28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

processhacker-2.39-setup.exe
Size

2.2MB
MD5

54daad58cce5003bee58b28a4f465f49
SHA1

162b08b0b11827cc024e6b2eed5887ec86339baa
SHA256

28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063
SHA512

8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829
SSDEEP

49152:l9hfV/U5NkLXXzGZjt6kFTCVP6hWE0wvmk/eE+FrAl+NGsOSE6IX8pq:Dh9/ULkjKxtTGP6VZd2rAcvOSE6Nq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid process

2364 processhacker-2.39-setup.tmp
1996 ProcessHacker.exe

Loads dropped DLL 24 IoCs

Processes:

processhacker-2.39-setup.exeprocesshacker-2.39-setup.tmpProcessHacker.exe

pid	process
2256	processhacker-2.39-setup.exe
2364	processhacker-2.39-setup.tmp
2364	processhacker-2.39-setup.tmp
2364	processhacker-2.39-setup.tmp
2364	processhacker-2.39-setup.tmp
2364	processhacker-2.39-setup.tmp
2364	processhacker-2.39-setup.tmp
1192
1192
1192
1192
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1192

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 42 IoCs

Processes:

processhacker-2.39-setup.tmp

description	ioc	process
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-G99RE.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-3AO93.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-OJP0V.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-J2Q7P.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-1LR4L.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-1N4RM.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-FG2NJ.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-79SUD.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-NQKLF.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-KNQHF.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-932UQ.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SBORT.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-KKS08.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-05HQT.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-OT5RR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-HKOJR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-N9CK4.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-RLIKM.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-5GT40.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-5EKUG.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-6MACB.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-OC74F.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-R76L8.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-9PF3R.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProcessHacker.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ProcessHacker.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid	process
2364	processhacker-2.39-setup.tmp
2364	processhacker-2.39-setup.tmp
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ProcessHacker.exe

pid process

1996 ProcessHacker.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ProcessHacker.exe

description	pid	process
Token: SeDebugPrivilege	1996	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	1996	ProcessHacker.exe
Token: 33	1996	ProcessHacker.exe
Token: SeLoadDriverPrivilege	1996	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	1996	ProcessHacker.exe
Token: SeRestorePrivilege	1996	ProcessHacker.exe
Token: SeShutdownPrivilege	1996	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	1996	ProcessHacker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid	process
2364	processhacker-2.39-setup.tmp
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exe

pid	process
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe
1996	ProcessHacker.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

processhacker-2.39-setup.exeprocesshacker-2.39-setup.tmp

description	pid	process	target process
PID 2256 wrote to memory of 2364	2256	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 2256 wrote to memory of 2364	2256	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 2256 wrote to memory of 2364	2256	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 2256 wrote to memory of 2364	2256	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 2256 wrote to memory of 2364	2256	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 2256 wrote to memory of 2364	2256	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 2256 wrote to memory of 2364	2256	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 2364 wrote to memory of 1996	2364	processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 2364 wrote to memory of 1996	2364	processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 2364 wrote to memory of 1996	2364	processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 2364 wrote to memory of 1996	2364	processhacker-2.39-setup.tmp	ProcessHacker.exe

C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup.exe
"C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\is-B50F7.tmp\processhacker-2.39-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B50F7.tmp\processhacker-2.39-setup.tmp" /SL5="$8001C,1874675,150016,C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files\Process Hacker 2\ProcessHacker.exe
"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
1.3MB

MD5
3e0bd079559efd36749e756f425348f7

SHA1
55a21f9ddcfdcf56fa18006c915cc675a72786a8

SHA256
5397259487ffcafc6eafc037ab9c3a6bbf1a114494551b21eeaf0da61c01af76

SHA512
ce27a9cc3a5e9472d24449e6155703659f8c26c61545d75054168961823fbe420fab230141f87d9a79245357d136297a40e30dd9266b195ef217f079aa0f690a

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
1.5MB

MD5
353ce7dc8703b11cf2be83816f246831

SHA1
5f10d493c8164a125b83af4264cadeac1d61cb79

SHA256
ae748e5d3a70a1aadb90b0ed6e1a7a49e9a041c588b7638034cbaaf5575c5b90

SHA512
1e5bc6ac790f38eeb1beab803ea46624f4599f6030626c19aa5a389d953bafad1ac4157b4c1e468c85bd2adca43f547b5fbe6d78b72663b6cb00cb6ea31ee509

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig
Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll
Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll
Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll
Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll
Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll
Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll
Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll
Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll
Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCF7.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFD57.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B50F7.tmp\processhacker-2.39-setup.tmp
Filesize
243KB

MD5
3a2b7d00f26474ba1aeba33cfe789234

SHA1
1d5bf77a1b06797c2baf19022d957b9793d6bce3

SHA256
b934e59625a0d2ee5391b7e0bb0862ba5354e7c562366a49b235250a630c8e0f

SHA512
4886d5ade79d8f8af5eb97bddfb4d2d4f7114217e4653afd1912fc1b9d8c07adf585852a91370bb95ad4d860344bfab7307e5ed28191796364a4a311d9b56d32

Download Submit
\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
466KB

MD5
534b8fd0fd9803e98d2058e2c9d41215

SHA1
527cf20e97e06e6cf3ae07f4d03df307d481b997

SHA256
bd8b4939867c658811dcc47cf0352688789230f04cd33ba1645f07274b6d4eb3

SHA512
bcdc34a27176b6a952c8ccef7c62ededc10225477bdf90d8bdb9f895b4fdf4defabf753f733d49da4f2064ec6c47a6bbb02f71328506bd46c2e217d5dc8c6c8b

Download Submit
\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
928KB

MD5
c598692b50d13e17fddbc725d2fe9e9b

SHA1
e7915f2897136be66acbfa226d41bef9cb4b91a3

SHA256
b747f5730796d15d0e531ad08717ca38fa641e019134716713a4f1a327ad65bd

SHA512
d9cd4acae9f4a021d2400e895c995ad53d8179e93d1786515647c8d073a67e0e8aed40208f2093b4d1c7cede53b23fa34eff390edbeec87993e65d249892bb89

Download Submit
\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
850KB

MD5
0746f21a723a487ca2ce3a83cfc6e17a

SHA1
42b9a317cbadc22fbd5b2d30522b68591b20fd1f

SHA256
f57bc3fa4baab921594e3e9d369c2a804e8bc8a20df2610cba6f664d9e8aa4ae

SHA512
ddb04031e024b7a1ea1120a58ba9aa6e869f47548dc80b2aa72cf75ebece7e13adce1711b6d5459dc9d2fe93817d0546cb0fc1f8ef80531a12288b2de827dcd2

Download Submit
\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
374KB

MD5
e9c51b534f4aaa82176d2b7371004c56

SHA1
f4f3b0c4aa5b2bea7dfe711c5811a16088aae4c3

SHA256
b5e40a22df5aa5f30d100d079b1d207422159bc8379d60a88f41795661daf9ac

SHA512
36ff58187419db850b45416fd281f3861f1bc28dc043e205639551ad02df85b640d3ef35ad900eae18c06334cda20da99f50ef19237c037cebdf476c5cea1edd

Download Submit
\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
380KB

MD5
60dc945c1d76e211ca46cb0accd70109

SHA1
9be05c18a2ec4ac5a4bc5d161d6e886c79cb3797

SHA256
fe2f8c5d3d45af31532db780167b5c029f6d840e54822f95f839eab99342c9cc

SHA512
32bd44212c983d8eae2e6f56724184226a57e66459b394e3a4dced998b32df1d68685e072074c4aaa3f8989edcb0ed056112d7e0d604a9a01746d388c307ec47

Download Submit
\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
409KB

MD5
874208d554ac5c9ad3410bf70dd0bc0f

SHA1
e0b2a5e1909e0967a634ccc078954b861094d331

SHA256
3535eaedf3783536d05629ded705fa717c7230e4a757b398d702549b1a4ebbcb

SHA512
3786e302bf839815df786486d351e4e2f5cbac178e3937f28e0f049eb84b72adfdf9b5b535c69026ab5e392be0a66cfc30490546925c22053c44a0e3402e5638

Download Submit
\Program Files\Process Hacker 2\peview.exe
Filesize
229KB

MD5
dde1f44789cd50c1f034042d337deae3

SHA1
e7e494bfadb3d6cd221f19498c030c3898d0ef73

SHA256
4259e53d48a3fed947f561ff04c7f94446bedd64c87f52400b2cb47a77666aaa

SHA512
33060b907c4bc2335328498aac832790f7bc43281788fa51f9226a254f2e4dbd0a73b230d54c2cde499b2f2e252b785a27c9159fc5067018425a9b9dbcdbedbc

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedServices.dll
Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
\Program Files\Process Hacker 2\plugins\HardwareDevices.dll
Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
\Program Files\Process Hacker 2\plugins\SbieSupport.dll
Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
\Program Files\Process Hacker 2\plugins\ToolStatus.dll
Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
\Program Files\Process Hacker 2\unins000.exe
Filesize
796KB

MD5
43ea49877a2a1508ba733e41c874e16e

SHA1
c15c80a9c3799b654fdca92b44af2521fa41ef06

SHA256
e7c1d4c07728671c3b28295c863bbe681f962196c8a974eb4b3003540338aa04

SHA512
99577f1ef0e7dfd621829186643e750d7b5eedc2a0f766f5e8684f70cc4034eaef059c6991098100627c89cb40fe6fec04ef543f637aebb5fb4979b06d872127

Download Submit
\Users\Admin\AppData\Local\Temp\is-B50F7.tmp\processhacker-2.39-setup.tmp
Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
\Users\Admin\AppData\Local\Temp\is-IKKP5.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1996-123-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1996-122-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1996-124-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1996-191-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2256-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2256-126-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2256-87-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-121-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2364-120-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2364-92-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2364-88-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2364-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download