eternity | c4ab641f3560ecb8c3078c928872b3c83af2e79ac00e300aba3bc7111080eff5

Analysis

max time kernel
459s
max time network
461s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pathfinder_2.19.3/Pathfinder_2.19.3.exe
Size

7.2MB
MD5

0c702acbc7d30c865839dcb8a94a4a86
SHA1

06186c0bace78cf632d1bf31566d3e6479ab329c
SHA256

f3c880591e06396f588d5b45c599ba6aef1aae4065d0d55b3560e3547242b697
SHA512

5de2485877995cfe5b74385ed68df580c0ca8105a9089ecd9255c0e273a1677899157d73817f689af667b50da6510a8561c56309937dc32dca408fd5b2f2af7c
SSDEEP

98304:VXoFOv7y5Wm9647jfOzEa+yF0tznDOrq50oE7kwKSRPAb2Zpbq6+QYa:9E647jfOzCyCtL75YRPAkFvZX

Score

10^/10

eternity collection discovery

Malware Config

Extracted

Family

eternity

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3808	processhacker-2.39-setup.exe
6060	processhacker-2.39-setup.tmp
2988	ProcessHacker.exe

Loads dropped DLL 12 IoCs

pid	Process
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ProcessHacker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	pastebin.com
62	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	ip-api.com

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 404	5020	Pathfinder_2.19.3.exe	99
PID 2816 set thread context of 3460	2816	Pathfinder_2.19.3.exe	124
PID 2032 set thread context of 5276	2032	Pathfinder_2.19.3.exe	157
PID 3368 set thread context of 5568	3368	Pathfinder_2.19.3.exe	187

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-2G1G4.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-QF2GV.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-97BTA.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-5B5VA.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-TPVNN.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-7ADJJ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-KVCAD.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-1D01M.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-S6216.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-Q4KAU.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-V2QJE.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-FDAKU.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-RR9VI.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-8VC8E.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-LFNVQ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-GAP3V.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-IGC0E.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-PQVLF.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-OQDIQ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-TLLEN.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-N9C5A.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-6EQHL.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-TRB60.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-0MSIM.tmp	processhacker-2.39-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{0030490A-409C-439D-B6CB-6A2946979B75}	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ProcessHacker.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 943086.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
452	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
404	vbc.exe
404	vbc.exe
5208	msedge.exe
5208	msedge.exe
5916	msedge.exe
5916	msedge.exe
5524	msedge.exe
5524	msedge.exe
5840	identity_helper.exe
5840	identity_helper.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
3480	msedge.exe
1812	msedge.exe
1812	msedge.exe
6060	processhacker-2.39-setup.tmp
6060	processhacker-2.39-setup.tmp
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	vbc.exe
Token: SeDebugPrivilege	1460	firefox.exe
Token: SeDebugPrivilege	1460	firefox.exe
Token: SeDebugPrivilege	2988	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	2988	ProcessHacker.exe
Token: 33	2988	ProcessHacker.exe
Token: SeLoadDriverPrivilege	2988	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	2988	ProcessHacker.exe
Token: SeRestorePrivilege	2988	ProcessHacker.exe
Token: SeShutdownPrivilege	2988	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	2988	ProcessHacker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1460	firefox.exe
1460	firefox.exe
1460	firefox.exe
1460	firefox.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1460	firefox.exe
1460	firefox.exe
1460	firefox.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe
2988	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1460	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 404	5020	Pathfinder_2.19.3.exe	99
PID 5020 wrote to memory of 404	5020	Pathfinder_2.19.3.exe	99
PID 5020 wrote to memory of 404	5020	Pathfinder_2.19.3.exe	99
PID 5020 wrote to memory of 404	5020	Pathfinder_2.19.3.exe	99
PID 5020 wrote to memory of 404	5020	Pathfinder_2.19.3.exe	99
PID 404 wrote to memory of 3040	404	vbc.exe	100
PID 404 wrote to memory of 3040	404	vbc.exe	100
PID 404 wrote to memory of 3040	404	vbc.exe	100
PID 3040 wrote to memory of 4648	3040	cmd.exe	102
PID 3040 wrote to memory of 4648	3040	cmd.exe	102
PID 3040 wrote to memory of 4648	3040	cmd.exe	102
PID 3040 wrote to memory of 4556	3040	cmd.exe	103
PID 3040 wrote to memory of 4556	3040	cmd.exe	103
PID 3040 wrote to memory of 4556	3040	cmd.exe	103
PID 3040 wrote to memory of 2724	3040	cmd.exe	104
PID 3040 wrote to memory of 2724	3040	cmd.exe	104
PID 3040 wrote to memory of 2724	3040	cmd.exe	104
PID 404 wrote to memory of 4676	404	vbc.exe	105
PID 404 wrote to memory of 4676	404	vbc.exe	105
PID 404 wrote to memory of 4676	404	vbc.exe	105
PID 4676 wrote to memory of 3256	4676	cmd.exe	107
PID 4676 wrote to memory of 3256	4676	cmd.exe	107
PID 4676 wrote to memory of 3256	4676	cmd.exe	107
PID 4676 wrote to memory of 4984	4676	cmd.exe	108
PID 4676 wrote to memory of 4984	4676	cmd.exe	108
PID 4676 wrote to memory of 4984	4676	cmd.exe	108
PID 4676 wrote to memory of 2116	4676	cmd.exe	109
PID 4676 wrote to memory of 2116	4676	cmd.exe	109
PID 4676 wrote to memory of 2116	4676	cmd.exe	109
PID 404 wrote to memory of 4784	404	vbc.exe	114
PID 404 wrote to memory of 4784	404	vbc.exe	114
PID 404 wrote to memory of 4784	404	vbc.exe	114
PID 4784 wrote to memory of 3840	4784	cmd.exe	116
PID 4784 wrote to memory of 3840	4784	cmd.exe	116
PID 4784 wrote to memory of 3840	4784	cmd.exe	116
PID 4784 wrote to memory of 452	4784	cmd.exe	117
PID 4784 wrote to memory of 452	4784	cmd.exe	117
PID 4784 wrote to memory of 452	4784	cmd.exe	117
PID 2816 wrote to memory of 3460	2816	Pathfinder_2.19.3.exe	124
PID 2816 wrote to memory of 3460	2816	Pathfinder_2.19.3.exe	124
PID 2816 wrote to memory of 3460	2816	Pathfinder_2.19.3.exe	124
PID 2816 wrote to memory of 3460	2816	Pathfinder_2.19.3.exe	124
PID 2816 wrote to memory of 3460	2816	Pathfinder_2.19.3.exe	124
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 2568 wrote to memory of 1460	2568	firefox.exe	127
PID 1460 wrote to memory of 2732	1460	firefox.exe	128
PID 1460 wrote to memory of 2732	1460	firefox.exe	128
PID 1460 wrote to memory of 2780	1460	firefox.exe	129
PID 1460 wrote to memory of 2780	1460	firefox.exe	129
PID 1460 wrote to memory of 2780	1460	firefox.exe	129
PID 1460 wrote to memory of 2780	1460	firefox.exe	129
PID 1460 wrote to memory of 2780	1460	firefox.exe	129
PID 1460 wrote to memory of 2780	1460	firefox.exe	129
PID 1460 wrote to memory of 2780	1460	firefox.exe	129
PID 1460 wrote to memory of 2780	1460	firefox.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Pathfinder_2.19.3\Pathfinder_2.19.3.exe
"C:\Users\Admin\AppData\Local\Temp\Pathfinder_2.19.3\Pathfinder_2.19.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:404
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile name="65001" key=clear
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\findstr.exe
      findstr Key
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:640

C:\Users\Admin\Desktop\Pathfinder_2.19.3\Pathfinder_2.19.3.exe
"C:\Users\Admin\Desktop\Pathfinder_2.19.3\Pathfinder_2.19.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3460

C:\Users\Admin\Desktop\Pathfinder_2.19.3\Pathfinder_2.19.3.exe
"C:\Users\Admin\Desktop\Pathfinder_2.19.3\Pathfinder_2.19.3.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:5276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.0.1518151881\1064061226" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f98c2fa-026c-4c51-a075-4e4417d2a568} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 1984 1d091dd7058 gpu
    3⤵
    PID:2732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.1.1662503630\1602227972" -parentBuildID 20221007134813 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {440050c4-4540-42f5-a3df-a7d1d644a763} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 2408 1d091530e58 socket
    3⤵
    - Checks processor information in registry
    PID:2780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.2.1846072491\1992656845" -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3092 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76957c43-56c9-4271-be43-34967c6759f7} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 2916 1d091d64c58 tab
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.3.1198226407\578861399" -childID 2 -isForBrowser -prefsHandle 3380 -prefMapHandle 3336 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {038ee9d8-8145-4ebf-805b-c02bce2ec21a} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 3528 1d085162858 tab
    3⤵
    PID:4684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.4.517477571\630841067" -childID 3 -isForBrowser -prefsHandle 4724 -prefMapHandle 4720 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd863aeb-5a10-44ea-b0c5-3b5719a1f6d7} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 4736 1d097a85758 tab
    3⤵
    PID:1004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.5.1672652079\544229285" -childID 4 -isForBrowser -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0daf38c5-46e4-474d-9fda-dacdb02d622d} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 5216 1d097a87b58 tab
    3⤵
    PID:3828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.6.632706801\746846115" -childID 5 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47ca7329-87c7-43c4-a2bc-41e2a751071b} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 5344 1d097dcb258 tab
    3⤵
    PID:720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1460.7.88091687\280791057" -childID 6 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f78c6e18-2f88-4c15-a8fd-9cdaace28edd} 1460 "\\.\pipe\gecko-crash-server-pipe.1460" 5532 1d097e9f058 tab
    3⤵
    PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x80,0x128,0x7ffa69af46f8,0x7ffa69af4708,0x7ffa69af4718
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6952 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,13779021962243972912,8896632890497034252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1812
- C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
  "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
  2⤵
  - Executes dropped EXE
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\is-RIKLE.tmp\processhacker-2.39-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RIKLE.tmp\processhacker-2.39-setup.tmp" /SL5="$8038E,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:6060
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Checks system information in the registry
      Checks SCSI registry key(s)
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

C:\Users\Admin\Desktop\Pathfinder_2.19.3\Pathfinder_2.19.3.exe
"C:\Users\Admin\Desktop\Pathfinder_2.19.3\Pathfinder_2.19.3.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
844KB

MD5
c7b4204b3aa8819c5457a403e77f33e0

SHA1
f40a7ee2c70eff316374aedacd3770889beb2e22

SHA256
ca211b35591090051912897d79c50b88322fab5a38bcebf2e971f3227656d3f5

SHA512
4c82c519e5450ef235390422a637dbcf15845daf4f008ac0161c3c816bc212a6d7266f35c9d2bfb4602cb22762dd2ebc50936a0d3702fd7e11f2538ef3ec6d34

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
887KB

MD5
7c831d584d11393fb35047e140d480f0

SHA1
4f31f308f3ef59c2f90874a1537f902f93b65748

SHA256
e539b5ac4c04af506838ae0a39f5ecf4709ca2522482ecd9e31d8c683f8ccc1c

SHA512
81c41e215862dd335adaa43dfa2bbde5c6c8bf471bfbdfa8e2e700338f38c959344c56f6cab47f3efa172ef359a5739fc470ae9458cc7d29acd362cfd71471bb

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
96KB

MD5
2ddf9c1bfa6728da1adac893d063da4d

SHA1
f42c9bab11c04cb277531fa2036e8705c1cbd81a

SHA256
761c88d913b38bb3d93eb758353090bad3f0b5044f48340f967f20cb23b9a7ae

SHA512
e67f4e10739396e7e0d86efdf0c71d8afbbceb2e0cdeeff1ab40284d3ec6d148423db8d2444e2b4df137e4c2de376fc2cef340f1d59ed03a8375c69563a3643e

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
102KB

MD5
21285a98c58d049786e353fa0e8a4267

SHA1
eb68d1356fcc64217bd3b4cfde724eccee197933

SHA256
f760ccb6217c233f17c722696320d73e414407cb0519cc3628087acd3d2be08a

SHA512
be6273addf07586f1a89aca3745fa2151d8a9715e41dbeb8b6307764c8cb7fe18028a22d3f294838359e024eb5d16ad909297dd98ccd2a93cc3533732e444b8d

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
109KB

MD5
bfd9907de8cf9acc0178ad83da44542d

SHA1
9aaeb5850b8740a6adaf0ab817a74e2185706ef4

SHA256
e9056e88fb66c3278a996b1a113a30461c5ee8b204711767b22cdb10259dc48e

SHA512
1a75fa2c658e93c73d490db6d950f46cf7d322e43d4e113df4b9722a2f5f2795c036be5818a64acceef272737f7e1029dd40506201880c013d060876f3241e23

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
64KB

MD5
41151dfd32318dd42b1876223d888cb1

SHA1
b2a87c040b7d43d8b5d122a7a991bcc959b267ca

SHA256
426e68aa3f385d5c5445caf33bcea2518b23775f86761df0ef1e1437076e1b23

SHA512
ec2908235d4fb7fcb1439a97998016b02f3cad5dbf744e6dc7c0fd0c4d2e42c5805c43febf99ba77871cb0f0be712d52bdf1041b64e2e03842fb8d3237fee4b2

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
128KB

MD5
adf8e9b982f7f04b63990473ab84fa41

SHA1
593fa87f41c4378bf687f2b2c4baaca41d07a893

SHA256
6b3daadd4eb5e081fdf4a075815a6ce143afd91a73b929115f70ee111311fd21

SHA512
4cec2063dada68eefe0c9f86eef086aad21ac3ff955fb165a4e25467aee13484a01a8265168a60717af7bb32a33e471bec0f0bb45128e6df669786fcd54e2ede

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
184KB

MD5
f26b4939414c5eaed8583f394b15f435

SHA1
74608239326ddb36160a0b3e1222e3666efb469c

SHA256
dacc102eb0d25ae0f351cad2d180f844bc65ae172a0e82b8966cf34a38c8e5b7

SHA512
452d8e5a84e4005f6716d226392e41b57edca0d8618f6ef17066b64361dadae745c6ea56d3465acb79bb886aec2ffb593d947ae76dd3a2e2b1546d59fe1c35c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
138KB

MD5
a9faafd10c1d7f2f4fe191a5286b95f4

SHA1
905c2a892da00bd589a379403aacfc516f22f281

SHA256
1d97dac9fbd74636744dc4064fb0de7822c0a8da58fffd044a9cf316edbe53ea

SHA512
2c2b43aa96e7933b1228aac428d992b5ab161d6883a59d4aa8bba6656b49d313e17ef60ead18d418cdefecb85c8ed3284ac598e8e0b6512c9e393c4b5c73cc4a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
91KB

MD5
51232c88f4b5c36ed1d8a29f19cb479b

SHA1
fd4971582300e267e8f138ee68001c81e28e6d4c

SHA256
2be73994dddbc47bfdaa426ef735db9567e2278f63a6fa48e5816a319ca1e383

SHA512
d5b24aeee5cfe065ecd3f2e5d35340553b08bac0715ff70cc0b159c5c3d14fbc27e12c7d6484e03e9969d476264a8cc9482e65ce1ebecc5f24bd5f46d07c876b

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
103KB

MD5
6855ab0e0d8a060fc8c025f1738f2427

SHA1
1c9c4fda3370c4ef9f82e2e2cca3f7fe2d336138

SHA256
904d164903966457cb43b96e94df5375ef0adf6df6caeb5f46935a0c2de8bf48

SHA512
b03e334593eb9bca0dc2a2c8b2406d64929bd928a9c821b413a339b09722f0b094f66e8078903244a3fa350c91da1730119915ab2d89c8d627a74a929d4a2964

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
57KB

MD5
a7923e335c7634f1e78babfa82e5ea5e

SHA1
769bd2e461e57ad0f07568c4747ef12e8cba3bfe

SHA256
6c47738e1ed3b14fbf4179ea40618308bb7994db9fd738881ff8f7d9bf556aee

SHA512
e497d2bb0980de5bcc24b6dc6c65e129751d52a452b28e88fa537536a168cbb0e29813f540e7bf14483aab7441dd79801e7cd7aceebf55ff2e405729dde8688a

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
82KB

MD5
106abfe2250436d1136330e977c1bcfe

SHA1
cf02a4ab5f954889f4c60f888591a82fe45509a9

SHA256
e156f0f81779365f9431918cabb953ebae4ca20a4b16ee908410a55a77371b05

SHA512
42daec60400036b5d67c39eca00487bdcfef2fcfe96170b91192ca8b4793ef9bb1199ae8a2f036bd1dfdabb763d21c51b1513fd3ad0caf6e3094f47c674b76db

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_29912A7EA9EDB60BB42BD5D9643E27BB

Filesize
471B

MD5
fb608b0566c57d35df53d2cfbaa68da4

SHA1
2d5235341864a3759cf352be9f8a6b5af0ed94f0

SHA256
3676aa2fe9de8dc0f7fba9f5e7e00beb3097958a87ad3ad54635690fa172ff30

SHA512
36ced06d615cd663a3b11daacae8f829d3f6436aa2aebedc91ade940abf9d3066e4ac42b6f513cde28781f2d73aae2c5e9c9b1a7bf80e5a943705c7de1d55a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

Filesize
471B

MD5
2b26eb0694466695d1c048bf65fa5d72

SHA1
60b0f48836337d92295a15730fb71ee75a399b1e

SHA256
134856c78a646d82d323a116713f6cd2d927b1f96fc6b8c7a8802dd625ea8793

SHA512
28ef06f724a24f08bcc0eceabe39f05ca473ea1faf218b44c8ecc8cdf0c75ef57cd2c4d5d022507613a147a57bbb239cca68aacc366767710d3a858108c91f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_29912A7EA9EDB60BB42BD5D9643E27BB

Filesize
404B

MD5
e1c2bad2b4f667b83d8d7e6acc9f0deb

SHA1
a3fd75206c0c4da63a19094394ee1253ad434489

SHA256
4b5547488a1a4d96e3c8429273ec8e2f25b4c48936ad923c55be1fbb74fcb1b7

SHA512
247696a1e61025588dbabb1ad18670b3f9bcb85cf52d0b0c01b60ba1ed76931d693488dd3d82feaf57ca621d06a7c954e602108d620e478041c0331df750f86f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

Filesize
400B

MD5
5d99ac78b6b48d1bd171165e0635221b

SHA1
7403855736fb9381bb8b31916bcae68f9d5b7fce

SHA256
8c0749dc857875111a3fcc902598cd33e9bb9ab634c1368466ab5beea389c440

SHA512
96fa1e7be99c45854395d6fd6c35b6f673c3c2f2bbf24bcd094c464fd739bcbffdc5e00ebc3dddc1e64d70c17658a7d492f943930d60ae2ff56cc51e2dc30ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
1KB

MD5
07e0ad04497435358f3a13877128b101

SHA1
e15f1e4322027b597e521c870ae79ea9f6856e00

SHA256
174b3a52968113d2bdcb3b377e90b1972a65754a45863b71574ce3e6fdcfe794

SHA512
189bb15eb12ad41b4688e38fac4dbdf5b9c2e0bfd9d2fc635a9f89ae961148200898a2cd4a58abc94bc17668f57583742317dffafa869c6590329680683db7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2ccb74d3-0438-4ebf-a895-b10bac1bd715.tmp

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
38d229a09ccd6d2847efa8e96a99ff84

SHA1
bf60fd3f90790b5e995f9d4cf587865cdda0d2ce

SHA256
106dd9cb54b1a23419c3509d63c072f0163539beca3326b48b9d75604d33e277

SHA512
99c8c0ce4ade1795681dd1c6f8e2937c82519969d105476268b1ee8aba3586ddd15cc44016c1672f3137031ae8066c9fce4f73b56511725e007da452ca40ba5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d1b6d9e92c1317ee2be80a054b18e228

SHA1
381f018c0682322ff2519756cd1cc96ab4214b58

SHA256
9f479ea9cd2d5cbf17b138aabe12e3bbce5fa62a6e1746acd1c5d549e9ffbefa

SHA512
e96792e3318e913353f2dca53dbeb595d958ce6c87a8bc741b9aef6dd8128120cc4ea3f9d425884f2f6e03bf064d4914edb831127ee24420e1c5b6e451a6247f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
1f03b0cf59bb6d0b2c2d5f62923ae1bd

SHA1
ec64be91db04274778a6d0d1869a07c7e104f8bb

SHA256
4158609ac6a0bc77b79f0ab936bbd69b9d549b01d2d9a5883d31b18c110e8c80

SHA512
111614429e616c4481c1fb9a8c42aef19b6c88146c6a0ba98de7953a7cbe43c2d42db9ff80fe0b587fa189e21648db025ce654baf063a113df5eefb8ad01999a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d06be7e75dbfcfd0ab6314fb74b0f06a

SHA1
6f00c13b75b3b573277f12cb82748bb93cb4e805

SHA256
36cf522cbc558d66dcf0b7bc69491455222e6564500bbd744e7b21b0abefa518

SHA512
023fcd7530596c0f790124d2f931113b1dd69721c3a4ef025831f6a53da7850d4e57d87a13f9216d8a14bc93ea14e4a785b038ed23fe697e80ad5a4896bb3094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76b8613e27f8d47679fdc59ba332465c

SHA1
566e22aeb47ad0f3207fa005eb30075acdf34ab3

SHA256
866a9d3c5d48e2f01f9af0ad5cfb66a432a2950363799c22fcfc67ad48dfe797

SHA512
c2c7a6dada8cbe2e3102ebae0ff75798107706da16e46461edcbc81499f5fe0830dcea36512d7461f8f760c6bfc0aded3445d34d2b5e5fc5eb1fcb9af7b35d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
65b50a6e1be2708436a1cfbb775d14be

SHA1
6e1d5aeef9b2e629a2a60895c80503933b8f5f7b

SHA256
ee433efac13075dd8875e18f07526cebc76df4db4e3185956a5db553e790cacf

SHA512
6eb6a7b9de417a9543d812419143032cdd4fc6ffe2c9a5c41c9cd64e0f65c36125ef7322927077ee00d84224dfd5f40c15a127ae017eac8054a1f5cfa11c3c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
70c0181c490d26299434fd163144d77e

SHA1
a9bab62f9c41e46ad3bfad16bfbf6a4e9079adf5

SHA256
7d77c7dde3d6474ed4e53a0f7fc714028252de79b82cfd15fc9a52e1af84d15e

SHA512
a87bdcc0425867eb36dc006a7a3f9ecd501f2de02da72ce77329594e88c3a542d72f66afb5f207764f269aee1e56108a8778865197f2c6c2ab1f4c54945c478e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3242956e8164e27c13d8e45c6184deaa

SHA1
9923b86c6e81c5974ed32cc944db777b26e96559

SHA256
4167b01f20e2e5c5b1488caf3caa59c992c3172f11762bebf85d8b78d97be904

SHA512
6537f5ff2b4ad79294c348cef8b921158ace79eb19a2e8b1703fb6bf411b408967c6eb4e4afa1365f85e210e2976649b1cee9414c993337e02c7eae6ba3bc58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
adfe4037b46f0e35edf890cff71e58e3

SHA1
43a3555e3c86815dd512a593b7c4d9ec60d00c7c

SHA256
b4cf14cd770915ee5b410750334ea31c49fc706c71acd78fd2cdcb94db587348

SHA512
a2cce4173067aa929b10c5808bab1bf7145a53934b71e93bb940701eeeae1cbdc17b52a8d87909b48b85ad3667f6315c27d2e55d6b6000e7f2f8e29781839b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
43ed33c3875d7c7d25ae583e5cbe17af

SHA1
9c2fced7e54e715e765b145a1d485bd43e27e64f

SHA256
0cc4c1bad6fc3165faa70fd9069a7b7bde9305a59044035582a1cd179864886d

SHA512
f420c4ba012b96f6850d5e7a3cac9205819b4f11162f10ad40992de220f2adcaf6e23d3da5f854f17388ef7c473da05f8da5bebbc03201cee9d0e59b1b375da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2704688012d41871579f4c09f8becc0b

SHA1
986850a3bfad0b3e27fe8660724f7ddf61ce609a

SHA256
4cde2b708e7e61262d248b89ebd64f2b2ab682f49e6a3afa1e5c1a670e806b41

SHA512
67daedc09c116ea9d316e6cf67bbc011b13b3041475a66e82b27360e1ad2b0a9a0ab4fb41670e832b0bdc67a24ea316cf73346ef677f5c03f75b299141795d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ef3d.TMP

Filesize
1KB

MD5
3667997561b7a9ff528dd076c7a9801e

SHA1
25f93fd8561c040938092a8cff55e5477ffabc59

SHA256
558fef732c3788c3d63b0ba6ecb43be29cb1e086c806575c51406c65b5c2cd2d

SHA512
b70da02557f828e4123093198ba54c24d333bd1c655e981c9adff0e9545226edceecc45504f766c4ff3db7a4a5909329902b2918cb944dc8a6142ce379c67cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
372b160979961af83989f68f9887ace5

SHA1
873e543e50a4d29296dc117a362bbb5275ff09d1

SHA256
be45a942c67ddd6700988c448b24862d912f54d04aa2744ccae3458fa38a7a2f

SHA512
d63392b66733c513ce94c16064ff4123f5255789b9bcd35ab145d164d7467d38df4c325ab0d52d475a8557a3443446a8b661c3c1e9a8e157af8481654c0af128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
772ea110c7a85d5134a634a815abf749

SHA1
f5089c84a7e40222dae67bffe1419fabda4347b5

SHA256
4ff0371a3dd63569c9ec777460192f2d2a2a92578165f9c65c9b9205d2facc8d

SHA512
55374b405e86a59bddac7b1d0ea30bf1666ae836f6d0ef8a90ad79d16c95ff6f341aafc7d205bd3fc886ea5ac454483edaf205e520514fa8c12d892204ff2abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d9411206a508565708f910443f2e41b6

SHA1
6956fbd25cb96198ac73a3da8e4499fac543c54f

SHA256
b7c866ac8895b25adf7efc96da861eaaf7c0992997bac486ec4a2c51ac97b760

SHA512
b88eccd8ecb1c8db16ba886b58330801b4d69e00253458201a7817979a2c342de612a29bb8577e9497e7408d88847cd304c8f7c34f20ee4839b123a36b189355

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RIKLE.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b3850bd14cbc33019aaa91134c2f289e

SHA1
bff08f47fec1ef0fac817382b02e0b52a61991c1

SHA256
597c0ebcf2561a121255b8722a2b78c8355133c4b81976842ee243122c64fb41

SHA512
abc7966dac90fc28a6ce356398e588b1e86f7d309b30a3dbc840a040e7a54625382670e708e24dada09c2322ab6611ed1d5e1097d36778928521c5457bc30844

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\pending_pings\7d64948c-6c99-4877-b9a6-041ca4653612

Filesize
746B

MD5
8d5f4ff4cfa7207dbb8af40d362efea1

SHA1
e6cd2e18df9fc2ca2b0403aa1cd2a5159b4cde0f

SHA256
54666978826ad6535bbe9ad8228572d6eaffefabc70260e935a7156d22861723

SHA512
7444fd4a6b6cd8700cf8b28b163ea7fbecb654eba109437efbc3def8d7af390a6242ff5008f8684750e3343c69148eecdb97825acd002e380fc449d4cbf12086

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\datareporting\glean\pending_pings\cfb8701e-ee32-47eb-9516-e25a3e798911

Filesize
11KB

MD5
e357f3dc8e9475a61f045e8de4de1a36

SHA1
6131b122f3d20dbd80f0a44e038804d3f1f2b4be

SHA256
f6eb196427681ed326e254af253e80cfecae0b7d3f42f9d7a3fc6a636b64f14e

SHA512
b43a6621f2baac3444bdf893be16bbbedd50520ade25279446caebae6603cefcf72f65148345cccf99afef9e4f6aeb1a018d9c5b21f5215549c33432a63f726e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

Filesize
6KB

MD5
69edd94fa110e56084a0f9ef9d215d1d

SHA1
8960c0a8a76fdbe2ab07263f73a2923f7f14e312

SHA256
68c91551f005cfc0cf87b442fb8efe3e57cc81af77bf8e9c059b84358968d940

SHA512
171c4f019d0e685af98a2ccb5ae4e4be13b3e001f6d8d8f431088bb3817eacfcb424b63c8c809ed99ecc3bfa59320b93af6300f50add835886aa9d6ddebf3395

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

Filesize
6KB

MD5
1c1403db94958591682b39eff7d580af

SHA1
01fbc62597a4f9144d124951dd82cff34db3da76

SHA256
e9c431ac5f18d2d6522ebd7da763769c84761df36fd05fa9d96001cbc67c9932

SHA512
2493f6216bf1f1352b3136c369e4baf602b7c898e18d4fdb4be3c65c79d9afb1450c82cfcf545f53bb7a7ac27ddc5fbfab24bc16986d7508876dcb933f0adb63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\sessionstore.jsonlz4

Filesize
882B

MD5
6d19ae37300372fae28e29865a599ff5

SHA1
e1de434b7cf2c2a080dd43bca34e05c1bf5f65ec

SHA256
a4f0211e84635e9cc3489ad75f6d0e7008de0bf16ed6a97707ef1d22db3d9185

SHA512
eb1e09cc4a51d96751fd36b15e359dc2b2c5d42a7680b9aefbea3129755c512e1eba8255a28c33cf20b488ba1b9f905732ab5a5680ca5e85d0bb572cad4815b1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 943086.crdownload

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
memory/404-13-0x00000000069C0000-0x0000000006A10000-memory.dmp

Filesize
320KB

Download
memory/404-10-0x0000000003290000-0x00000000032F6000-memory.dmp

Filesize
408KB

Download
memory/404-9-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/404-11-0x0000000005C30000-0x0000000005C40000-memory.dmp

Filesize
64KB

Download
memory/404-8-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/404-16-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/404-12-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/404-14-0x0000000006AB0000-0x0000000006B4C000-memory.dmp

Filesize
624KB

Download
memory/404-6-0x0000000001200000-0x000000000125A000-memory.dmp

Filesize
360KB

Download
memory/2032-382-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2032-92-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2032-93-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2032-380-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2032-372-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2032-373-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2816-23-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2816-17-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2816-20-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2816-21-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2816-18-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3368-918-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3368-926-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3368-924-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3368-922-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3368-920-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3368-919-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3460-22-0x0000000000570000-0x00000000005CA000-memory.dmp

Filesize
360KB

Download
memory/3460-25-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/3808-673-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3808-782-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3808-671-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-7-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/5020-3-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/5020-4-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/5020-0-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/5020-1-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/5020-5-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/5276-381-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/5276-515-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/5276-376-0x0000000000840000-0x000000000089A000-memory.dmp

Filesize
360KB

Download
memory/5568-923-0x0000000001140000-0x000000000119A000-memory.dmp

Filesize
360KB

Download
memory/5568-927-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/5568-928-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/6060-777-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/6060-678-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download