963edcc0ef0f02a227e40c4d1f7eb319ae32559baa290b24264aee027053ff62

Resubmissions

21-10-2023 12:44

231021-pyrxkagb77 10

21-10-2023 12:08

231021-pbd27aga69 10

21-10-2023 11:58

231021-n5h3kaga48 10

08-10-2023 18:41

231008-xb6ffafb9s 10

Analysis

max time kernel
197s
max time network
239s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
21-10-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mathway20Database20Leaked20January202020.txt
Size

545.2MB
MD5

21da4ab437bc44fe51239d0d74bd1910
SHA1

72406887174c2631fbdeaa638e58c4725957ce65
SHA256

963edcc0ef0f02a227e40c4d1f7eb319ae32559baa290b24264aee027053ff62
SHA512

61fbd111860700f84cd43fe2a52c21f2ffde763f504bf06c73fcaafe3fa968996c6439e5074bb14a01f75e770d1dde61e24b9939dff278414c913e4c888af327
SSDEEP

786432:n8mrDuYVNa3Z8+Q6c3iBmGzFUQN4fmm1S39Z2dfmMY65rUPxgRH:8ip

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid process

5204 processhacker-2.39-setup.tmp
5600 ProcessHacker.exe

Loads dropped DLL 12 IoCs

Processes:

ProcessHacker.exe

pid	process
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 42 IoCs

Processes:

processhacker-2.39-setup.tmp

description	ioc	process
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-4MTSU.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-JHD31.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-NC16U.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-41D3P.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-N16BD.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-I4Q6P.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-P3AI2.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-KLHKR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-B0AB4.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-8N7PA.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-EDKN9.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-ACN0R.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-GFOJB.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-QTK6J.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-9RQF3.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-MVG62.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-6PH57.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-STKDQ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-1TFD7.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-PAAK2.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-PQHCB.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-94UBM.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-Q3DUH.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-3BIJB.tmp	processhacker-2.39-setup.tmp

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProcessHacker.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe

Modifies registry class 1 IoCs

Processes:

ProcessHacker.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4047565704-754001510-1218967575-1000_Classes\Local Settings ProcessHacker.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

752 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4047565704-754001510-1218967575-1000_Classes\Local Settings	ProcessHacker.exe

pid	process
752	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid	process
5204	processhacker-2.39-setup.tmp
5204	processhacker-2.39-setup.tmp
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ProcessHacker.exe

pid process

5600 ProcessHacker.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

604

pid	process
604

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5204	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5600	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	5600	ProcessHacker.exe
Token: 33	5600	ProcessHacker.exe
Token: SeLoadDriverPrivilege	5600	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	5600	ProcessHacker.exe
Token: SeRestorePrivilege	5600	ProcessHacker.exe
Token: SeShutdownPrivilege	5600	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	5600	ProcessHacker.exe
Token: SeDebugPrivilege	2092	taskmgr.exe
Token: SeSystemProfilePrivilege	2092	taskmgr.exe
Token: SeCreateGlobalPrivilege	2092	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid	process
5204	processhacker-2.39-setup.tmp
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exe

pid	process
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe
5600	ProcessHacker.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

processhacker-2.39-setup.exeprocesshacker-2.39-setup.tmp

description	pid	process	target process
PID 3228 wrote to memory of 5204	3228	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 3228 wrote to memory of 5204	3228	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 3228 wrote to memory of 5204	3228	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 5204 wrote to memory of 5600	5204	processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 5204 wrote to memory of 5600	5204	processhacker-2.39-setup.tmp	ProcessHacker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Mathway20Database20Leaked20January202020.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.12.541138080\731463176" -childID 11 -isForBrowser -prefsHandle 8720 -prefMapHandle 8724 -prefsLen 26874 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6823d5a6-e5d2-4533-9c61-180fcb30bb02} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 8712 2554f30ae58 tab
1⤵
PID:944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.13.1243902603\820342348" -childID 12 -isForBrowser -prefsHandle 9656 -prefMapHandle 9652 -prefsLen 26874 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c20ed102-a744-45cd-8961-a099f4463055} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 9664 2554f792258 tab
1⤵
PID:3304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.14.1837764238\1031040175" -childID 13 -isForBrowser -prefsHandle 8476 -prefMapHandle 8576 -prefsLen 26874 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1742730-66cf-4a29-ab50-e1caba0d852e} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 8484 2554f896d58 tab
1⤵
PID:4864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.15.780859185\1775568704" -childID 14 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27139 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f224b34b-65ca-4c3d-a4eb-01ce7da76cc7} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 5764 2554dee7458 tab
1⤵
PID:912

C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
"C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\AppData\Local\Temp\is-USIH2.tmp\processhacker-2.39-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-USIH2.tmp\processhacker-2.39-setup.tmp" /SL5="$4025A,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5204

C:\Program Files\Process Hacker 2\ProcessHacker.exe
"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.16.1326085118\484033814" -childID 15 -isForBrowser -prefsHandle 8900 -prefMapHandle 8936 -prefsLen 30418 -prefMapSize 232645 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfd1e339-9ad4-4070-85b9-5bebf0b0df81} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 8916 2553b76d658 tab
1⤵
PID:360

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-USIH2.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-USIH2.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
memory/3228-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3228-107-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5204-105-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/5204-6-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download