njrat | c4b37931430ff96bbfe77cc77658e6d4f552930d5f7d16ae376e2332d2d42734

Analysis

max time kernel
150s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
19-07-2023 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

splwow64.exe
Size

89KB
MD5

a46e3a000ca82c5d2a7e6058f8a04a6c
SHA1

884591c7815b7db86a171188acb9b62631636e06
SHA256

c4b37931430ff96bbfe77cc77658e6d4f552930d5f7d16ae376e2332d2d42734
SHA512

3dd2236c21a77e2c0a6477a5281fdb3192272760efdc037f0c4f4c28981e1fe9630c0dae5de803d00a8eaee7ef367023cba638faf104735d7ec3bd590da8d8c1
SSDEEP

1536:LhpbXXqwJcvVto3dS9uPsCerVt3A7HPd4n+lbeRZIbSQPYZ:LhpjqwOVtwdS9uPs3HQbPRyZ2pPYZ

Score

10^/10

njrat victim discovery trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

Victim

no-sofa.at.ply.gg:80

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	splwow64.exe

Executes dropped EXE 5 IoCs

pid	Process
4336	splwow64.exe
5300	splwow64.exe
5572	processhacker-2.39-setup.exe
5680	processhacker-2.39-setup.tmp
5428	ProcessHacker.exe

Loads dropped DLL 12 IoCs

pid	Process
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files\Process Hacker 2\is-ECOTV.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-EBRR0.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-GSGU8.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-2TGSF.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-1BN8F.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-TCIMQ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SEL8K.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-4BAUB.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-K0QL3.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-M6SGH.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-R136E.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-CC1GJ.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-21USC.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-KUSJF.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-M0FVF.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-HE7FM.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-MA3QT.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-ESG1A.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-QVIDJ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-9A6GT.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-P6F2D.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-8NR1H.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-IL0ET.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-6GVO5.tmp	processhacker-2.39-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4624	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ProcessHacker.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5680	processhacker-2.39-setup.tmp
5680	processhacker-2.39-setup.tmp
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5428	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
640	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: SeDebugPrivilege	4336	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: SeDebugPrivilege	4112	firefox.exe
Token: SeDebugPrivilege	4112	firefox.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: SeDebugPrivilege	5300	splwow64.exe
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5680	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5428	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	5428	ProcessHacker.exe
Token: 33	5428	ProcessHacker.exe
Token: SeLoadDriverPrivilege	5428	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	5428	ProcessHacker.exe
Token: SeRestorePrivilege	5428	ProcessHacker.exe
Token: SeShutdownPrivilege	5428	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	5428	ProcessHacker.exe
Token: 33	4516	splwow64.exe
Token: SeIncBasePriorityPrivilege	4516	splwow64.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
4112	firefox.exe
4112	firefox.exe
4112	firefox.exe
4112	firefox.exe
5680	processhacker-2.39-setup.tmp
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
4112	firefox.exe
4112	firefox.exe
4112	firefox.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe
5428	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4112	firefox.exe
4112	firefox.exe
4112	firefox.exe
4112	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4624	4516	splwow64.exe	68
PID 4516 wrote to memory of 4624	4516	splwow64.exe	68
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 1232 wrote to memory of 4112	1232	firefox.exe	75
PID 4112 wrote to memory of 604	4112	firefox.exe	76
PID 4112 wrote to memory of 604	4112	firefox.exe	76
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 3572	4112	firefox.exe	77
PID 4112 wrote to memory of 708	4112	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\splwow64.exe
"C:\Users\Admin\AppData\Local\Temp\splwow64.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "splwow64" /tr "C:\ProgramData\splwow64.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4624

C:\ProgramData\splwow64.exe
C:\ProgramData\splwow64.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.0.965527890\1069312439" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20858 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53a52299-3343-4e2d-8bcc-b15997c8e280} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 1784 2d7762c1158 gpu
    3⤵
    PID:604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.1.1115147788\1555066563" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20939 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d74bf52-8a9f-4691-8060-9494baa7204f} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 2136 2d775e31a58 socket
    3⤵
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.2.1840859514\46714621" -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3172 -prefsLen 21042 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b14f8d69-0c59-4361-a7f2-f049a30c4282} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 2788 2d77a5ad458 tab
    3⤵
    PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.3.1743128970\1882516352" -childID 2 -isForBrowser -prefsHandle 2996 -prefMapHandle 988 -prefsLen 26402 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92c46ef9-31be-4b93-a7f2-3b51b5bf3bb4} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 3504 2d778c0d358 tab
    3⤵
    PID:4140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.4.1871383075\2023249956" -childID 3 -isForBrowser -prefsHandle 3552 -prefMapHandle 3692 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9de5ba64-6f61-4728-a022-81f10d2c2849} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 3976 2d77b94e658 tab
    3⤵
    PID:3308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.5.421911846\1791302710" -childID 4 -isForBrowser -prefsHandle 4744 -prefMapHandle 4748 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e602a07b-cca4-4933-86c2-193cf49898c6} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 4488 2d77c19b858 tab
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.7.2097551159\630257966" -childID 6 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a17edc9e-3093-4ecf-8543-148cf3ba0b6f} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 5072 2d7789e3d58 tab
    3⤵
    PID:4196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.6.1746739262\233647526" -childID 5 -isForBrowser -prefsHandle 4924 -prefMapHandle 4928 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {110afbd5-7db9-4124-bc41-ea5f3d1d0406} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 4936 2d7789e3a58 tab
    3⤵
    PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.8.2141670093\1919079733" -childID 7 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 26715 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3964b007-f210-4888-981f-0df08d834afd} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 5624 2d77ed4ff58 tab
    3⤵
    PID:4832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.9.2091527408\1877821736" -childID 8 -isForBrowser -prefsHandle 4844 -prefMapHandle 4832 -prefsLen 26715 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70ea8e25-03df-4e70-a5f6-f28985f21607} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 4196 2d77caf6158 tab
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.10.1439498432\314507118" -childID 9 -isForBrowser -prefsHandle 9800 -prefMapHandle 9804 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e956f0af-7c7d-4a71-8943-ff9b07b1e532} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 8444 2d77f59a758 tab
    3⤵
    PID:312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.11.1108233562\1685098549" -childID 10 -isForBrowser -prefsHandle 9764 -prefMapHandle 9756 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7979e489-eb89-4853-8ccb-0e754a2e7193} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 8436 2d77e0efb58 tab
    3⤵
    PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.12.851979335\1174902686" -childID 11 -isForBrowser -prefsHandle 9504 -prefMapHandle 9500 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fed7865-dbf4-4990-bdab-029199b53e57} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 9512 2d77e0ef558 tab
    3⤵
    PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.13.1583815189\1880624171" -childID 12 -isForBrowser -prefsHandle 9464 -prefMapHandle 9416 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bde9cf87-6a54-42fd-940d-32eaaa3aea20} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 8252 2d779ea2e58 tab
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.14.1681081192\30834354" -childID 13 -isForBrowser -prefsHandle 9324 -prefMapHandle 9320 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2522d2c-8ac6-49fb-81a1-7974464f4558} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 9328 2d77a5aef58 tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.16.980011689\249263171" -childID 15 -isForBrowser -prefsHandle 6800 -prefMapHandle 6796 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee8595f4-bee2-4703-bdc9-92b5fc11db81} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 6808 2d77f862858 tab
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.15.718350395\163666453" -childID 14 -isForBrowser -prefsHandle 9220 -prefMapHandle 6944 -prefsLen 26980 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d9276d-29b1-40eb-a3eb-7332cea3760c} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 9288 2d77f860d58 tab
    3⤵
    PID:5768
- - C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
    "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Executes dropped EXE
    PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\is-J7CH7.tmp\processhacker-2.39-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-J7CH7.tmp\processhacker-2.39-setup.tmp" /SL5="$701B8,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5680
    - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
        
        "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.19.982592390\1556042640" -childID 18 -isForBrowser -prefsHandle 9352 -prefMapHandle 9364 -prefsLen 27156 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f2db1d6-0621-4f58-93da-57b0d9759adc} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 9536 2d77e8cdb58 tab
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.18.1965503146\773109266" -childID 17 -isForBrowser -prefsHandle 9792 -prefMapHandle 9700 -prefsLen 27156 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4d9599-7f5a-401e-ae76-ef20cefa400f} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 9528 2d77e7b9858 tab
    3⤵
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.17.785788755\1494105423" -childID 16 -isForBrowser -prefsHandle 8336 -prefMapHandle 8416 -prefsLen 27156 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {822946b9-8519-4ae7-8bba-01fca1a3b94c} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 8344 2d77e7b7458 tab
    3⤵
    PID:5864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.20.593320215\2134119334" -childID 19 -isForBrowser -prefsHandle 9696 -prefMapHandle 9684 -prefsLen 27156 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71f1b3f3-7b4c-45f1-9043-d6ca0d7dd030} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 9732 2d77ef36858 tab
    3⤵
    PID:4240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.21.563673390\1655848298" -childID 20 -isForBrowser -prefsHandle 9344 -prefMapHandle 8208 -prefsLen 27156 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f76135ea-33dd-425f-a021-6f21c3f4f476} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 8252 2d77f096b58 tab
    3⤵
    PID:3716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4112.22.1090521620\771641406" -childID 21 -isForBrowser -prefsHandle 5632 -prefMapHandle 9728 -prefsLen 27156 -prefMapSize 232645 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5078776-b359-4ef2-be7b-61374e277436} 4112 "\\.\pipe\gecko-crash-server-pipe.4112" 9664 2d77f9bbc58 tab
    3⤵
    PID:5172

C:\ProgramData\splwow64.exe
C:\ProgramData\splwow64.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\ProgramData\splwow64.exe

Filesize
89KB

MD5
a46e3a000ca82c5d2a7e6058f8a04a6c

SHA1
884591c7815b7db86a171188acb9b62631636e06

SHA256
c4b37931430ff96bbfe77cc77658e6d4f552930d5f7d16ae376e2332d2d42734

SHA512
3dd2236c21a77e2c0a6477a5281fdb3192272760efdc037f0c4f4c28981e1fe9630c0dae5de803d00a8eaee7ef367023cba638faf104735d7ec3bd590da8d8c1

Download Submit
C:\ProgramData\splwow64.exe

Filesize
89KB

MD5
a46e3a000ca82c5d2a7e6058f8a04a6c

SHA1
884591c7815b7db86a171188acb9b62631636e06

SHA256
c4b37931430ff96bbfe77cc77658e6d4f552930d5f7d16ae376e2332d2d42734

SHA512
3dd2236c21a77e2c0a6477a5281fdb3192272760efdc037f0c4f4c28981e1fe9630c0dae5de803d00a8eaee7ef367023cba638faf104735d7ec3bd590da8d8c1

Download Submit
C:\ProgramData\splwow64.exe

Filesize
89KB

MD5
a46e3a000ca82c5d2a7e6058f8a04a6c

SHA1
884591c7815b7db86a171188acb9b62631636e06

SHA256
c4b37931430ff96bbfe77cc77658e6d4f552930d5f7d16ae376e2332d2d42734

SHA512
3dd2236c21a77e2c0a6477a5281fdb3192272760efdc037f0c4f4c28981e1fe9630c0dae5de803d00a8eaee7ef367023cba638faf104735d7ec3bd590da8d8c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\splwow64.exe.log

Filesize
1KB

MD5
ada37846cea22757d6153e65b720a367

SHA1
d9c9e33987d095b32c364fe40dd6f054feaf7ea9

SHA256
7daa4e8a6296b9e3df9669f6a574cbe481f2df9c751affbeb41a541173264520

SHA512
592640e40ad0c6bcd8719f2cdbf828f2e322ad729c23ac3b44dd252a9c0b08d370a1cfcbcb9038cdffed0866ae4d2f8762c421f5e1a89c8d9273f482d9d2662f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bbvefu0b.default-release\activity-stream.discovery_stream.json.tmp

Filesize
139KB

MD5
ee76b3d15a048f2f7a93b0d164f9dabc

SHA1
72245d5cda97830034def8648f399ee40dbd39f6

SHA256
2a51160ff95292ef45b25c3fb07c5f1d46d0017cfe2c14e3f0345a06963640f1

SHA512
0d8b27bf3481c6683044c001b162d875e683ed922cf2f3a1575749a972ed6ddb8bce165f835da07762cff5768e9ac9eae1f90774ef2a718fdcc058f73fbd9f8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bbvefu0b.default-release\cache2\doomed\16144

Filesize
9KB

MD5
f1f2980fe6874d2cb3465031a8acf18c

SHA1
d18d1d5b1db3fbf2c3be408e4d34febad8749bca

SHA256
920e15133b8faaabbf563f5fe1bb1824568fe1a567df4784b5535d90d7983e02

SHA512
4b8a26adda081f1544b3234265d1cb475fb2407b14d83b02f8057c4f5e0f0fbf6d457ac2765c079286f6106b39eb4b5de7b6965894d2cf495b6bd25dfac7806c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bbvefu0b.default-release\cache2\doomed\26625

Filesize
7KB

MD5
294261dddb59fda90e4094b951f45f82

SHA1
50627ba8593ae4f7486a2bd3e8d2c4f5b46fd625

SHA256
ccc70a31668c9436f6c00dc8a4c2c9ebca667c1441e0c1e586fa125c3379efb7

SHA512
ddcf75c60597aaac86a5ea57660d13c94eec067eff3b6570a1d6f7876748d2e1dd0da3a947d9274b749709ec2f1323d5991c8fcb4e6059c0d9b713d50fbc8f04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bbvefu0b.default-release\cache2\doomed\31349

Filesize
8KB

MD5
b08d1d703387c5467c347d28c6608210

SHA1
82c79159e846fa199864073054fd8af0e40e48a7

SHA256
5f0c0224a38da3cc48f159199b7ae42ec36410e997b4b77f07e015b9cfe0b051

SHA512
81c7078d1417024e5ce676d303ae954e4f79673d37511083a68cfd02f72924b65673876a126234be322529828bd9a1baa8ae2d3e4f5c7085bafa0c5a70d6888e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bbvefu0b.default-release\cache2\entries\6E1895B33D5F91F34072ECC4DEA16128B135F807

Filesize
900KB

MD5
9be79f0d18dda040706525d5467e39e8

SHA1
647bc89e4fbdc07f1576c0d0550ed3edf55852bf

SHA256
af9344a15d121267f1650e03ff349ce6e781c75591e306418367b15541a2d5db

SHA512
38d5550f6b5cd4f69949882c866f183e326903f7dd9c717f642436215fd7f4cd4a236db7dba702f4acad4672e451ebfeac725987432670f8f9c43a5f814d0de2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bbvefu0b.default-release\cache2\entries\8E242CAEAA55B76AA55D0BE7E474E3814F81818A

Filesize
119KB

MD5
b126872b43ee580b58f2a00f064be71f

SHA1
89266518f397cc79223e1bebb832c87b36b864fc

SHA256
71bcdcdafb7fed67c141fa46f6da189228c7348c9f02b29e1475adcc3af7150c

SHA512
0ed92da8419b5892a696004b59bffbd8bc4e69698eda758e85967ad58e5571dacf8bbad549baae638682477beaa32299534f782d9c2c297934c8c7c8299feaac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J7CH7.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J7CH7.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\prefs-1.js

Filesize
6KB

MD5
c8f9238776c39b2c8b5fa324a79cea93

SHA1
a7b0acb30a02ebf767364624a74afa815ad6c032

SHA256
d5f9fa33809e64f230116557b8e923377725ed777af2ad513a0c9e9c592afc30

SHA512
0470b897b729e2b9bb1761c5824dc6bdda8c615b517598c10a9e4c669e475734c2ecffb8e861fafd78015af8bdccb3927ca5ef08edfeecdf1a5852ebc634afa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\prefs-1.js

Filesize
6KB

MD5
b375bc09b577c3b57436942438be7e74

SHA1
2bcc5d3e0c528f16813f835e2199bef77eee40cc

SHA256
293b0dcf9c1c3c787a87b70d96441e835b8b27f41f62d093cb6c901a44eae56b

SHA512
f3221f694633aa1486966e6c4eba6a8b7974134af306af054e01a8c09c76f1db3cf67f02dbb4b1159a3b08e40c2d6b86f43217a85593fe64396e0f1d71890b96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\prefs.js

Filesize
6KB

MD5
27e4b9cb6bee08aa4cc9eced34260b78

SHA1
a1f0c28d78f7a8da129d8154d47ec908120166d7

SHA256
4c82fbbd2116afc9d5c3610c0c6cc981634aaf457ab5044026427f236bf680c5

SHA512
b369a7c48ff54eabec9ffbffe05c2b40619f6de84bffb0c403a8c2469ff899aa43433b9c42dbcd399ae22439c69192bd55dc854d434630d03f6615bbee71aedc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
3f6209fe78704481adb207027d595522

SHA1
f65645a5b4722019ef8e3d87c3bba9c5e59c2bc6

SHA256
ca68e8cdb8306a1baefcaf129ba54ad71d009a60ad527b81a6515d4dd1c8f730

SHA512
9c9176d7c048a5398f23c8770d66d7ab2013fbdd8ca6279bb95b8658927b7928381bb6403648953f97512dbcb23f7b965358de231fd079fcbe9866c51b8c784d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
1399366d7de5a7d392286fbbf362c30f

SHA1
3d9d29de00042ea32a0521c0227e2aa24b0ee511

SHA256
8346b7a67a02fc5490d5639dae1da73eb572c14456cec0f58edd25eeb47e4b45

SHA512
02025c77d51b0f875b0e71a73a15ce399a925e0b36e27756b2fddbd6de535d9eaf7e38620f67240dbeddee2ef8f241efb10a4aa5acfe89c275a32bda7043db4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
444a4997abd6ff0ea2a029d6878e94c7

SHA1
b6b9436cf52cbeae98da2b4e40e2666eb1de0e86

SHA256
ee95fbbfeaa316dbd1d9676e8ae30b24c3d6f6fd3aaf83989a8a2fdc8114982b

SHA512
4557057aee4c1125a142a44932586c390fbf1272f1734e43677e2b97803bc92bf19be3c20c53037e7be4a35a0e7859fed3c9ea4390a963c3a3322896ba14f754

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d52662f4f0162dc581582b12a5fa85f2

SHA1
94e828e44e29fa3d081d79d75d2a9be4f46a5692

SHA256
7e176a3a72ba3172186af88605f791a125fa247202509369fdb8cf4674e26860

SHA512
45dff75e856234e8fd6c6641ded9658d412d8f69bd4cd7d260560956a1ad16b9ffa4a2557b469bf45c56ce610d4bf9ab0d63488d99d59fcd0e188fc087b32801

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
49065a6574576f0a0f6013a571da8beb

SHA1
836fb14cbb0dbda9a829ce8ea025de5c4a1579ba

SHA256
5a9fbd47c3c20919743abae63d99950193c5a413adccea8b443ac1f65af55a0a

SHA512
2b1bcc03094ccbef5a2380b08e806dcdd94bdb5c6381f72e04cf223b94821cca59fb84be1ce59dd5f0cc44ca53a9d34db4cab58706f99eb2de4ac76eef0c17fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bbvefu0b.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
1f74a9151ba5aea0e1c532205db2a080

SHA1
b2d3e64beda82371de5320cc1986ccd301f4ee9a

SHA256
397f92ec8b3a5f23fe8508381410bd908fbfad8a3a2b842d4a0f84ffd5fd83b2

SHA512
60592e7e9668e9147d975c8b818e246f23cda091e1139fda6399674cf45c543830bc812743c0c05a17f8a0d55739b9eeb900b0c6ef76e11027bddbc1ad2777f5

Download Submit
C:\Users\Admin\Downloads\processhacker-2.39-setup.exe

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
C:\Users\Admin\Downloads\processhacker-2.39-setup.exe

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
C:\Users\Admin\Downloads\processhacker-2.kGwxrCr6.39-setup.exe.part

Filesize
31KB

MD5
d60976f5e596c737a3e30d375a353310

SHA1
0b42538f16bf9e009274201929290a9fdbe8c380

SHA256
76873ffccb71ac8dbb7bf5b5e2e0da3ffa176838abde57a5881c0d6f64ad9cc4

SHA512
2980f3de48c027c0ea19e75dd2e6752fe9a6a5db7e12513d3348d8330bb2c96b5e1efbcaccd999861ce53dd8db9353887c3c26b16819dabc7a995e7d0ab2b236

Download Submit
\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
memory/4336-134-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/4336-132-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/4516-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4516-129-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/4516-128-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/4516-125-0x00000000026C0000-0x00000000026CE000-memory.dmp

Filesize
56KB

Download
memory/4516-124-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/4516-122-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/5300-606-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/5300-577-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/5572-772-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5572-591-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5680-601-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/5680-762-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download