ID: 284831
Sample Name: HitmanPro_x64.exe
Cookbook: default.jbs
Time: 12:18:18
Date: 13/09/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents 2
Analysis Report HitmanPro_x64.exe 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
    Analysis Advice 5
  Startup 5
  Configuration 5
  Yara Overview 5
    Memory Dumps 5
  Sigma Overview 6
  Signature Overview 6
    Persistence and Installation Behavior: 6
    Boot Survival: 6
    Hooking and other Techniques for Hiding and Protection: 6
  Mitre Att&ck Matrix 6
  Behavior Graph 7
  Screenshots 8
    Thumbnails 8
  Antivirus, Machine Learning and Genetic Malware Detection 9
    Initial Sample 9
    Dropped Files 9
    Unpacked PE Files 9
    Domains 9
    URLs 9
  Domains and IPs 10
    Contacted Domains 10
    Contacted URLs 10
    URLs from Memory and Binaries 10
    Contacted IPs 11
      Public 11
  General Information 11
  Simulations 12
    Behavior and APIs 12
  Joe Sandbox View / Context 13
    IPs 13
    Domains 13
    ASN 13
    JA3 Fingerprints 13
    Dropped Files 13
  Created / dropped Files 13
  Static File Info 14
    General 14
    File Icon 14
  Static PE Info 14
    General 14
    Authenticode Signature 14
    Entrypoint Preview 15
    Rich Headers 16
    Data Directories 16
    Sections 16
    Resources 17
    Imports 20
    Version Infos 20
    Possible Origin 21
  Network Behavior 21
    Network Port Distribution 21
    TCP Packets 21
    UDP Packets 23
    DNS Queries 23
    DNS Answers 23
    HTTP Request Dependency Graph 23
    HTTP Packets 24
  Code Manipulations 25
  Statistics 25
  System Behavior 25
    Analysis Process: HitmanPro_x64.exe PID: 6760 Parent PID: 5732 25
      General 25
      File Activities 25
        File Created 25
        File Deleted 25
        File Written 26
        File Read 27
      Registry Activities 27
        Key Created 27
        Key Value Created 27
  Disassembly 27
    Code Analysis 27

Copyright null 2020 Page 2 of 27

Analysis Report HitmanPro_x64.exe

Overview

General Information

Sample Name: HitmanPro_x64.exe
Analysis ID: 284831
MD5: aaa78858180664…
SHA1: 81e4f3285715f74…
SHA256: cb1e8b96648330…

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to infect the b…
Hides that the sample has been dow…
Contains functionality to call native f…
Contains functionality to check if a d…
Contains functionality to check the p…
Contains functionality to communica…
Contains functionality to enumerate …
Contains functionality to query locale …
Contains functionality which may be…
Detected potential crypto function
Found potential string decryption / a…
HTTP GET or POST without a user …
May infect USB drives
May sleep (evasive loops) to hinder …
May use bcdedit to modify the Wind…
PE file contains an invalid checksum
PE file contains executable resource…
PE file contains strange resources
Sample file is different than original …
Tries to load missing DLLs
Yara signature match

Classification

Radar chart (not reproduced); categories: Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: clean, suspicious, malicious.

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64
HitmanPro_x64.exe (PID: 6760, cmdline: 'C:\Users\user\Desktop\HitmanPro_x64.exe', MD5: AAA7885818066476AB337A1CBBD427D9)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.484922913.00007FF75024F000.00000002.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | 0x74cc:$xo1: \xBA\x86\x87\x9D\xCE\x9E\x9C\x81\x89\x9C\x8F\x83\xCE\x8D\x8F\x80\x80\x81\x9A\xCE\x8C\x8B\xCE\x9C\x9B\x80\xCE\x87\x80\xCE\xAA\xA1\xBD\xCE\x83\x81\x8A\x8B; 0xa2cc:$xo1: \xBA\x86\x87\x9D\xCE\x9E\x9C\x81\x89\x9C\x8F\x83\xCE\x8D\x8F\x80\x80\x81\x9A\xCE\x8C\x8B\xCE\x9C\x9B\x80\xCE\x87\x80\xCE\xAA\xA1\xBD\xCE\x83\x81\x8A\x8B
00000000.00000000.204838234.00007FF75024F000.00000002.00020000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | 0x74cc:$xo1: \xBA\x86\x87\x9D\xCE\x9E\x9C\x81\x89\x9C\x8F\x83\xCE\x8D\x8F\x80\x80\x81\x9A\xCE\x8C\x8B\xCE\x9C\x9B\x80\xCE\x87\x80\xCE\xAA\xA1\xBD\xCE\x83\x81\x8A\x8B; 0xa2cc:$xo1: \xBA\x86\x87\x9D\xCE\x9E\x9C\x81\x89\x9C\x8F\x83\xCE\x8D\x8F\x80\x80\x81\x9A\xCE\x8C\x8B\xCE\x9C\x9B\x80\xCE\x87\x80\xCE\xAA\xA1\xBD\xCE\x83\x81\x8A\x8B

Sigma Overview

No Sigma rule has matched

Signature Overview

• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Boot Survival:

Contains functionality to infect the boot sector

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Mitre Att&ck Matrix

Techniques matched by this analysis, grouped by tactic column (counts as reported in the matrix; the unmatched template entries of the full matrix are omitted):

Initial Access: Replication Through Removable Media 1
Execution: Command and Scripting Interpreter 2
Persistence: Bootkit 1 1; DLL Side-Loading 1
Privilege Escalation: Process Injection 1 2; DLL Side-Loading 1
Defense Evasion: Virtualization/Sandbox Evasion 1; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Hidden Files and Directories 1; Obfuscated Files or Information 1; Bootkit 1 1; DLL Side-Loading 1
Credential Access: none matched
Discovery: System Time Discovery 1; Security Software Discovery 4 1; Virtualization/Sandbox Evasion 1; Process Discovery 3; Peripheral Device Discovery 1; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 1 4
Lateral Movement: Replication Through Removable Media 1
Collection: Archive Collected Data 1
Exfiltration: Exfiltration Over Other Network Medium 1
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 2
Network Effects: none matched

Behavior Graph

Rendered graph not reproduced; information recoverable from it:

Behavior Graph ID: 284831
Sample: HitmanPro_x64.exe
Startdate: 13/09/2020
Architecture: WINDOWS
Score: 36
Process node: HitmanPro_x64.exe (started), annotated with counts 4 and 2 (created files and created registry values)
Network nodes: cloud.hitmanpro.com (87.249.108.117, ports 49719, 80; EQUINIX-NL-ASNNL; Netherlands); files.surfright.nl (185.105.204.28, ports 49718, 80; ASTRALUSNL; Netherlands)
Signatures shown: Hides that the sample has been downloaded from the Internet (zone.identifier); Contains functionality to infect the boot sector
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
HitmanPro_x64.exe | 1% | Virustotal | | Browse
HitmanPro_x64.exe | 3% | Metadefender | | Browse
HitmanPro_x64.exe | 3% | ReversingLabs | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
activate.hitmanpro.nl/activaterequest.aspxHitmanPro.licProductCodeComputerversion= | 0% | Avira URL Cloud | safe |
activate.hitmanpro.nl/activaterequest.aspx | 0% | Virustotal | | Browse
activate.hitmanpro.nl/activaterequest.aspx | 0% | Avira URL Cloud | safe |
www.surfright.com/hitmanpro | 0% | Virustotal | | Browse
www.surfright.com/hitmanpro | 0% | Avira URL Cloud | safe |
www.hitmanpro.com0 | 0% | Avira URL Cloud | safe |
www.surfright.nlD | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cloud.hitmanpro.com | 87.249.108.117 | true | false | | high
files.surfright.nl | 185.105.204.28 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
cloud.hitmanpro.com/banner.aspx?lc=en&v=3.8.18.312&c=&lic=free | false | | high
files.surfright.nl/banners/HitmanPro-Alert-Banner.png | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
dl.surfright.nl/QuickSupport.exe | HitmanPro_x64.exe | false | | high
www.hitmanpro.com/kickstart | HitmanPro_x64.exe | false | | high
https://www.hitmanpro.com/en-us/buy-now.aspx?cmp=701j0000001noQUAAYLogicalDisk%s | HitmanPro_x64.exe | false | | high
files.surfright.nl/HitmanPro_x64.exeThe | HitmanPro_x64.exe | false | | high
files.surfright.nl:80/banners/HitmanPro-Alert-Banner.png | HitmanPro_x64.exe, 00000000.00000003.337706116.000002218864C000.00000004.00000001.sdmp | false | | high
https://waes.surfright.nl/HitmanPro_x64.exe | HitmanPro_x64.exe, 00000000.00000003.337846644.0000022186336000.00000004.00000001.sdmp | false | | high
https://www.hitmanpro.com/en-us/alert.aspx?cmp=37808 | HitmanPro_x64.exe, 00000000.00000003.337895578.000002218633A000.00000004.00000001.sdmp, HitmanPro_x64.exe, 00000000.00000003.337819047.00000221862EF000.00000004.00000001.sdmp | false | | high
files.surfright.nl/ | HitmanPro_x64.exe, 00000000.00000002.478789459.00000221885F6000.00000004.00000001.sdmp | false | | high
www.surfright.nl/downloads/#x64Display | HitmanPro_x64.exe | false | | high
cloud.hitmanpro.com/banner.aspx?lc=en&v=3.8.18.312&c=&lic=freekv | HitmanPro_x64.exe, 00000000.00000003.337895578.000002218633A000.00000004.00000001.sdmp | false | | high
dl.surfright.nl/QuickSupport.exeQuickSupport.exeErrors/WinSta0 | HitmanPro_x64.exe | false | | high
activate.hitmanpro.nl/activaterequest.aspxHitmanPro.licProductCodeComputerversion= | HitmanPro_x64.exe | false | Avira URL Cloud: safe | unknown
https://www.virustotal.com/#/join-usLabels/InvalidApiKeyLabels/EwsDefaultLabels/EwsEnable | HitmanPro_x64.exe | false | | high
activate.hitmanpro.nl/activaterequest.aspx | HitmanPro_x64.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.surfright.nl/downloads/#x64 | HitmanPro_x64.exe | false | | high
dl.surfright.nl/custom/ | HitmanPro_x64.exe | false | | high
files.surfright.nl/HitmanPro_x64.exe | HitmanPro_x64.exe, HitmanPro_x64.exe, 00000000.00000003.337819047.00000221862EF000.00000004.00000001.sdmp | false | | high
www.surfright.com/hitmanpro | HitmanPro_x64.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
www.hitmanpro.com/kickstart#boot | HitmanPro_x64.exe | false | | high
https://www.hitmanpro.com/en-us/buy-now.aspx?cmp=701j0000001noQUAAY | HitmanPro_x64.exe | false | | high
www.hitmanpro.com/kickstart#boot%I64u%sMBKickstart/Warning2Kickstart/Warning1InitKickstart/Su | HitmanPro_x64.exe | false | | high
www.surfright.nl/support/fix-2286198Failed | HitmanPro_x64.exe | false | | high
twitter.com/# | HitmanPro_x64.exe | false | | high
www.hitmanpro.com0 | HitmanPro_x64.exe | false | Avira URL Cloud: safe | unknown
www.surfright.nlD | HitmanPro_x64.exe | false | Avira URL Cloud: safe | unknown
files.surfright.nl/banners/HitmanPro-Alert-Banner.png%~T | HitmanPro_x64.exe, 00000000.00000003.337912546.0000022186349000.00000004.00000001.sdmp | false | | high
files.surfright.nl/HitmanPro.exe | HitmanPro_x64.exe | false | | high
files.surfright.nl/banners/HitmanPro-Alert-Banner.png. | HitmanPro_x64.exe, 00000000.00000003.337819047.00000221862EF000.00000004.00000001.sdmp | false | | high
https://www.virustotal.com/vtapi/v2/file/scanresponse_codecontent-type: | HitmanPro_x64.exe | false | | high
https://www.virustotal.com/vtapi/v2/file/report | HitmanPro_x64.exe | false | | high
dl.surfright.nl/custom/%sp | HitmanPro_x64.exe | false | | high
www.akamai.com | HitmanPro_x64.exe | false | | high
cloud.hitmanpro.com/banner.aspx?lc=en&v=3.8.18.312&c=&lic=freeOy | HitmanPro_x64.exe, 00000000.00000003.337912546.0000022186349000.00000004.00000001.sdmp | false | | high
www.surfright.nl | HitmanPro_x64.exe | false | | high

Contacted IPs


Public

IP | Country | Flag | ASN | ASN Name | Malicious
185.105.204.28 | Netherlands | | 48635 | ASTRALUSNL | false
87.249.108.117 | Netherlands | | 47886 | EQUINIX-NL-ASNNL | false

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 284831
Start date: 13.09.2020
Start time: 12:18:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 12s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: HitmanPro_x64.exe
Cookbook file name: default.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus36.evad.winEXE@1/1@2/2
EGA Information: Failed
HDC Information: Successful, ratio: 0.2% (good quality ratio 0.2%); Quality average: 19%; Quality standard deviation: 13.9%
HCA Information: Successful, ratio: 68%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 52.158.208.111, 52.184.221.185, 51.11.168.160, 52.164.221.179, 23.10.249.43, 23.10.249.26, 23.54.113.104, 93.184.221.240
  Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net
  Report size exceeded maximum capacity and may have missing disassembly code.
  Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
12:19:10 | API Interceptor | 2x Sleep call for process: HitmanPro_x64.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
ASTRALUSNL | Kq21EkXP3r.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | S2L8241Q0T.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | tXKf9mHIxT.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | ZZj2IGrdIz.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | qZ3q6C0Y82.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | Qif7o8fkpW.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | cxYL9xIMPS.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | xe98CG6cWm.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | IWNcNl1UAB.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | NvSZ0w8NSY.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | 5gCWItLYpt.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | DUTm7CTPMZ.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | YnR0V7kdMa.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | mGpjZM0XQT.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | 49OsP7Y21j.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | kkAJqa4IzQ.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | pw3PSD27Wv.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | Nb3lPt7rvs.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | xOcgMeuyfc.doc | Get hash | malicious | Browse | 185.182.59.33
ASTRALUSNL | AQ3tOqILUq.doc | Get hash | malicious | Browse | 185.182.59.33

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\HitmanPro\Banner.bin
Process: C:\Users\user\Desktop\HitmanPro_x64.exe
File Type: PNG image data, 704 x 252, 8-bit/color RGB, non-interlaced
Size (bytes): 77424
Entropy (8bit): 7.984125714528784
Encrypted: false
MD5: F79F2071422CCF62A8FCBF6AF0236294
SHA1: 0C787653D99D1A3DCA460431E60A75CB2FCCCD4D
SHA-256: 391CA5066623A5EAE271D2374611217A3EC4F197357D98C9B1956D37175F657A
SHA-512: 2DE734B2CBD49CF952DB1E9F4BCE12F73338BBF687E171D64F9125C24560A444E51094D8E31757C52801C73BA48542B32D08D26E342BAFF700BEF4EF0C32AF97
Malicious: false
Reputation: low
Preview: .PNG...... IHDR...... j.G....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..}...U.v..../a..eH\.A..#... .3...g.....P$...... F.qfD....G.D....x..{..'.M.l.(3..

Static File Info

General

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.181243024962871
TrID: Win64 Executable GUI (202006/5) 53.71%; Windows ActiveX control (116523/4) 30.98%; Win32 EXE PECompact compressed (generic) (41571/9) 11.05%; Win64 Executable (generic) (12005/4) 3.19%; Generic Win/DOS Executable (2004/3) 0.53%
File name: HitmanPro_x64.exe
File size: 11429976
MD5: aaa7885818066476ab337a1cbbd427d9
SHA1: 81e4f3285715f74ae4cda178b9015ec6f495b389
SHA256: cb1e8b96648330e188c3a2b0f5c599d1b45fd916fab761244efab8e25ce457b0
SHA512: dbef7db9e4809c27f54acf9878a9ba56b169d809838d06cbc5f23f3eb1b2db3d55c73cb1505e78845c70a1586f65690ae16bda194e44fc9d423f6dfe46e4b258
SSDEEP: 196608:q03K9asPrT5JzE7I4Tczr8Pu8WgLiZ2Mf7N/c/C:z3casPrTDE7czr8PL/Lib7N/SC
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ]6!..WO. .WO..WO._....WO._....VO../...WO..WO..WO._...GWO../.. .WO../...WO../...WO..WN.6UO...... VO...... WO..W...WO...... WO.Rich.WO

File Icon

Icon Hash: f0e8ccd2dedc98d0

Static PE Info

General

Entrypoint: 0x1402bc9a8
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5E7876DD [Mon Mar 23 08:44:13 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: 56ba0ac689587fa38a8c95ee361835e9

Authenticode Signature

Signature Valid: true

Signature Issuer: CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 1/6/2020 4:00:00 PM, 2/18/2021 4:00:00 AM
Subject Chain: CN=SurfRight B.V., O=SurfRight B.V., L=Hengelo, C=NL
Version: 3
Thumbprint MD5: A181CE179A724E854CAA80392AB7B18B
Thumbprint SHA-1: DA8D1A698FF1FF6163DB8960A7EF274518697987
Thumbprint SHA-256: 2115EC0526B0E08A371C91E9DD34BC748523994546A9771A57C1F14C336ECA97
Serial: 06F0CC431E71C7675C8DD6EBB9ADD13A

Entrypoint Preview

Instruction listing as reported by the sandbox (the repeated "dec eax" / "dec esp" entries are the 0x48 / 0x4C REX prefix bytes of this x86-64 code decoded as 32-bit instructions):

dec eax
sub esp, 28h
call 00007F3E6C72D7D0h
dec eax
add esp, 28h
jmp 00007F3E6C71E97Bh
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec eax
mov ebx, edx
dec eax
mov edi, ecx
dec eax
test ecx, ecx
jne 00007F3E6C71EB4Ch
dec eax
mov ecx, edx
call 00007F3E6C718D07h
jmp 00007F3E6C71EBACh
dec eax
test edx, edx
jne 00007F3E6C71EB49h
call 00007F3E6C718CBBh
jmp 00007F3E6C71EB9Eh
dec eax
cmp edx, FFFFFFE0h
jnbe 00007F3E6C71EB85h
dec eax
mov ecx, dword ptr [0016A497h]
mov eax, 00000001h
dec eax
test ebx, ebx
dec eax
cmove ebx, eax
dec esp
mov eax, edi
xor edx, edx
dec esp
mov ecx, ebx
call dword ptr [000427E5h]
dec eax
mov esi, eax
dec eax
test eax, eax
jne 00007F3E6C71EBB1h
cmp dword ptr [0016AAB7h], eax
je 00007F3E6C71EB92h
dec eax
mov ecx, ebx
call 00007F3E6C724696h
test eax, eax
je 00007F3E6C71EB6Dh
dec eax
cmp ebx, FFFFFFE0h
jbe 00007F3E6C71EAFFh
dec eax
mov ecx, ebx
call 00007F3E6C724684h
call 00007F3E6C71FF17h
mov dword ptr [eax], 0000000Ch
xor eax, eax
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
ret
call 00007F3E6C71FEFAh
dec eax
mov ebx, eax
call dword ptr [000425A0h]
mov ecx, eax
call 00007F3E6C71FF0Ah

Rich Headers

Programming Language:
[LNK] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40f940 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44a000 | 0x683328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x42c000 | 0x1d214 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xac9e00 | 0x1ca58 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xace000 | 0x4e94 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2ff940 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x389720 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2ff000 | 0x768 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x40cc80 | 0x2a0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2fdbde | 0x2fdc00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2ff000 | 0x112230 | 0x112400 | False | 0.398892398302 | data | 5.29948483452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x412000 | 0x198e0 | 0x14200 | False | 0.204192546584 | data | 4.82129746341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x42c000 | 0x1d214 | 0x1d400 | False | 0.491920405983 | data | 6.32523727091 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x44a000 | 0x683328 | 0x683400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xace000 | 0x4e94 | 0x5000 | False | 0.200244140625 | data | 5.43698113953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country RT_ICON 0x93a068 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x93a4d0 0x988 data RT_ICON 0x93ae58 0x10a8 dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 6799083, next used block 7587311 RT_ICON 0x93bf00 0x25a8 dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 RT_ICON 0x93e4a8 0x8e9d PNG image data, 256 x 256, 8-bit/color RGBA, non- interlaced RT_ICON 0x947398 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x947818 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x947c98 0x300 data RT_ICON 0x947fb0 0x300 data RT_ICON 0x9482c8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x948748 0x580 data RT_ICON 0x948ce0 0x580 data RT_ICON 0x949278 0x8dc data RT_ICON 0x949b70 0x8dc data RT_ICON 0x94a468 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94a8e8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94ad68 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94b1e8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94b668 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94bae8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94bf68 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94c3e8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94c868 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94cce8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94d168 0x10a8 data RT_ICON 0x94e228 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94e6a8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94eb28 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94efa8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94f428 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94f8a8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x94fd28 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x9501a8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x950628 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x950aa8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x950f28 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x9513a8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x951828 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x951ca8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x952128 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x9525a8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x952a28 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x952ea8 
0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x953328 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x9537a8 0x10828 dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 RT_ICON 0x963fd0 0x25a8 data RT_ICON 0x966578 0x10a8 data

Copyright null 2020 Page 17 of 27 Name RVA Size Type Language Country RT_ICON 0x967620 0x988 data RT_ICON 0x967fa8 0x468 GLS_BINARY_LSB_FIRST RT_ICON 0x968460 0x4228 dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 RT_ICON 0x96c6a0 0x988 data RT_ICON 0x96d040 0x10a8 data RT_RCDATA 0x8b9560 0x30c ASCII text, with CRLF line terminators RT_RCDATA 0x8c98a0 0x981b PNG image data, 704 x 485, 8-bit/color RGB, non- interlaced RT_RCDATA 0x8d30c0 0x6cf9 PNG image data, 704 x 485, 8-bit/color RGBA, non- interlaced RT_RCDATA 0x8d9dc0 0x42dd PNG image data, 704 x 485, 8-bit/color RGBA, non- interlaced RT_RCDATA 0x8de7a8 0x11c5 PNG image data, 98 x 34, 8-bit/color RGBA, non- interlaced RT_RCDATA 0x8de0a0 0x708 PNG image data, 22 x 22, 8-bit/color RGBA, non- interlaced RT_RCDATA 0x8df970 0x5a6f7 PNG image data, 2264 x 150, 8-bit/color RGBA, non-interlaced RT_RCDATA 0x44e1b0 0xe180 PE32+ executable (DLL) (native) x86-64, for MS Windows RT_RCDATA 0x81edd0 0x3248 PE32 executable (native) Intel 80386, for MS Windows RT_RCDATA 0x874798 0x2fbf0 PE32+ executable (DLL) (GUI) x86-64, for MS Windows RT_RCDATA 0x8a4388 0x188 data RT_RCDATA 0x822018 0x27a58 PE32+ executable (GUI) x86-64, for MS Windows RT_RCDATA 0x849a70 0x2ad28 PE32+ executable (DLL) (GUI) x86-64, for MS Windows RT_RCDATA 0x45c330 0x3c2aa0 data RT_RCDATA 0x8a4510 0x7043 ASCII text, with CRLF line terminators RT_RCDATA 0x8ab558 0x1d30 ASCII text, with CRLF line terminators RT_RCDATA 0x8ad288 0x2273 ASCII text, with CRLF line terminators RT_RCDATA 0x8af500 0xa05d UTF-8 Unicode (with BOM) text, with CRLF line terminators RT_RCDATA 0x8b9870 0x29b8 ASCII text, with CRLF line terminators RT_RCDATA 0x8bc228 0x200 DOS/MBR boot sector MS-MBR XP english at offset 0x12c "Invalid partition table" at offset 0x144 "Error loading operating system" at offset 0x163 "Missing operating system", disk signature 0x123c123b RT_RCDATA 0x8bc428 0x200 
DOS/MBR boot sector MS-MBR Vista english at offset 0x162 "Invalid partition table" at offset 0x17a "Error loading operating system" at offset 0x199 "Missing operating system", disk signature 0xfa40f735 RT_RCDATA 0x8bc628 0x200 DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system" RT_RCDATA 0x8bc828 0x49 data RT_RCDATA 0x8bc878 0x6000 data RT_RCDATA 0x8c2878 0x6e00 data RT_RCDATA 0x44c1b0 0x2000 data RT_RCDATA 0x9750f0 0x6969 XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators RT_RCDATA 0x96e100 0x6fea XML 1.0 document, ISO-8859 text, with very long lines, with CRLF line terminators RT_RCDATA 0x97ba60 0x77aa XML 1.0 document, Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators RT_RCDATA 0x98f688 0x751e XML 1.0 document, ISO-8859 text, with very long lines, with CRLF line terminators RT_RCDATA 0x996ba8 0x67f0 XML 1.0 document, Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators RT_RCDATA 0x99d398 0x6f4c XML 1.0 document, ISO-8859 text, with very long lines, with CRLF line terminators RT_RCDATA 0x9a42e8 0x7461 XML 1.0 document, ISO-8859 text, with very long lines, with CRLF line terminators RT_RCDATA 0x9ab750 0xdc92 XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators RT_RCDATA 0x9b93e8 0xd5f6 XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators

RT_RCDATA  0x9c69e0  0xcfba  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0x9d39a0  0xda24  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0x9e13c8  0xd9e4  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0x9eedb0  0x7173  XML 1.0 document, ISO-8859 text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa03860  0xe376  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa11bd8  0xcf88  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa1eb60  0xd914  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa2c478  0x6dd4  XML 1.0 document, ISO-8859 text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa33250  0xce1a  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa40070  0xd750  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa4d7c0  0xb0ae  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa58870  0x873e  XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
RT_RCDATA  0xa60fb0  0xe11e  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa6f0d0  0x6dea  XML 1.0 document, ISO-8859 text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa75ec0  0xdcfc  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
RT_RCDATA  0xa83bc0  0xdd26  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa918e8  0xd758  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xa9f040  0xda04  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0x9f5f28  0xd934  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xaaca48  0xd7d8  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
RT_RCDATA  0xaba220  0xd814  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
RT_RCDATA  0x983210  0xc472  XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
RT_RCDATA  0xaca7b0  0x2735  Rich Text Format data, version 1, ANSI
RT_RCDATA  0xac7a38  0x2d71  Rich Text Format data, version 1, ANSI
RT_RCDATA  0x8c9678  0xa  ASCII text, with no line terminators
RT_RCDATA  0x8c9688  0xc8  data
RT_RCDATA  0x8c9750  0x150  data
RT_GROUP_ICON  0x947348  0x4c  data
RT_GROUP_ICON  0x947800  0x14  data
RT_GROUP_ICON  0x947c80  0x14  data
RT_GROUP_ICON  0x948730  0x14  data
RT_GROUP_ICON  0x94ccd0  0x14  data
RT_GROUP_ICON  0x947f98  0x14  data
RT_GROUP_ICON  0x9482b0  0x14  data
RT_GROUP_ICON  0x948cc8  0x14  data
RT_GROUP_ICON  0x949260  0x14  data
RT_GROUP_ICON  0x949b58  0x14  data
RT_GROUP_ICON  0x94a450  0x14  data
RT_GROUP_ICON  0x94e690  0x14  data
RT_GROUP_ICON  0x94eb10  0x14  data
RT_GROUP_ICON  0x94ef90  0x14  data
RT_GROUP_ICON  0x94f410  0x14  data
RT_GROUP_ICON  0x94f890  0x14  data
RT_GROUP_ICON  0x94fd10  0x14  data
RT_GROUP_ICON  0x94c3d0  0x14  data
RT_GROUP_ICON  0x94bad0  0x14  data

RT_GROUP_ICON  0x94bf50  0x14  data
RT_GROUP_ICON  0x952e90  0x14  data
RT_GROUP_ICON  0x953310  0x14  data
RT_GROUP_ICON  0x953790  0x14  data
RT_GROUP_ICON  0x96c688  0x14  data
RT_GROUP_ICON  0x968410  0x4c  data
RT_GROUP_ICON  0x96d028  0x14  data
RT_GROUP_ICON  0x94d150  0x14  data
RT_GROUP_ICON  0x96e0e8  0x14  data
RT_GROUP_ICON  0x94b1d0  0x14  data
RT_GROUP_ICON  0x94a8d0  0x14  data
RT_GROUP_ICON  0x94ad50  0x14  data
RT_GROUP_ICON  0x94b650  0x14  data
RT_GROUP_ICON  0x950190  0x14  data
RT_GROUP_ICON  0x950610  0x14  data
RT_GROUP_ICON  0x950a90  0x14  data
RT_GROUP_ICON  0x950f10  0x14  data
RT_GROUP_ICON  0x951390  0x14  data
RT_GROUP_ICON  0x951810  0x14  data
RT_GROUP_ICON  0x951c90  0x14  data
RT_GROUP_ICON  0x952110  0x14  data
RT_GROUP_ICON  0x952590  0x14  data
RT_GROUP_ICON  0x952a10  0x14  data
RT_GROUP_ICON  0x94e210  0x14  data
RT_GROUP_ICON  0x94c850  0x14  data
RT_VERSION  0x44beb0  0x2fc  data
RT_MANIFEST  0xaccee8  0x43b  XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators  English  United States

Imports

DLL  Import
KERNEL32.dll  GetModuleHandleW, GetLastError, WaitForMultipleObjects, CreateEventW, CloseHandle, SetEvent, ResetEvent, WaitForSingleObject, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, CreateThread, SignalObjectAndWait, TerminateThread, Sleep, VirtualAlloc, VirtualFree, OpenProcess, VirtualQueryEx, WaitForSingleObjectEx, CreateWaitableTimerW, SetWaitableTimer, GetVersion, LocalAlloc, LocalFree, GetProcAddress, GlobalMemoryStatus, FreeLibrary, Heap32ListNext, Heap32Next, QueryPerformanceCounter, Heap32First, Heap32ListFirst, GetTickCount, GetSystemTimeAsFileTime, Thread32First, Thread32Next, VirtualUnlock, LoadLibraryA, Process32FirstW, VirtualLock, Module32FirstW, GetSystemInfo, Process32NextW, CreateToolhelp32Snapshot, GetCurrentThreadId, Module32NextW, GetCurrentProcessId, QueryPerformanceFrequency, SetThreadPriority, GetCurrentThread, LocalFileTimeToFileTime, FileTimeToSystemTime, GetSystemDirectoryW, GetWindowsDirectoryW, CreateFileW, DeviceIoControl, GetFileInformationByHandle, GetModuleHandleA, GetProcessHeap, HeapFree, HeapAlloc, HeapReAlloc, SystemTimeToFileTime, CompareFileTime, GetLocalTime, FindResourceW, SizeofResource, LoadResource, LockResource, FreeResource, OutputDebugStringW, WriteFile, ReadFile, PeekNamedPipe, WaitNamedPipeW, GetCalendarInfoW, SetLastError, GetFileSizeEx, FormatMessageW, FileTimeToLocalFileTime, GetLocaleInfoW, TryEnterCriticalSection, GetTempPathW, RemoveDirectoryW, FindFirstFileW, FindClose, FindNextFileW, GetFileAttributesW, GetCurrentProcess, RegisterWaitForSingleObject, UnregisterWaitEx, FlushFileBuffers, DisconnectNamedPipe, GetOverlappedResult, GetComputerNameW, GetFileAttributesExW, GetFileTime, SetFileTime, VerifyVersionInfoW, VerSetConditionMask, ResumeThread, GetCommandLineW, CreateProcessW, ConvertDefaultLocale, GetLogicalDriveStringsW, QueryDosDeviceW, SetThreadAffinityMask, DeleteFileW, GetModuleFileNameW, SetErrorMode, GetStdHandle, GetDriveTypeW, GetVolumeInformationW, GetFileSize, SetFileAttributesW, CopyFileW, TerminateProcess, GetNumberFormatW, GetVersionExW, WTSGetActiveConsoleSessionId, ProcessIdToSessionId, GetProcessTimes, LoadLibraryW, GlobalAlloc, OpenEventW, AllocConsole, LoadLibraryExW, MultiByteToWideChar, SetUnhandledExceptionFilter, VirtualProtect, VirtualQuery, OpenThread, SuspendThread, GetThreadContext, SetThreadContext, SearchPathW, GetSystemDirectoryA, LoadLibraryExA, DuplicateHandle, CreateSemaphoreW, ReleaseSemaphore, GetEnvironmentVariableW, WideCharToMultiByte, GetSystemWow64DirectoryW, GetSystemTime, GetExitCodeProcess, CreateHardLinkW, InitializeCriticalSectionAndSpinCount, RaiseException, DecodePointer, GetVolumeInformationA, ExpandEnvironmentStringsW, SetHandleInformation, CreateNamedPipeW, ConnectNamedPipe, GetThreadPriority, GetLongPathNameW, VirtualAllocEx, ReadProcessMemory, VirtualFreeEx, MoveFileW, GetCurrentDirectoryW, GetCurrentDirectoryA, GlobalFree, SetEndOfFile, SetFilePointerEx, FormatMessageA, GetFullPathNameW, GetFullPathNameA, CreateFileA, CreateMutexW, HeapCompact, SetFilePointer, MapViewOfFile, UnmapViewOfFile, UnlockFile, LockFile, UnlockFileEx, HeapDestroy, GetFileAttributesA, HeapCreate, HeapValidate, HeapSize, LockFileEx, GetDiskFreeSpaceW, CreateFileMappingA, CreateFileMappingW, GetDiskFreeSpaceA, OutputDebugStringA, GetVersionExA, GetTempPathA, AreFileApisANSI, DeleteFileA, ExitProcess, SetNamedPipeHandleState, GetStringTypeW, EncodePointer, IsDebuggerPresent, IsProcessorFeaturePresent, GetModuleHandleExW, GetConsoleMode, ReadConsoleInputA, SetConsoleMode, GetACP, RtlUnwindEx, RtlPcToFileHeader, RtlLookupFunctionEntry, GetCPInfo, RtlCaptureContext, RtlVirtualUnwind, UnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, CompareStringW, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsValidCodePage, GetOEMCP, GetFileType, GetConsoleCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, ReadConsoleW, GetTimeZoneInformation, SetStdHandle, WriteConsoleW, SetEnvironmentVariableW, SetEnvironmentVariableA, lstrlenA

Version Infos

Description  Data
LegalCopyright  2006-2020 SurfRight, a company
InternalName  HitmanPro38
FileVersion  3, 8, 18, 312
CompanyName  SurfRight B.V.
ProductName  HitmanPro
ProductVersion  3.8.18.312
FileDescription  HitmanPro 3.8
OriginalFilename  HitmanPro.exe
Translation  0x0000 0x04b0

Possible Origin

Language of compilation system Country where language is spoken Map

English United States

Network Behavior

Network Port Distribution

Total Packets: 49 • 53 (DNS) • 80 (HTTP)

TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 13, 2020 12:19:09.927895069 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:09.932061911 CEST  49719  80  192.168.2.4  87.249.108.117
Sep 13, 2020 12:19:09.974023104 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:09.974173069 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:09.974581003 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:09.981877089 CEST  80  49719  87.249.108.117  192.168.2.4
Sep 13, 2020 12:19:09.981995106 CEST  49719  80  192.168.2.4  87.249.108.117
Sep 13, 2020 12:19:09.982309103 CEST  49719  80  192.168.2.4  87.249.108.117
Sep 13, 2020 12:19:10.024100065 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.039978027 CEST  80  49719  87.249.108.117  192.168.2.4
Sep 13, 2020 12:19:10.065584898 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.081150055 CEST  49719  80  192.168.2.4  87.249.108.117
Sep 13, 2020 12:19:10.122903109 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.169147968 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.169197083 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.169234991 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.169296026 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.169306993 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.169409037 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.215086937 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215133905 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215172052 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215208054 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215246916 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215282917 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215296030 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.215331078 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215373039 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.215374947 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.215492010 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263101101 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263187885 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263226986 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263262033 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263266087 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263303041 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263340950 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263365984 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263379097 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263427019 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263442039 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263468027 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263504028 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263537884 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263540983 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263577938 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263580084 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263613939 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263648033 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263652086 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263688087 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263717890 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.263735056 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.263806105 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.317564964 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317617893 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317656040 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317689896 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317724943 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317759037 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317775011 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.317792892 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317827940 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317886114 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.317938089 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.317967892 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.317975998 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318011999 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318044901 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318072081 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318080902 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318116903 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318159103 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318181992 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318197012 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318229914 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318239927 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318264961 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318298101 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318299055 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318331003 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318361998 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318365097 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318399906 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318417072 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318443060 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318480968 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318495989 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318514109 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318547964 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318581104 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318582058 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318615913 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318633080 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318649054 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318684101 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318715096 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:19:10.318717003 CEST  80  49718  185.105.204.28  192.168.2.4
Sep 13, 2020 12:19:10.318809032 CEST  49718  80  192.168.2.4  185.105.204.28
Sep 13, 2020 12:20:10.368211031 CEST  49719  80  192.168.2.4  87.249.108.117

UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 13, 2020 12:19:00.058700085 CEST  57199  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:00.086124897 CEST  53  57199  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:00.957366943 CEST  58963  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:00.983900070 CEST  53  58963  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:01.817234993 CEST  64705  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:01.843977928 CEST  53  64705  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:02.709395885 CEST  61585  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:02.737044096 CEST  53  61585  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:03.707639933 CEST  63540  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:03.741456985 CEST  53  63540  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:09.889734030 CEST  50757  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:09.889796019 CEST  59058  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:09.917051077 CEST  53  50757  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:09.930888891 CEST  53  59058  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:23.883682966 CEST  53809  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:23.909323931 CEST  53  53809  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:25.359307051 CEST  52224  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:25.408026934 CEST  53  52224  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:26.416493893 CEST  57637  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:26.450814962 CEST  53  57637  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:35.856462002 CEST  63419  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:35.922446966 CEST  53  63419  8.8.8.8  192.168.2.4
Sep 13, 2020 12:19:50.721412897 CEST  54357  53  192.168.2.4  8.8.8.8
Sep 13, 2020 12:19:50.748044968 CEST  53  54357  8.8.8.8  192.168.2.4

DNS Queries

Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class
Sep 13, 2020 12:19:09.889734030 CEST  192.168.2.4  8.8.8.8  0xaea9  Standard query (0)  files.surfright.nl  A (IP address)  IN (0x0001)
Sep 13, 2020 12:19:09.889796019 CEST  192.168.2.4  8.8.8.8  0x869  Standard query (0)  cloud.hitmanpro.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class
Sep 13, 2020 12:19:09.917051077 CEST  8.8.8.8  192.168.2.4  0xaea9  No error (0)  files.surfright.nl  -  185.105.204.28  A (IP address)  IN (0x0001)
Sep 13, 2020 12:19:09.930888891 CEST  8.8.8.8  192.168.2.4  0x869  No error (0)  cloud.hitmanpro.com  -  87.249.108.117  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

[Graph: cloud.hitmanpro.com, files.surfright.nl]

HTTP Packets

Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
0  192.168.2.4  49718  185.105.204.28  80  C:\Users\user\Desktop\HitmanPro_x64.exe

Timestamp  kBytes transferred  Direction  Data

Sep 13, 2020 12:19:09.974581003 CEST  73  OUT
HEAD /HitmanPro_x64.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Host: files.surfright.nl

Sep 13, 2020 12:19:10.024100065 CEST  74  IN
HTTP/1.1 200 OK
Content-Length: 11429976
Content-Type: application/octet-stream
Last-Modified: Mon, 23 Mar 2020 08:44:18 GMT
Accept-Ranges: bytes
ETag: "4ceba03def0d61:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 13 Sep 2020 10:19:08 GMT

Sep 13, 2020 12:19:10.122903109 CEST  74  OUT
GET /banners/HitmanPro-Alert-Banner.png HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Host: files.surfright.nl

Sep 13, 2020 12:19:10.169147968 CEST  76  IN
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 31 Oct 2019 13:20:55 GMT
Accept-Ranges: bytes
ETag: "d1c9e56ee8fd51:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 13 Sep 2020 10:19:08 GMT
Content-Length: 77424
Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 c0 00 00 00 fc 08 02 00 00 00 f6 6a 85 47 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 01 2e 12 49 44 41 54 78 da ec 7d 09 a0 1c 55 95 76 dd da ab b7 d7 2f 61 11 86 65 48 5c 06 41 14 82 23 bb a2 09 20 8b 33 82 01 01 67 d4 01 13 96 d9 50 24 01 7f 1c c7 05 f3 46 91 71 66 44 f2 06 f5 1f 47 b6 44 18 95 dd 3c 41 65 53 7f 02 ca 36 e3 20 41 41 51 20 c9 7b af f7 da ff 73 ee ad ae ae ad d7 d7 6f 49 52 65 1b fa 55 df ba 75 bb ba ea 9e ef 7e e7 3b e7 10 69 c9 49 1c c7 11 5e 24 82 c0 f5 b0 b9 b6 ed 3a 16 bc 71 1c 78 63 c3 7f 1c db e2 d2 6d e7 d8 c8 0e d0 63 fa 0b a5 17 7b 67 bb 39 c9 7c 9f 92 24 ee 24 6d 0f 21 ed 76 26 1d 42 92 3a 21 ed bf 7c fc bc a4 fd f8 7b 1a 79 62 3f 1d 7b e8 7c 05 48 cf d7 30 7a 05 3a 5f ae f6 27 25 9d 7f 3b d2 e7 c8 7b b9 02 24 e9 aa 44 af a1 08 ff d8 96 c1 71 06 62 02 cb e4 5c b7 fd 2d 07 30 43 62 6f 79 41 e2 79 81 83 7f 45 09 76 13 5e 70 6c 93 61 0b e8 cd b5 2d d7 71 e2 1d 60 63 5e 80 f6 d8 06 50 88 9b 4e 61 e9 74 9a 6e 29 7a 48 b7 1d ea f9 27 03 1f 4d ba 37 ee 80 5a 66 88 1e fa 1d 2e 21 b3 78 5d c9 90 ba 23 33 be 86 5c 3f e8 21 f6 a7 68 d6 2b bd 8e dc 75 1d d3 60 6f fd 37 11 78 01 c0 42 90 54 5e c3 37 00 29 1c 53 07 ac e0 e3 12 7c c3 99 d0 52 90 55 41 2e f0 82 68 35 aa 82 a4 58 7a cd b1 2d c2 f3 ed 90 47 ba a5 90 24 dd d2 2d a5 1f 66 93 7e 98 1b 23 d4 ff 97 27 b3 79 9d 49 ef e7 18 94 7e e8 0b c4 90 d9 b9 86 b3 02 65 70 13 87 76 4f 52 78 11 04 16 80 0f 88 28 89 72 86 cf ca f0 a9 6d ea 8e 65 d8 46 03 df eb 75 78 01 62 10 95 0c 40 0d 39 37 0a 1f 99 d5 69 b5 b8 07 f6 c3 3c 23 d0 18 0f 31 d3 a9 2e b5 f5 e9 96 d2 0f e9 b6 70 6f 43 32 e3 1b 78 58 a8 25 a5 1f 66 95 7e 20 71 c4 b4 d7 31 9d 87 cc 4b b2 ff 3e 81 78 e8 f1 7b f3 3c 2f 29 82 a8 08 b2 6a 23 8c a8 3b a6 ee 93 0d a2 9a 95 32 05 04 16 46 1d 1a 38 b6 49 04 ea 19 21 9c 63 59 7a 79 3b 8a 2d d2 6d 07 03 10 a9 4d 4b 01 44 8a 97 17 e0 58 e6 46 fd c0 75 d3 1c f4 7c 5e d2 17 13 d0 de 5e 92 de 7a e8 e9 0a cc 5c fd c0 f5 20 5c 68 7f 0d 07 f8 ed 66 ae 7e 48 04 10 c2 fe cb 79 41 44 0b 4f f5 0d 84 17 e0 4f 58 fa 77 bd 0d 79 01 db 83 b1 6f 62 0b 9d fe 69 21 83 d0 51 4b 01 88 44 90 54 00 0a d0 c6 d2 6b 00 1a e0 08 38 a9 52 d8 0d b0 85 20 22 5e 71 2c 83 fa 44 3c ec 62 54 26 91 ba 48 b7 1d 69 0a 4b 6d da 1c 5e cc f4 62 ef a0 37 e7 8e 25 9f 1c dc 08 75 83 20 fd a2 07 ae 47 f1 20 d7 83 90 73 6e e5 93 fd 9e 94 cc 3b f2 eb 74 0d 89 b4 e4 a4 99 c6 53 34 c5 95 3c d2 06 84 88 32 fc c3 34 10 2e 6c 96 01 dd 3a a8 9a 74 62 10 44 e4 25 45 54 32 f0 9e c9 20 94 dc a8 51 9b 86 c3 a5 cc 08 00 11 5b af 89 6a 8e 9e 81 00 80 d0 2b 93 9d 34 9e e9 96 d2 0f 29 fd 90 6e 29 fd 90 d2 0f 7d 40 99 19 d3 0f dc 60 e1 27 bd 9d 77 61 d3 0f 5c 2f 2e 8c 19 dc ab 9e ac 12 59 0d 31 59 56 e9 35 e4 79 00 0a 82 ac 02 68 80 66 66 6d da d2 eb ea c8 ee 08 1c f0 22 12 38 50 10 65 40 23 7a 79 db c0 6e 94 74 4b e9 87 94 7e 48 b7 94 7e 48 e9 87 79 a3 1f b8 81 a3 37 7b 40 2d ed be 3e d7 97 27 a5 4d d0 6c 1b 28 33 9b 00 22 b6 31 59 a5 20 2a a8 ab 08 ca 2a 03 0d a4 ec 88 20 29 f0 91 55 af 48 99 02 52 23 3c 8f e0 c3 32 78 ca 6d 58 46 dd 28 4f a6 b3 60 4a 3f a4 bf 50 7a b1 53 fa 61 46 e7 9b 23 23 94 d2 0f 3b 27 fd 30 d7 00 22 f2 6d 31 98 93 82 09 f4 71 98 3a 13 43 c0 27 82 a2 29 b9 51 c0
Data Ascii: PNGIHDRjGtEXtSoftwareAdobe ImageReadyqe<.IDATx}Uv/aeH\A# 3gP$FqfDGDx{'Ml(3"1Y ** )UHR#<2xmXF(O`J?PzSaF##;'0"m1q:C')Q

Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
1  192.168.2.4  49719  87.249.108.117  80  C:\Users\user\Desktop\HitmanPro_x64.exe

Timestamp  kBytes transferred  Direction  Data

Sep 13, 2020 12:19:09.982309103 CEST  73  OUT
GET /banner.aspx?lc=en&v=3.8.18.312&c=&lic=free HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Host: cloud.hitmanpro.com

Sep 13, 2020 12:19:10.039978027 CEST  74  IN
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 132
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
Date: Sun, 13 Sep 2020 10:19:18 GMT
Data Raw: 48 69 74 6d 61 6e 50 72 6f 41 6c 65 72 74 0d 0a 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 69 74 6d 61 6e 70 72 6f 2e 63 6f 6d 2f 65 6e 2d 75 73 2f 61 6c 65 72 74 2e 61 73 70 78 3f 63 6d 70 3d 33 37 38 30 38 0d 0a 68 74 74 70 3a 2f 2f 66 69 6c 65 73 2e 73 75 72 66 72 69 67 68 74 2e 6e 6c 2f 62 61 6e 6e 65 72 73 2f 48 69 74 6d 61 6e 50 72 6f 2d 41 6c 65 72 74 2d 42 61 6e 6e 65 72 2e 70 6e 67 0d 0a
Data Ascii: HitmanProAlert https://www.hitmanpro.com/en-us/alert.aspx?cmp=37808 http://files.surfright.nl/banners/HitmanPro-Alert-Banner.png

Code Manipulations

Statistics

System Behavior

Analysis Process: HitmanPro_x64.exe PID: 6760 Parent PID: 5732

General

Start time: 12:19:08
Start date: 13/09/2020
Path: C:\Users\user\Desktop\HitmanPro_x64.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\HitmanPro_x64.exe'
Imagebase: 0x7ff74f990000
File size: 11429976 bytes
MD5 hash: AAA7885818066476AB337A1CBBD427D9
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.484922913.00007FF75024F000.00000002.00020000.sdmp, Author: Florian Roth
Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000000.204838234.00007FF75024F000.00000002.00020000.sdmp, Author: Florian Roth
Reputation: low

File Activities

File Created

Source  File Path  Access  Attributes  Options  Completion  Count  Address  Symbol
C:\ProgramData\HitmanPro\Banner.bin  read attributes | synchronize | generic write  device  synchronous io non alert | non directory file  success or wait  1  7FF74FB9A03B  CreateFileW

File Deleted

Source  File Path  Completion  Count  Address  Symbol
C:\Users\user\Desktop\HitmanPro_x64.exe:Zone.Identifier  success or wait  1  7FF74FA9A68F  DeleteFileW

File Written

Source  File Path  Offset  Length  Value  Ascii  Completion  Count  Address  Symbol
unknown  unknown  52 4e 6f 20 6c 69 63 65 6e 73 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 48 69 74 6d 61 6e 50 72 6f 5c 48 69 74 6d 61 6e 50 72 6f 2e 6c 69 63 0d 0d 0a  No license C:\ProgramData\HitmanPro\HitmanPro.lic...  invalid handle  1  7FF74FC55AF9  WriteFile
unknown  unknown  52 4e 6f 20 6c 69 63 65 6e 73 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 48 69 74 6d 61 6e 50 72 6f 5c 48 69 74 6d 61 6e 50 72 6f 2e 6c 69 63 0d 0d 0a  No license C:\ProgramData\HitmanPro\HitmanPro.lic...  invalid handle  1  7FF74FC55AF9  WriteFile
unknown  unknown  52 4e 6f 20 6c 69 63 65 6e 73 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 48 69 74 6d 61 6e 50 72 6f 5c 48 69 74 6d 61 6e 50 72 6f 2e 6c 69 63 0d 0d 0a  No license C:\ProgramData\HitmanPro\HitmanPro.lic...  invalid handle  1  7FF74FC55AF9  WriteFile
unknown  unknown  52 4e 6f 20 6c 69 63 65 6e 73 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 48 69 74 6d 61 6e 50 72 6f 5c 48 69 74 6d 61 6e 50 72 6f 2e 6c 69 63 0d 0d 0a  No license C:\ProgramData\HitmanPro\HitmanPro.lic...  invalid handle  1  7FF74FC55AF9  WriteFile
unknown  unknown  52 4e 6f 20 6c 69 63 65 6e 73 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 48 69 74 6d 61 6e 50 72 6f 5c 48 69 74 6d 61 6e 50 72 6f 2e 6c 69 63 0d 0d 0a  No license C:\ProgramData\HitmanPro\HitmanPro.lic...  invalid handle  1  7FF74FC55AF9  WriteFile
C:\ProgramData\HitmanPro\Banner.bin  unknown  8192  89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 c0 00 00 00 fc 08 02 00 00 00 f6 6a 85 47 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65  .PNG...... IHDR...... j.G....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..}...U. v...../a..eH\.A..#... .3...g..... P$...... F.qfD....G.D...  success or wait  10  7FF74FB9A47E  WriteFile

File Read

Source  File Path  Offset  Length  Completion  Count  Address  Symbol
C:\Windows\System32\ntdll.dll  unknown  1946304  success or wait  1  7FF74FAD6968  ReadFile

Registry Activities

Key Created

Source  Key Path  Completion  Count  Address  Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro  success or wait  1  7FF74FA7A1E1  RegCreateKeyExW

Key Value Created

Source  Key Path  Name  Type  Data  Completion  Count  Address  Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro  UID  unicode  {9A80B8B2-1704-4BAA-81F6-F9F208F3442F}  success or wait  1  7FF74FA9F6CA  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro  LastCFU  unicode  2020-09-13 12:19:05  success or wait  1  7FF74FA95191  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro  BannerURL  unicode  https://www.hitmanpro.com/en-us/alert.aspx?cmp=37808  success or wait  1  7FF74FA8351A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro  BannerID  unicode  HitmanProAlert  success or wait  1  7FF74FA8392D  RegSetValueExW

Disassembly

Code Analysis
