Analysis

max time kernel: 92s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-08-2024 15:21
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.mediafire.com/file/aaguct1m2lg1la9/HITMAN_3_v3.10_Plus_11_Trainer.exe/file
Resource: win11-20240802-en

General

Target: https://www.mediafire.com/file/aaguct1m2lg1la9/HITMAN_3_v3.10_Plus_11_Trainer.exe/file
Malware Config
Signatures

r77 rootkit payload (1 IoC)
Detects the payload of the r77 rootkit.
resource / yara_rule: behavioral1/files/0x000100000002a984-244.dat  r77_payload

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
pid / Process:
1660  HITMAN 3 v3.10 Plus 11 Trainer.exe
1100  HITMAN 3 v3.10 Plus 11 Trainer.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When a file is downloaded from the Internet, the downloading application tags it with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier; the ZoneId value in that stream (3 = Internet) is the Mark-of-the-Web (MOTW) that Windows SmartScreen and Office Protected View consult. Deleting or rewriting the stream lets a downloaded file evade those checks.
description / ioc / Process:
File opened for modification  C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier  msedge.exe
Note: the process touching the stream here is msedge.exe (the Edge quarantine utility process, PID 2220 in the process tree below), i.e. the browser writing the mark onto its own download. The signature fires on any modification of Zone.Identifier and is not evidence that the trainer removed the mark; it would be a genuine bypass indicator if a non-browser process, such as the dropped trainer, opened the stream for writing.
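To make this signature actionable, the following is an added example (not part of the sandbox report or any vendor tooling) that parses the content of a Zone.Identifier stream and labels the file: unmarked (no stream), internet/restricted (mark intact), or inconsistent when the ZoneId has been lowered although the stream still records a remote HostUrl or ReferrerUrl, which is the residue a mark-rewriting tool leaves behind. The sample stream, the mediafire-style referrer and the download.example.invalid host are constructed; the read_motw helper only works on NTFS volumes under Windows, where Python can open the stream by appending :Zone.Identifier to the path.

```python
"""Parse and sanity-check a Zone.Identifier (Mark-of-the-Web) stream.

Added example, not code from the sandbox report. SAMPLE_STREAM is a
constructed stream of the kind a Chromium-based browser writes for an
Internet download; the URLs in it are placeholders.
"""
import configparser
import sys
from typing import Optional
from urllib.parse import urlsplit

# URLZONE values used in the ZoneId field of a Zone.Identifier stream.
ZONE_NAMES = {0: "local-machine", 1: "intranet", 2: "trusted", 3: "internet", 4: "restricted"}

# Constructed sample: what the browser's quarantine step writes for a download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.mediafire.com/file/example/Trainer.exe/file
HostUrl=https://download.example.invalid/Trainer.exe
"""


def parse_zone_identifier(text: str) -> dict:
    """Return the [ZoneTransfer] keys as a dict, with ZoneId converted to int."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (ZoneId, HostUrl, ReferrerUrl)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in stream")
    data = dict(cp["ZoneTransfer"])
    if "ZoneId" in data:
        data["ZoneId"] = int(data["ZoneId"])
    return data


def _is_remote(url: Optional[str]) -> bool:
    """True for an http/https/ftp URL whose host is not the local machine."""
    if not url:
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https", "ftp") and parts.hostname not in (None, "localhost", "127.0.0.1")


def classify_motw(stream: Optional[str]) -> str:
    """Label a file from its Zone.Identifier content; None means no stream exists.

    Returns 'unmarked', 'malformed', a zone name, or 'inconsistent:<zone>' when
    the ZoneId is below Internet (3) although the stream records a remote origin.
    """
    if stream is None:
        return "unmarked"
    info = parse_zone_identifier(stream)
    zone = info.get("ZoneId")
    if zone is None:
        return "malformed"
    name = ZONE_NAMES.get(zone, f"zone-{zone}")
    if zone < 3 and (_is_remote(info.get("HostUrl")) or _is_remote(info.get("ReferrerUrl"))):
        return f"inconsistent:{name}"
    return name


def read_motw(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier from NTFS (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return None
    except OSError:  # non-NTFS volume or non-Windows host: no ADS support
        return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    stream = read_motw(target) if target else SAMPLE_STREAM
    print(classify_motw(stream))
```

Run it with no argument to classify the constructed sample, or with the path of a real download to check its mark. Read together with the NTFS ADS signature above: a Zone.Identifier write by the browser's quarantine process is expected; one by the trainer, or a stream that comes back unmarked or inconsistent after the trainer ran, is the bypass the signature name suggests.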
Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process:
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

NTFS ADS (2 IoCs)
description / ioc / Process:
File opened for modification  C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe:Zone.Identifier  msedge.exe
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 655417.crdownload:SmartScreen  msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
pid / Process:
1032  msedge.exe
952  msedge.exe
1560  msedge.exe
3096  identity_helper.exe
2220  msedge.exe
1660  HITMAN 3 v3.10 Plus 11 Trainer.exe (accounts for the bulk of the 64 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (24 IoCs, all identical)
pid / Process: 952  msedge.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
Token: SeDebugPrivilege  1660  HITMAN 3 v3.10 Plus 11 Trainer.exe
Token: SeDebugPrivilege  1100  HITMAN 3 v3.10 Plus 11 Trainer.exe

Suspicious use of FindShellTrayWindow (48 IoCs, all identical)
pid / Process: 952  msedge.exe

Suspicious use of SendNotifyMessage (16 IoCs, all identical)
pid / Process: 952  msedge.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process:
1660  HITMAN 3 v3.10 Plus 11 Trainer.exe
1100  HITMAN 3 v3.10 Plus 11 Trainer.exe

Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed)
description / pid / Process / procid_target:
PID 952 wrote to memory of 3124  952  msedge.exe  81
PID 952 wrote to memory of 3196  952  msedge.exe  83
PID 952 wrote to memory of 1032  952  msedge.exe  84
PID 952 wrote to memory of 4616  952  msedge.exe  85
All 64 entries are the Edge browser process (PID 952) writing into its own freshly spawned child processes (crashpad handler, GPU, network and storage services, see the process tree), which is ordinary Chromium process creation rather than injection into a foreign process. Neither trainer instance appears in this signature.
Processes

PID 952 (top level)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/aaguct1m2lg1la9/HITMAN_3_v3.10_Plus_11_Trainer.exe/file
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  PID 3124 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeb0d73cb8,0x7ffeb0d73cc8,0x7ffeb0d73cd8

  PID 3196 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2

  PID 1032 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

  PID 4616 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

  PID 4952 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

  PID 1608 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

  PID 2724 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

  PID 4036 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

  PID 2052 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

  PID 4000 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1

  PID 2248 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

  PID 3472 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1

  PID 4904 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1

  PID 1560 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7116 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

  PID 1496 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1

  PID 4548 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

  PID 3168 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1

  PID 2968 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1

  PID 3096 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

  PID 2764 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1

  PID 3036 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

  PID 4552 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1

  PID 3304 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

  PID 776 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

  PID 1924 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

  PID 2220 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses

  PID 1464 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3752 /prefetch:8

  PID 2064 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1

  PID 4212 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1

  PID 3000 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1

  PID 4232 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8

  PID 3280 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

  PID 4584 (child of 952)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10801772833462067493,18227118169925416805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1

PID 3944 (top level)
C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4904 (top level)
C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 3456 (top level)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 1660 (top level)
"C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

PID 1100 (top level)
"C:\Users\Admin\Downloads\HITMAN 3 v3.10 Plus 11 Trainer.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 29B
MD5: 100ad43a6e39d44013fad7f3aa343e3b
SHA1: dc8050bdee8a74354cb4a2057e4e703e7a460943
SHA256: a7b15ee77dd0db946e7fdbf574889bd30c23fa3d7bff6d509df118595ee14ec5
SHA512: 20f9b26416804f917d0642d35de32ccae0849c34bff4eb75c6450b1ee83756f3275850101d7482eb59c78356b1489c2d4db6cd95ae9b72b64d5eeab700d36ba8

Filesize: 1KB
MD5: b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1: 31920b3a41aa4400d4a0230a7622848789b38672
SHA256: 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512: 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Filesize: 152B
MD5: 4c3889d3f0d2246f800c495aec7c3f7c
SHA1: dd38e6bf74617bfcf9d6cceff2f746a094114220
SHA256: 0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
SHA512: 2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Filesize: 152B
MD5: c4a10f6df4922438ca68ada540730100
SHA1: 4c7bfbe3e2358a28bf5b024c4be485fa6773629e
SHA256: f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
SHA512: b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Filesize: 31KB
MD5: c03ff64e7985603de96e7f84ec7dd438
SHA1: dfc067c6cb07b81281561fdfe995aca09c18d0e9
SHA256: 0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526
SHA512: bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Filesize: 212KB
MD5: 2257803a7e34c3abd90ec6d41fd76a5a
SHA1: f7a32e6635d8513f74bd225f55d867ea56ae4803
SHA256: af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174
SHA512: e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 63b8385278a0d6613c3439eb0134e7b0
SHA1: e9db17c7073de53c7c3d8b8abb41a6d3f55f7592
SHA256: 8e742625930347894626259fbb2666b4630ad322cf7b1d38af1711534120a8fb
SHA512: 248abbdfd0761761d57c843e4405dc10d1656ccc42718487276aefbecbe91ef43d396d0ba6523d3849d5975538017032d0380f2a8d77434dce380b251ab3d6a8

Filesize: 9KB
MD5: 836d138f02148c6125a854001275d146
SHA1: 97f143697296de628c4dd01ef85ce742fbedf1f4
SHA256: 9c15e261d5f8a2ee2e07410bbc4b95b06ef32bf3ec5ac823e965107a9f458700
SHA512: 77f020061cfbe8562c0151f919a9d0aaac37f30a3658b21005eb4d12de601a8727250449a82f78edde6292a4a647eaa9d53396aa8ef4c97468c842e29fab16ec

Filesize: 5KB
MD5: e6054d9dc4431cac1f31a29e93907fc2
SHA1: 0b295633900adc611a8b9965b3a3767a4afe1806
SHA256: 178ccf7ebc61eac5bab99298043c50d1b6e4bed813c5dff13c04b35bfe47d022
SHA512: c3dc1df7e3c60a4d6c7590988f2042d2f09754a74aad192a0d3d52dccc6c395a53519ebd44b557ab91f6a562687a40bd3143972ce72723e2dd51974c2b021435

Filesize: 10KB
MD5: 2337747f8cb3c1f35e24ebbc2ef984b7
SHA1: 67faf8e592ab404b30c31e3165bc098ab18f0c9e
SHA256: d0802275996e7ec3698e69ea3a8092e5465d93c2b74b5ff1a7ec5a73fc23e9a4
SHA512: ff0a9a46188a91d2fc7c6360021b05e91a42b398d4768b5cdd33d698ab5748bcf42d8805996ce4d2847d08217f3e1613786bf72a6f289255d3ad4b219da605e4

Filesize: 11KB
MD5: a4385861107b740e0f0faf06a0cd792f
SHA1: 8c20682dfee66d79ca5ee295272025fc28f57e08
SHA256: c8764f8e7e81ddfc56b6fd9b262a223c2cd33db08b1cf823e43cd109104a7dc2
SHA512: 9338bb13e241686cc750470682a7163661523ac928b5150f84742d550b315845253e5e36245e411e78b9016765f01c8e3315bbfb2c482d92787a321e575a234a

Filesize: 8KB
MD5: ae940c3e594a1b161a6065b63c3961d3
SHA1: 57e55e7307a80a6edb523e4bf4cc883b5259fbc5
SHA256: 460ecac7a488d51010d6ab720cc3c1ef0ef96755d6314664debbdead35e05328
SHA512: a10df1c41b80d77e5077612488d63824a1ceb26738f2c887541f5764cabbde785bc650ec92f76eaee35b7b4923ee6fdae363df3e7bebd6538c100f4c228bf4a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: efdb04d75203e1b7bc74f41cfa7c891d
SHA1: b0afc2d4c4a54526faabed5b508e2d6e3037724c
SHA256: 3555b513c86c02bee4b66d1806d3fbdf24ff3c1a0d26c77021490051345f7218
SHA512: 8511cad0fd3cc839cb13b1b15d4eea65162ed7151d52b5f29254acf1ee825e373f42d152247007918a304110ce812a2a823dc3a3a27168520a9fe2a4eebd494f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586a00.TMP
Filesize: 48B
MD5: 143322cb5d58deacd7f65cd13f4fa013
SHA1: 3eb9839060afbf39e78778d00a27a7baf5b751e9
SHA256: d8201b6f5eca02322842606188afe1321385e2dbae3d5b771e33c077c6476984
SHA512: 86c463df7fc702896f3d64c1c9c3f7f41ee7fc8c61ecec939f97a1b8628d7c3b2f9fbf5887e0448c79745d48ac32ea3765326d56fe8e2f9e1214d399ef25aeff

Filesize: 1KB
MD5: 0290c94da608dfdba078a4c7a3ae0e65
SHA1: 3675959208fd7ff6058f9197886576790b61105d
SHA256: f44df8ea57b03e7f98c9fc42a02901f6307821f6a1bbfa1cd186f8fe09a13992
SHA512: a65829a915591b9c09addb9c45ca4421c2c1dadcbc46ef3cf198f169e8c0a834648ed912cac346b3b5ec007b2b1a92cd0b94f33206c9486f3202c7572247a35f

Filesize: 1KB
MD5: 26430fedd7ceb9221bd61b73835c542c
SHA1: c15272e7e62d8ea68bc27a1a071ffd51b1b0073c
SHA256: 022dfb3aebc36933a11023c0f933c2407c6f96bd5b5f5c59c0850fe8e9460223
SHA512: 9354d6463a5476e825c1f15d1ab19b1c3c61831097afee3a50af1771a8547acffa8595d6ab7d22de85e9b3ecfbd13a391ce0b3b0f9e76a4ec8715305595a0e4a

Filesize: 872B
MD5: 0a9d3824796a294706dc0296d98b9064
SHA1: 0e40eff1a328aa6696a65d544acdf981b0325b41
SHA256: a992f3463494ec80d83ebf3bd0b43ca03b067f608ab72b62476df664b9716c78
SHA512: 5db963052d605f42e30d48602d1f3327cf5cb4c0a90ae073a2be7277e8ecf2a8708f321253ef1398a83c8dc32db8211a91885e7c43a345a6d144ca98e9649119

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 11KB
MD5: e3bc0196b34c94c4b242cb5a82f71ae6
SHA1: b936f34a0c256b5fce02846dc386f715eea71da8
SHA256: 1acb93cbca042ae25181c5ccc9209d1d6d610cd01084598ce8e9f18bd2abdba0
SHA512: 646249afb70fbc1512f2ffbc770e16192fa1405f2082238074f8c24d492b9de923fd56406afc77e1470d557f955df42d8e511a0d6b504e15166c301bb9c23e9c

Filesize: 11KB
MD5: 6999bfa47112d0edf00e321fa6c52f39
SHA1: 8c533507a20906b821bd360043bb8dda6f28741f
SHA256: 34da7e794e2f6b100a201c896a5952926131c834a64f772bb8da25e855927437
SHA512: 672c6f5faf6b5fe952476ddd177e83369afbd91e5281cde47d0fd5903fe4ca0a53dce0b09d110721b3f9dbf54d1c607925c5299f5ba7b9d4a7bcda2769daeb64

Filesize: 11KB
MD5: 5d868000918f3daf9594e43ac27b5741
SHA1: 9c4c39736bde01eab066e3f7ecb2873569eb4a4a
SHA256: 07abca70a8bc5be339ef7fc363a8d7200203b61fa2ef9c007d0598aabe889d1d
SHA512: a7ffa28041b0f5af8945cc07a8eba332d9256fd604952c79caa13720c8a552178fd545b5add6ab6dbc176dbfd2bec6fcfc44440e8b7611c479c0758d38f4912c

Filesize: 1.2MB
MD5: f257a0e7008656f9e2fa44a8a14f8d0d
SHA1: 3469c35ce974b4c7f0531af5116266393779d903
SHA256: 0e99e5e385e731404a25342a226633594e160f2081bbe4c84a756186ea08a9e8
SHA512: e9d9dbadd01ebfcf4ea40d49cbacaab4ac43faaa21c7c0a173032e1382eab52bcf18bc2d26c5618cdd4d7d3642581d5d08a48330551f51617e388ac88e5622ee

Filesize: 66B
MD5: 91a932dcd7bffe18428528359af8f18f
SHA1: bee30924f7cdee4b6332c7e53726c14e0e5acf36
SHA256: 467b8610308d08ee1a4d30fd9ed93e238352b3020d19a8417c51df22eed98b3e
SHA512: 0f2e141a64a55088b078d789159fde7bf407ebcd5583528a380cde89f573b104c29045dc1dd923fff562e4bbf1f710443a2ba5d617292cbd625030bcab074fc2