Analysis
Max time kernel: 177s
Max time network: 147s
Platform: windows11-21h2_x64
Resource: win11-20240508-en
Resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 11/06/2024, 19:23

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: processhacker-2.39-setup3.exe
Resource: win11-20240508-en
General
Target: processhacker-2.39-setup3.exe
Size: 2.2MB
MD5: 54daad58cce5003bee58b28a4f465f49
SHA1: 162b08b0b11827cc024e6b2eed5887ec86339baa
SHA256: 28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063
SHA512: 8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829
SSDEEP: 49152:l9hfV/U5NkLXXzGZjt6kFTCVP6hWE0wvmk/eE+FrAl+NGsOSE6IX8pq:Dh9/ULkjKxtTGP6VZd2rAcvOSE6Nq
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid   Process
3816  processhacker-2.39-setup3.tmp
1444  ProcessHacker.exe
1232  unins000.exe
832   _iu14D2N.tmp

Loads dropped DLL 12 IoCs
pid Process 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc      Process
File opened (read-only)  \??\F:   ProcessHacker.exe

Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description        ioc                                                                                            Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   ProcessHacker.exe

Drops file in Program Files directory 43 IoCs
description                   ioc                                                              Process
File opened for modification  C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll        processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll           processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-BU4PU.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-K2R1O.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-HLGB9.tmp               processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-L0GPI.tmp               processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-2CRDA.tmp               processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe              processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-9OLJS.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-326HL.tmp               processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-RSGAJ.tmp               processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll  processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-1TERV.tmp                       processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\peview.exe                         processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll          processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\Updater.dll                processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\UserNotes.dll              processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-F533I.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-UUEJ2.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-HHIIO.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-G6C06.tmp               processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll        processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\unins000.dat                       _iu14D2N.tmp
File created                  C:\Program Files\Process Hacker 2\is-C0DUV.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\x86\is-E5OTO.tmp                   processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-J1ARB.tmp               processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-OH2E9.tmp               processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\unins000.dat                       processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll            processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll         processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-Q303Q.tmp                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-RD7A9.tmp               processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll           processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll       processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll            processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\unins000.dat                       processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\x86\plugins\is-V63U3.tmp           processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-VPE9U.tmp               processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-HVHK9.tmp               processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\ProcessHacker.exe                  processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\plugins\is-1HOHC.tmp               processhacker-2.39-setup3.tmp
File created                  C:\Program Files\Process Hacker 2\is-2LHDK.tmp                       processhacker-2.39-setup3.tmp
File opened for modification  C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll             processhacker-2.39-setup3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                              Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc    ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName  ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters  ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags        ProcessHacker.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                    ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName       ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service       ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters  ProcessHacker.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control            ProcessHacker.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf       ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc         ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service            ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters       ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters       ProcessHacker.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000               ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags   ProcessHacker.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control       ProcessHacker.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf            ProcessHacker.exe

Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet          ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ProcessHacker.exe
Key opened         \Registry\Machine\Hardware\Description\System\CentralProcessor                       ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier    ProcessHacker.exe
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          ProcessHacker.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     ProcessHacker.exe
Key enumerated     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                       ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet          ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString ProcessHacker.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier          ProcessHacker.exe

Modifies registry class 1 IoCs
description  ioc                                                                                                  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  _iu14D2N.tmp

Modifies system certificate store
description       ioc                                                                                                              Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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  ProcessHacker.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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  ProcessHacker.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25                                                                 ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3816 processhacker-2.39-setup3.tmp 3816 processhacker-2.39-setup3.tmp 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid  Process
684  Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs
description                          pid   Process
Token: SeDebugPrivilege              1444  ProcessHacker.exe
Token: SeIncBasePriorityPrivilege    1444  ProcessHacker.exe
Token: 33                            1444  ProcessHacker.exe
Token: SeLoadDriverPrivilege         1444  ProcessHacker.exe
Token: SeProfSingleProcessPrivilege  1444  ProcessHacker.exe
Token: SeRestorePrivilege            1444  ProcessHacker.exe
Token: SeShutdownPrivilege           1444  ProcessHacker.exe
Token: SeTakeOwnershipPrivilege      1444  ProcessHacker.exe

Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 3816 processhacker-2.39-setup3.tmp 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 832 _iu14D2N.tmp -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe 1444 ProcessHacker.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   Process                        procid_target
PID 4528 wrote to memory of 3816  4528  processhacker-2.39-setup3.exe  78
PID 4528 wrote to memory of 3816  4528  processhacker-2.39-setup3.exe  78
PID 4528 wrote to memory of 3816  4528  processhacker-2.39-setup3.exe  78
PID 3816 wrote to memory of 1444  3816  processhacker-2.39-setup3.tmp  80
PID 3816 wrote to memory of 1444  3816  processhacker-2.39-setup3.tmp  80
PID 1232 wrote to memory of 832   1232  unins000.exe                   86
PID 1232 wrote to memory of 832   1232  unins000.exe                   86
PID 1232 wrote to memory of 832   1232  unins000.exe                   86
Processes
(Indentation shows parent/child relationships in the process tree.)

C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup3.exe"
  PID: 4528
  Signatures:
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-NKJGO.tmp\processhacker-2.39-setup3.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-NKJGO.tmp\processhacker-2.39-setup3.tmp" /SL5="$40220,1874675,150016,C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup3.exe"
    PID: 3816
    Signatures:
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    C:\Program Files\Process Hacker 2\ProcessHacker.exe
      Command line: "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      PID: 1444
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Checks system information in the registry
        - Checks SCSI registry key(s)
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3204

C:\Program Files\Process Hacker 2\unins000.exe
  Command line: "C:\Program Files\Process Hacker 2\unins000.exe"
  PID: 1232
  Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Process Hacker 2\unins000.exe" /FIRSTPHASEWND=$6021E
    PID: 832
    Signatures:
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow

Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 25KB
MD5: b13de4e8531af294f87ffddccb08d7ce
SHA1: ad2ab669f274cacced734962292d87aeb374f51f
SHA256: 69e38f590a9a25f656e7507af76229a3a6678a8c57b4e879ff8ce7e52fd704ff
SHA512: 56f7ff43e7b658311017d37238949e36b7ad9c763f73faf57a97a6f9cfb70282de3fa7f931ff58dc8cc034f40eb804b4ed4b44518faa9d2cf61be34f375bb763

Filesize: 6KB
MD5: 39b07060a5c6199730219e29c747c061
SHA1: 038a6a661f5415762ff82f908aaa77e8bb72ff76
SHA256: 319cd301cf40be03c00cd086560d4e810e0f6d0dbfdc2d28d6af3522c027cf49
SHA512: 3cf326af2c99fbbb4d5570754ff493beb0933af40f124fd39e54d8d61012787f943bc263b71a5bfa5f4b0260720b061eeb814add9443cb9b4a9ad01511894442

Filesize: 35KB
MD5: eb59e0a5d01d0a5b02da0c9e7786969f
SHA1: 96eed0bf00ae770347861a02f8fd6b3603e12013
SHA256: c38e811f6f83428921d0cecd998a44b717149b577b4c1a63b66064f03c34e4e7
SHA512: 83040f795eeb57355f86ff862e72579d28cc8ee23191eb121f5b1666803ce285a9ea88a699f28f4763d8779be2651503bab02a88db58eba1ab59f67edbedb943

Filesize: 1.6MB
MD5: b365af317ae730a67c936f21432b9c71
SHA1: a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256: bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
SHA512: cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Filesize: 64B
MD5: 2ccb4420d40893846e1f88a2e82834da
SHA1: ef29efec7e3e0616948f9fe1fd016e43b6c971de
SHA256: 519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4
SHA512: b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Filesize: 2KB
MD5: 72ac5a8dd6491e525b9783c9bc439fe6
SHA1: 5044e673dcf85b27b846bf7216f332f429b52067
SHA256: 0c4f051675a690ea4db6ab2eb81fdced6990e2538ad21dc4610aa5925253a090
SHA512: 7a25d2d42d5860acc5752aff618492e9a66275903795e75b9843687fca6f1640f698e0f60c2e7e08dbccd3a2cfb73de07e3d6162d0067028886bc43b4efab143

Filesize: 44KB
MD5: 1b5c3c458e31bede55145d0644e88d75
SHA1: a21c84c6bf2e21d69fa06daaf19b4cc34b589347
SHA256: 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
SHA512: 0d7abcc792127c37d6af58ec5b900c1754d02913794fcf37d92c400d3a9eb8981f6aa5515e48fa8fc11ac0eb51c1da260d7defc0e60b21de70a4e58413c296fb

Filesize: 229KB
MD5: dde1f44789cd50c1f034042d337deae3
SHA1: e7e494bfadb3d6cd221f19498c030c3898d0ef73
SHA256: 4259e53d48a3fed947f561ff04c7f94446bedd64c87f52400b2cb47a77666aaa
SHA512: 33060b907c4bc2335328498aac832790f7bc43281788fa51f9226a254f2e4dbd0a73b230d54c2cde499b2f2e252b785a27c9159fc5067018425a9b9dbcdbedbc

Filesize: 132KB
MD5: b16ce8ba8e7f0ee83ec1d49f2d0af0a7
SHA1: cdf17a7beb537853fae6214d028754ce98e2e860
SHA256: b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9
SHA512: 32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Filesize: 140KB
MD5: be4dc4d2d1d05001ab0bb2bb8659bfad
SHA1: c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e
SHA256: 61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795
SHA512: 31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Filesize: 136KB
MD5: 4858bdb7731bf0b46b247a1f01f4a282
SHA1: de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60
SHA256: 5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60
SHA512: 41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Filesize: 196KB
MD5: bc61e6fb02fbbfe16fb43cc9f4e949f1
SHA1: 307543fcef62c6f8c037e197703446fcb543424a
SHA256: f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87
SHA512: 0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Filesize: 180KB
MD5: a46c8bb886e0b9290e5dbc6ca524d61f
SHA1: cfc1b93dc894b27477fc760dfcfb944cb849cb48
SHA256: acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00
SHA512: 5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Filesize: 134KB
MD5: d6bed1d6fdbed480e32fdd2dd4c13352
SHA1: 544567d030a19e779629eed65d2334827dcda141
SHA256: 476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e
SHA512: 89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Filesize: 222KB
MD5: 12c25fb356e51c3fd81d2d422a66be89
SHA1: 7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c
SHA256: 7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de
SHA512: 927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Filesize: 95KB
MD5: 37cbfa73883e7e361d3fa67c16d0f003
SHA1: ffa24756cdc37dfd24dc97ba7a42d0399e59960a
SHA256: 57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b
SHA512: 6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Filesize: 243KB
MD5: 3788efff135f8b17a179d02334d505e6
SHA1: d6c965ba09b626d7d157372756ea1ec52a43f6b7
SHA256: 5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab
SHA512: 215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Filesize: 110KB
MD5: 6976b57c6391f54dbd2828a45ca81100
SHA1: a8c312a56ede6f4852c34c316c01080762aa5498
SHA256: 0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e
SHA512: 54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Filesize: 114KB
MD5: e48c789c425f966f5e5ee3187934174f
SHA1: 96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d
SHA256: fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52
SHA512: efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Filesize: 133KB
MD5: 0e8d04159c075f0048b89270d22d2dbb
SHA1: d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22
SHA256: 282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a
SHA512: 56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Filesize: 16KB
MD5: 1cfc16d1d5e617a39e3bd6204e96c6ab
SHA1: e44ef663decc3f284ed973ed20efb6a1acb2fedc
SHA256: e692324d3d231af7238c96734ddf67f5423d62455ee8144f3d4770f315acdee5
SHA512: 2e15a43fd12d530c74f5336302ec98e11cc4b29868e1002d0ec5a94a39da150ab3e19359f108bc8bc92a0e91b286c5ce7acccd4391285c5edf832758585216eb

Filesize: 796KB
MD5: 43ea49877a2a1508ba733e41c874e16e
SHA1: c15c80a9c3799b654fdca92b44af2521fa41ef06
SHA256: e7c1d4c07728671c3b28295c863bbe681f962196c8a974eb4b3003540338aa04
SHA512: 99577f1ef0e7dfd621829186643e750d7b5eedc2a0f766f5e8684f70cc4034eaef059c6991098100627c89cb40fe6fec04ef543f637aebb5fb4979b06d872127

Filesize: 2KB
MD5: d9bafdd7e880b6b7d5c5944e0beafb4e
SHA1: 1996efedafa68b831c20cee246a67d2378e18a9f
SHA256: b22118c3159d96c061e3e6f668cb26f0c679bb96fccd2c788584d3e2a64c4c35
SHA512: 42db25b94414e8118f2746f0ee35f6537572a39825237ed39bf2b3f10a62e3b2c49de10275928c878b53397bd628500fe3986a12dbc83eccb50a8adff18edc0d

Filesize: 1.4MB
MD5: 68f9b52895f4d34e74112f3129b3b00d
SHA1: c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e
SHA256: d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
SHA512: 1cd875f9d0301b14645ea608fe61560a229ee395fa061f32675c3d84e41916998f887278d8497a5e875be22ba8fcbcfcbd878a5e2ed1746dc75430b7aed5fede

Filesize: 111KB
MD5: 15ab3740703138ed5c091ea7736620f4
SHA1: 545a9e061fd25d5c42a7a105ae17008543e20406
SHA256: 0d7240d074ba544c90df72d5e339978aa2edc19f4a02c0a302718d851b11c384
SHA512: 6107c70fe223e43ec3f14f8a4430f6947fd972d3878b3a270c03eff2b51f18fdd9d22307b1b3a71a52e696545339ba5c1695a34f58295fdb23a9eb2aed0b8f1f

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Help and Support\Changelog.lnk
Filesize: 995B
MD5: 9ad5a56b7c7857b39886c59b7d7e81ff
SHA1: 0d5d808e55b5bd06383a9c17ea61840f430edcc9
SHA256: 7cabdf2845df7e954a9cbb0eda68bdef1f2157328c9f49443b5f06de7efe50a9
SHA512: ff46933049264b571350f57f69198a302bce8374eb5f3a5733f5b76475b1ecb78826e82ca0817c5d07b2078c1606887fad6c6f7348eec64a6c2120a85a2e406f

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Help and Support\Process Hacker 2 on the Web.url
Filesize: 63B
MD5: 645c95183495f00e4175ea7a25d3ee80
SHA1: 2598d44ed2d6f3cf758b9983ea2c39bda4690315
SHA256: 60a172e81a2c07e2006465f8625306e385b4fe57fca02ad5da8af91527ed6de9
SHA512: 5c8a83e774b0264e032ea2fca66bbd65606648b39f57447669ae7c8f6f141677173f650a58027a46d180f7bd2df9eb301eac10665a5d2521f547be272c13ed33

Filesize: 1KB
MD5: 6e172e4cff1344a8e9d0e1d785833371
SHA1: 631881598de5f4c90c9f54d99bf2398f2caf3989
SHA256: 14228945f577979945106e3efa6bfe0b78cc0ea201119bb2bdd09d31cceb2f41
SHA512: 544922c22e4008d6fe75b7e718685429912e1557f01dde29dfb23864c9586c90c97eb89eb9f173f29fb7ba0b7e80934d3588273e0044ab4ef9bb7bc824b81305

Filesize: 1KB
MD5: 897f17ebd5c483f4dcaf9856b27a5e2e
SHA1: 126973b9b9ba169ee81c2abf7471c382e3f03cd4
SHA256: c760acd70cbf685a8780a466d08d3647f64b980ce2e5dc77ca5cb2c807a9c16d
SHA512: 0e9b27b2b16a502fb8f8c62cb2d16374cdcbd4104a7f0a939c8fa24f3117734283879c1d651680e6531976a8b2667c9d6c91e0c010d750f117338ad631422ebc

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Uninstall Process Hacker 2.lnk
Filesize: 1KB
MD5: 1cf8784f574e8e5eaa0ed815e4db84cc
SHA1: 60ec00c56bad6d9bc74318db8add3e7f5c233c72
SHA256: 6279d03aab80c6dde163637ef54a49e178b75443a02b41a8179a2a628f53f0f9
SHA512: 72104f45688ee03344baee0180616c22d80786664b3a38c9faa6662e72c5fd5c8c5a03cfacca6dfe06c2def44829626186cc7463c13a31b30a423e98f7cf8451

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Filesize: 785KB
MD5: 1c96ed29e0136825e06f037bf10b2419
SHA1: b74a55279474253639bebf9c92f10f947145ff30
SHA256: b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021
SHA512: 0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Filesize: 10KB
MD5: e5ce818fa383adee96bbd638e90d910d
SHA1: 4bdb251c7758c9a0ab9af45c952ddbeb06a7149e
SHA256: bd353767db2ea0ca6124af1e2d4fcf5bbe569c069746749897af7b436a97a94e
SHA512: 7bcf351b0ed514f4da51c71fa9bb7e28f87271b10a8da36474b9858f1b3519d147e5eb5bccd75c88953de8220d1d945e9b6a217be9baf61ad23e00e377efc746

Filesize: 1KB
MD5: 2f2d8948a8074e32df3195165c2d58ce
SHA1: 6d046c4ba2f0efb7f21661b862eda81c91532ec2
SHA256: f21b0da3caacd2131908ea6f79deeba1841d6cfce87f8f3c79e80f1628605fc2
SHA512: 9920a829433326f9edaaca53a7c3321aedcdcb1a793502ba8ed9e86a157edeaa75d7751d389557528ecd9213b1d4ced789ed6402353e419167a9822cd293a9d5