skuld | hxxps://cdn[.]discordapp[.]com/attachments/1282151429091495947/1284316095909462066/hitman_pro_cleaner[.]exe?ex=66e63012&is=66e4de92&hm=58f5e507c5c932cb81c124dd0a79635bfd349657f1b2d1d54fffd523b312e7df&

Analysis

max time kernel
900s
max time network
1152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1282151429091495947/1284316095909462066/hitman_pro_cleaner.exe?ex=66e63012&is=66e4de92&hm=58f5e507c5c932cb81c124dd0a79635bfd349657f1b2d1d54fffd523b312e7df&

Score

10^/10

skuld discovery persistence stealer upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1284308524209274920/ikoVoSu3wRmliQXetlfjDeJ0If_LEtLUXWl74ye3m44Z-EW5J-32znogAKGrVj1xQJDa

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

hitman pro cleaner.exehitman pro cleaner.exehitman pro cleaner.exehitman pro cleaner.exe

pid process

5196 hitman pro cleaner.exe
5472 hitman pro cleaner.exe
5660 hitman pro cleaner.exe
5700 hitman pro cleaner.exe

pid	process
5196	hitman pro cleaner.exe
5472	hitman pro cleaner.exe
5660	hitman pro cleaner.exe
5700	hitman pro cleaner.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 977378.crdownload	upx
behavioral1/memory/5196-73-0x0000000000110000-0x000000000104B000-memory.dmp	upx
behavioral1/memory/5196-75-0x0000000000110000-0x000000000104B000-memory.dmp	upx
behavioral1/memory/5472-95-0x00000000009A0000-0x00000000018DB000-memory.dmp	upx
behavioral1/memory/5472-98-0x00000000009A0000-0x00000000018DB000-memory.dmp	upx
behavioral1/memory/5700-102-0x00000000009A0000-0x00000000018DB000-memory.dmp	upx
behavioral1/memory/5660-103-0x00000000009A0000-0x00000000018DB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hitman pro cleaner.exehitman pro cleaner.exehitman pro cleaner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	hitman pro cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	hitman pro cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	hitman pro cleaner.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 977378.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1012 msedge.exe
1012 msedge.exe
4472 msedge.exe
4472 msedge.exe
4440 identity_helper.exe
4440 identity_helper.exe
2260 msedge.exe
2260 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4472 msedge.exe
4472 msedge.exe
4472 msedge.exe
4472 msedge.exe
4472 msedge.exe
4472 msedge.exe
4472 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 977378.crdownload:SmartScreen	msedge.exe

pid	process
1012	msedge.exe
1012	msedge.exe
4472	msedge.exe
4472	msedge.exe
4440	identity_helper.exe
4440	identity_helper.exe
2260	msedge.exe
2260	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

hitman pro cleaner.exehitman pro cleaner.exehitman pro cleaner.exehitman pro cleaner.exe

description	pid	process
Token: SeDebugPrivilege	5196	hitman pro cleaner.exe
Token: SeDebugPrivilege	5472	hitman pro cleaner.exe
Token: SeDebugPrivilege	5660	hitman pro cleaner.exe
Token: SeDebugPrivilege	5700	hitman pro cleaner.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exe

pid	process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4472 wrote to memory of 712	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 712	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 2852	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1012	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1012	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4044	4472	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

5340 attrib.exe
5580 attrib.exe
5772 attrib.exe

pid	process
5340	attrib.exe
5580	attrib.exe
5772	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1282151429091495947/1284316095909462066/hitman_pro_cleaner.exe?ex=66e63012&is=66e4de92&hm=58f5e507c5c932cb81c124dd0a79635bfd349657f1b2d1d54fffd523b312e7df&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc136f46f8,0x7ffc136f4708,0x7ffc136f4718
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,17243240326163639366,12627360752088979838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Users\Admin\Downloads\hitman pro cleaner.exe
  "C:\Users\Admin\Downloads\hitman pro cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5196
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\Downloads\hitman pro cleaner.exe"
    3⤵
    - Views/modifies file attributes
    PID:5340
- C:\Users\Admin\Downloads\hitman pro cleaner.exe
  "C:\Users\Admin\Downloads\hitman pro cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5472
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\Downloads\hitman pro cleaner.exe"
    3⤵
    - Views/modifies file attributes
    PID:5580
- C:\Users\Admin\Downloads\hitman pro cleaner.exe
  "C:\Users\Admin\Downloads\hitman pro cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5660
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\Downloads\hitman pro cleaner.exe"
    3⤵
    - Views/modifies file attributes
    PID:5772
- C:\Users\Admin\Downloads\hitman pro cleaner.exe
  "C:\Users\Admin\Downloads\hitman pro cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8385b26fc64b81a0b48d5319858b6304

SHA1
6add506a00cdd096684e92f3973c84ba3ce30e22

SHA256
f6928cddfcda16da4d236e2e4ab66d531248a5375f257c67be0393fc1b0e8132

SHA512
86d19aac6ee942d029755879a8d2901f861ebbdf9b5f3974a19b6d6dd47bc562837e7b537a11bba632e495cb711ba2600929e4421e55ee347e5bd6b05ed79dec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e956f5bb8166489a17cee8f24caa4137

SHA1
0fcd23493bbaca1cedea4f4c14681a58406fe5db

SHA256
6d68f285694dde8cbc3fd7987be36ebf34f1d40df4d5a3ab3f05db116e929497

SHA512
b1ff7d2bd5c7f9ae19868b1e49aa55ae9dd70c377147fe1119d5c729b4e22ed314061032b1b38eb842eac675751d23306ed235ef6bae5b5b26f201b2423e4b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02d0b3d3a70394307ca080f6b63117fb

SHA1
9f49ad5330bf75acd60831352fef2df1cf272131

SHA256
db36d1634af241b91828cb8cffa9cba432a0e78ae25ce33d757c62a595f13f2c

SHA512
1dbc89634f34b07032ae133edb685e1b56b0d3b1b23b7a2294f88261ce00332eef6d4c34b25bdc0436f48dc9d60c89ff5ccac2144c2a6ddae8c25e3586b2b06f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8558ffbdc1e950fda5ee3c9d2b8a25f8

SHA1
deda23974c28a94a87fd8aa63aaba6bd500f5045

SHA256
fad4ec0a317e2611ab456f502de18f7ecdd750aeb8201a7a14b9d95c9562576f

SHA512
de1d536bc9ecabc686a811f343f5da347c45459d1b39f02c3d554a58aea5317bd5c1322977c4fedce2638f9e2f4b48e36b97d1fbb593f12e02e071db60138744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
520b6e470b08c2fb4d2fd6f17298ec73

SHA1
f81dda60bf4c728496968717451acb006bfc13b3

SHA256
6edf4b16294da2079e6be27029f6b6226eee61e25928391972bd431922573fb2

SHA512
15e3c7a8a23fe3518f3d9cffed56bc0a34a6c6ddfbc511f9ab996e7f9e8818945f52f5680191e94dac12526855abf30d3a4cdc6b38da4f5bd94665000a0c34ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66ccd143578a24d87bdf4f8db382bb73

SHA1
0f28603de324852fb5385e9d95f097b45854876f

SHA256
46fb544216e4a5189c3682021ca25a8293778942979f5c144f5f274d5b80b8d0

SHA512
c0bd45b8d7e8785be07efe76928f9df241423ef8b44ee035a8118828c29d200db025f0fffad0ffb8eaadceaa0ed9af7c13475ae1f0035e151f724a10d2b6c704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 977378.crdownload

Filesize
7.5MB

MD5
da56ecff09a43bb300bbdfe6325ee20b

SHA1
dba4ecdfea5b7e64381a9ba0ce8d0eee9e74510c

SHA256
d874d04dda760e71c5b24ba65007094640d479ab3376a36bcada69de54749fdb

SHA512
3b051dc73e736577433dd565098c163533ea7c9987e301aa06119ce0a805f6fb74fc04f166df614a69e80b6b1980307d092d84ffddec21bfb8664bbfd6b2bc17

Download Submit
\??\pipe\LOCAL\crashpad_4472_KOGBANXESWOZTYMM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5196-73-0x0000000000110000-0x000000000104B000-memory.dmp

Filesize
15.2MB

Download
memory/5196-75-0x0000000000110000-0x000000000104B000-memory.dmp

Filesize
15.2MB

Download
memory/5472-98-0x00000000009A0000-0x00000000018DB000-memory.dmp

Filesize
15.2MB

Download
memory/5472-95-0x00000000009A0000-0x00000000018DB000-memory.dmp

Filesize
15.2MB

Download
memory/5660-103-0x00000000009A0000-0x00000000018DB000-memory.dmp

Filesize
15.2MB

Download
memory/5700-102-0x00000000009A0000-0x00000000018DB000-memory.dmp

Filesize
15.2MB

Download