28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

Analysis

max time kernel
177s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/06/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

processhacker-2.39-setup3.exe
Size

2.2MB
MD5

54daad58cce5003bee58b28a4f465f49
SHA1

162b08b0b11827cc024e6b2eed5887ec86339baa
SHA256

28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063
SHA512

8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829
SSDEEP

49152:l9hfV/U5NkLXXzGZjt6kFTCVP6hWE0wvmk/eE+FrAl+NGsOSE6IX8pq:Dh9/ULkjKxtTGP6VZd2rAcvOSE6Nq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3816	processhacker-2.39-setup3.tmp
1444	ProcessHacker.exe
1232	unins000.exe
832	_iu14D2N.tmp

Loads dropped DLL 12 IoCs

pid	Process
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ProcessHacker.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-BU4PU.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-K2R1O.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-HLGB9.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-L0GPI.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-2CRDA.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-9OLJS.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-326HL.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-RSGAJ.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-1TERV.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-F533I.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-UUEJ2.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-HHIIO.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-G6C06.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	_iu14D2N.tmp
File created	C:\Program Files\Process Hacker 2\is-C0DUV.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-E5OTO.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-J1ARB.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-OH2E9.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-Q303Q.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-RD7A9.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-V63U3.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-VPE9U.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-HVHK9.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-1HOHC.tmp	processhacker-2.39-setup3.tmp
File created	C:\Program Files\Process Hacker 2\is-2LHDK.tmp	processhacker-2.39-setup3.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	ProcessHacker.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_iu14D2N.tmp

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3816	processhacker-2.39-setup3.tmp
3816	processhacker-2.39-setup3.tmp
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
684	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	1444	ProcessHacker.exe
Token: 33	1444	ProcessHacker.exe
Token: SeLoadDriverPrivilege	1444	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	1444	ProcessHacker.exe
Token: SeRestorePrivilege	1444	ProcessHacker.exe
Token: SeShutdownPrivilege	1444	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	1444	ProcessHacker.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3816	processhacker-2.39-setup3.tmp
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
832	_iu14D2N.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe
1444	ProcessHacker.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3816	4528	processhacker-2.39-setup3.exe	78
PID 4528 wrote to memory of 3816	4528	processhacker-2.39-setup3.exe	78
PID 4528 wrote to memory of 3816	4528	processhacker-2.39-setup3.exe	78
PID 3816 wrote to memory of 1444	3816	processhacker-2.39-setup3.tmp	80
PID 3816 wrote to memory of 1444	3816	processhacker-2.39-setup3.tmp	80
PID 1232 wrote to memory of 832	1232	unins000.exe	86
PID 1232 wrote to memory of 832	1232	unins000.exe	86
PID 1232 wrote to memory of 832	1232	unins000.exe	86

C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup3.exe
"C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\is-NKJGO.tmp\processhacker-2.39-setup3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NKJGO.tmp\processhacker-2.39-setup3.tmp" /SL5="$40220,1874675,150016,C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup3.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Program Files\Process Hacker 2\ProcessHacker.exe
    "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks system information in the registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3204

C:\Program Files\Process Hacker 2\unins000.exe
"C:\Program Files\Process Hacker 2\unins000.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
  "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Process Hacker 2\unins000.exe" /FIRSTPHASEWND=$6021E
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\CHANGELOG.txt

Filesize
25KB

MD5
b13de4e8531af294f87ffddccb08d7ce

SHA1
ad2ab669f274cacced734962292d87aeb374f51f

SHA256
69e38f590a9a25f656e7507af76229a3a6678a8c57b4e879ff8ce7e52fd704ff

SHA512
56f7ff43e7b658311017d37238949e36b7ad9c763f73faf57a97a6f9cfb70282de3fa7f931ff58dc8cc034f40eb804b4ed4b44518faa9d2cf61be34f375bb763

Download Submit
C:\Program Files\Process Hacker 2\COPYRIGHT.txt

Filesize
6KB

MD5
39b07060a5c6199730219e29c747c061

SHA1
038a6a661f5415762ff82f908aaa77e8bb72ff76

SHA256
319cd301cf40be03c00cd086560d4e810e0f6d0dbfdc2d28d6af3522c027cf49

SHA512
3cf326af2c99fbbb4d5570754ff493beb0933af40f124fd39e54d8d61012787f943bc263b71a5bfa5f4b0260720b061eeb814add9443cb9b4a9ad01511894442

Download Submit
C:\Program Files\Process Hacker 2\LICENSE.txt

Filesize
35KB

MD5
eb59e0a5d01d0a5b02da0c9e7786969f

SHA1
96eed0bf00ae770347861a02f8fd6b3603e12013

SHA256
c38e811f6f83428921d0cecd998a44b717149b577b4c1a63b66064f03c34e4e7

SHA512
83040f795eeb57355f86ff862e72579d28cc8ee23191eb121f5b1666803ce285a9ea88a699f28f4763d8779be2651503bab02a88db58eba1ab59f67edbedb943

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\README.txt

Filesize
2KB

MD5
72ac5a8dd6491e525b9783c9bc439fe6

SHA1
5044e673dcf85b27b846bf7216f332f429b52067

SHA256
0c4f051675a690ea4db6ab2eb81fdced6990e2538ad21dc4610aa5925253a090

SHA512
7a25d2d42d5860acc5752aff618492e9a66275903795e75b9843687fca6f1640f698e0f60c2e7e08dbccd3a2cfb73de07e3d6162d0067028886bc43b4efab143

Download Submit
C:\Program Files\Process Hacker 2\kprocesshacker.sys

Filesize
44KB

MD5
1b5c3c458e31bede55145d0644e88d75

SHA1
a21c84c6bf2e21d69fa06daaf19b4cc34b589347

SHA256
70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4

SHA512
0d7abcc792127c37d6af58ec5b900c1754d02913794fcf37d92c400d3a9eb8981f6aa5515e48fa8fc11ac0eb51c1da260d7defc0e60b21de70a4e58413c296fb

Download Submit
C:\Program Files\Process Hacker 2\peview.exe

Filesize
229KB

MD5
dde1f44789cd50c1f034042d337deae3

SHA1
e7e494bfadb3d6cd221f19498c030c3898d0ef73

SHA256
4259e53d48a3fed947f561ff04c7f94446bedd64c87f52400b2cb47a77666aaa

SHA512
33060b907c4bc2335328498aac832790f7bc43281788fa51f9226a254f2e4dbd0a73b230d54c2cde499b2f2e252b785a27c9159fc5067018425a9b9dbcdbedbc

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Program Files\Process Hacker 2\unins000.dat

Filesize
16KB

MD5
1cfc16d1d5e617a39e3bd6204e96c6ab

SHA1
e44ef663decc3f284ed973ed20efb6a1acb2fedc

SHA256
e692324d3d231af7238c96734ddf67f5423d62455ee8144f3d4770f315acdee5

SHA512
2e15a43fd12d530c74f5336302ec98e11cc4b29868e1002d0ec5a94a39da150ab3e19359f108bc8bc92a0e91b286c5ce7acccd4391285c5edf832758585216eb

Download Submit
C:\Program Files\Process Hacker 2\unins000.exe

Filesize
796KB

MD5
43ea49877a2a1508ba733e41c874e16e

SHA1
c15c80a9c3799b654fdca92b44af2521fa41ef06

SHA256
e7c1d4c07728671c3b28295c863bbe681f962196c8a974eb4b3003540338aa04

SHA512
99577f1ef0e7dfd621829186643e750d7b5eedc2a0f766f5e8684f70cc4034eaef059c6991098100627c89cb40fe6fec04ef543f637aebb5fb4979b06d872127

Download Submit
C:\Program Files\Process Hacker 2\uninstall.ico

Filesize
2KB

MD5
d9bafdd7e880b6b7d5c5944e0beafb4e

SHA1
1996efedafa68b831c20cee246a67d2378e18a9f

SHA256
b22118c3159d96c061e3e6f668cb26f0c679bb96fccd2c788584d3e2a64c4c35

SHA512
42db25b94414e8118f2746f0ee35f6537572a39825237ed39bf2b3f10a62e3b2c49de10275928c878b53397bd628500fe3986a12dbc83eccb50a8adff18edc0d

Download Submit
C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe

Filesize
1.4MB

MD5
68f9b52895f4d34e74112f3129b3b00d

SHA1
c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e

SHA256
d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f

SHA512
1cd875f9d0301b14645ea608fe61560a229ee395fa061f32675c3d84e41916998f887278d8497a5e875be22ba8fcbcfcbd878a5e2ed1746dc75430b7aed5fede

Download Submit
C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll

Filesize
111KB

MD5
15ab3740703138ed5c091ea7736620f4

SHA1
545a9e061fd25d5c42a7a105ae17008543e20406

SHA256
0d7240d074ba544c90df72d5e339978aa2edc19f4a02c0a302718d851b11c384

SHA512
6107c70fe223e43ec3f14f8a4430f6947fd972d3878b3a270c03eff2b51f18fdd9d22307b1b3a71a52e696545339ba5c1695a34f58295fdb23a9eb2aed0b8f1f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Help and Support\Changelog.lnk

Filesize
995B

MD5
9ad5a56b7c7857b39886c59b7d7e81ff

SHA1
0d5d808e55b5bd06383a9c17ea61840f430edcc9

SHA256
7cabdf2845df7e954a9cbb0eda68bdef1f2157328c9f49443b5f06de7efe50a9

SHA512
ff46933049264b571350f57f69198a302bce8374eb5f3a5733f5b76475b1ecb78826e82ca0817c5d07b2078c1606887fad6c6f7348eec64a6c2120a85a2e406f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Help and Support\Process Hacker 2 on the Web.url

Filesize
63B

MD5
645c95183495f00e4175ea7a25d3ee80

SHA1
2598d44ed2d6f3cf758b9983ea2c39bda4690315

SHA256
60a172e81a2c07e2006465f8625306e385b4fe57fca02ad5da8af91527ed6de9

SHA512
5c8a83e774b0264e032ea2fca66bbd65606648b39f57447669ae7c8f6f141677173f650a58027a46d180f7bd2df9eb301eac10665a5d2521f547be272c13ed33

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\PE Viewer.lnk

Filesize
1KB

MD5
6e172e4cff1344a8e9d0e1d785833371

SHA1
631881598de5f4c90c9f54d99bf2398f2caf3989

SHA256
14228945f577979945106e3efa6bfe0b78cc0ea201119bb2bdd09d31cceb2f41

SHA512
544922c22e4008d6fe75b7e718685429912e1557f01dde29dfb23864c9586c90c97eb89eb9f173f29fb7ba0b7e80934d3588273e0044ab4ef9bb7bc824b81305

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Process Hacker 2.lnk

Filesize
1KB

MD5
897f17ebd5c483f4dcaf9856b27a5e2e

SHA1
126973b9b9ba169ee81c2abf7471c382e3f03cd4

SHA256
c760acd70cbf685a8780a466d08d3647f64b980ce2e5dc77ca5cb2c807a9c16d

SHA512
0e9b27b2b16a502fb8f8c62cb2d16374cdcbd4104a7f0a939c8fa24f3117734283879c1d651680e6531976a8b2667c9d6c91e0c010d750f117338ad631422ebc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2\Uninstall Process Hacker 2.lnk

Filesize
1KB

MD5
1cf8784f574e8e5eaa0ed815e4db84cc

SHA1
60ec00c56bad6d9bc74318db8add3e7f5c233c72

SHA256
6279d03aab80c6dde163637ef54a49e178b75443a02b41a8179a2a628f53f0f9

SHA512
72104f45688ee03344baee0180616c22d80786664b3a38c9faa6662e72c5fd5c8c5a03cfacca6dfe06c2def44829626186cc7463c13a31b30a423e98f7cf8451

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-92TIK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NKJGO.tmp\processhacker-2.39-setup3.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Roaming\Process Hacker 2\settings.xml

Filesize
10KB

MD5
e5ce818fa383adee96bbd638e90d910d

SHA1
4bdb251c7758c9a0ab9af45c952ddbeb06a7149e

SHA256
bd353767db2ea0ca6124af1e2d4fcf5bbe569c069746749897af7b436a97a94e

SHA512
7bcf351b0ed514f4da51c71fa9bb7e28f87271b10a8da36474b9858f1b3519d147e5eb5bccd75c88953de8220d1d945e9b6a217be9baf61ad23e00e377efc746

Download Submit
C:\Users\Public\Desktop\Process Hacker 2.lnk

Filesize
1KB

MD5
2f2d8948a8074e32df3195165c2d58ce

SHA1
6d046c4ba2f0efb7f21661b862eda81c91532ec2

SHA256
f21b0da3caacd2131908ea6f79deeba1841d6cfce87f8f3c79e80f1628605fc2

SHA512
9920a829433326f9edaaca53a7c3321aedcdcb1a793502ba8ed9e86a157edeaa75d7751d389557528ecd9213b1d4ced789ed6402353e419167a9822cd293a9d5

Download Submit
memory/832-170-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/832-167-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1232-166-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3816-99-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3816-6-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3816-12-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3816-32-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3816-131-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4528-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4528-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4528-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4528-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download