04fed0bb5d736cad91242a021fcbfa382094349573bd90ab16295ec51f4c7db5b993230a1153df05b7d2e99f13004bc9f3b64e0534d58394a0

Download Submit
C:\Windows\System32\drivers\hitmanpro37.sys
Filesize
41KB

MD5
55b9678f6281ff7cb41b8994dabf9e67

SHA1
95a6a9742b4279a5a81bef3f6e994e22493bbf9f

SHA256
eb5d9df12ae2770d0e5558e8264cbb1867c618217d10b5115690ab4dcfe893c6

SHA512
d2270c13dc8212b568361f9d7d10210970b313d8cd2b944f63a626f6e7f2feb19671d3fcdbdf35e593652427521c7c18050c1181dc4c114da96db2675814ab40

Download Submit
C:\Windows\system32\drivers\hmpalert.sys
Filesize
411KB

MD5
2dc1291ce25f3e6d8f5b6ea24e989233

SHA1
e947f8716020bab264523ddcea0f2083f55ca376

SHA256
35811432feb75e73f923f517e580ddf0aa3dce824338dbf895609f9c8290a558

SHA512
1f6c5af45fed885e6901ad40009849c6b2f90d415c4e25799a43b3de1405fff0ffca8afe0ada63e2b6b9f01e0e6575c2f45d134546c13f9657557485e44762df

Download Submit
C:\Windows\system32\hmpalert.dll
Filesize
1.2MB

MD5
b9481cd3c3dacb35d6bbb1bd320b4b66

SHA1
e65a589eae2f74f2f083cdc1b88c5efa4106694d

SHA256
b7666db6046392d8706ea7ca4633ea30ed905eeec1a8fbcce927d12e34e1bb80

SHA512
a62bc4daf815ecda8b1c59a2b61344c2e126eafc60ab28db3fcd828bfe8f56f7ef9774444e200f40ff8620fea36843b1d2d41f5fa500ebf3b834245fc2a6f2bb

Download Submit
C:\Windows\system32\hmpshell.dll
Filesize
251KB

MD5
ce5bb830414080a5f09c79c2f771152b

SHA1
539c1aced67b5de7c9a5b82b2c9da54f48d523bc

SHA256
200c7d843075dc7ae0751f531abc272ce7aebcbcd50c5e1c0121a48ef86093aa

SHA512
04e04ca0e53b7e8a9ef7aef52bef791bf539f4205e2547095cd6d65a4b5fd3fa702f65b7a1ef9f74431b043ad2487285ce4b3160afeb43cd3d59c89a7c88ba42

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_3988_YGHLDCWBLONOHLJH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit