gh0strat | 39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc

Resubmissions

06-08-2024 22:37

240806-2kbpmssgrn 10

14-06-2024 18:31

240614-w6arkswcll 10

Analysis

max time kernel
433s
max time network
442s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14-06-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware with taskmgr.zip
Size

2.9MB
MD5

a964aeb3e8cf59d3b8708af99731abf4
SHA1

77a9caa0eb747c0d5bba1d2b86dd13537516f849
SHA256

39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc
SHA512

9109666afd9cb90a9ba44ef14a9914afcd7749169b2e4a04f6066f470a7a89503ddf90a21adeadd4dfd2056aa66854f99db532824be64c95bc0d94ad7439c79a
SSDEEP

49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESc:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/3772-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3772-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3772-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1460-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1460-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3320-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3320-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/3320-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3772-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3772-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3772-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1460-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
C:\Windows\SysWOW64\240690453.txt	family_gh0strat
behavioral1/memory/1460-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3320-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3320-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/3320-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240690453.txt"	svchos.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_processhacker-2.39-setup.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	HD_processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\""	HD_processhacker-2.39-setup.tmp

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 15 IoCs

Processes:

svchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_processhacker-2.39-setup.exeHD_processhacker-2.39-setup.tmpÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeProcessHacker.exeProcessHacker.exeSetup.exesvchost.exeTXPlatforn.exesvchos.exeTXPlatforn.exeHD_Setup.exe

pid	process
3772	svchost.exe
1460	TXPlatforn.exe
3888	svchos.exe
3320	TXPlatforn.exe
2316	HD_processhacker-2.39-setup.exe
4564	HD_processhacker-2.39-setup.tmp
4632	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
3748	ProcessHacker.exe
3860	ProcessHacker.exe
4136	Setup.exe
1428	svchost.exe
1944	TXPlatforn.exe
1628	svchos.exe
2528	TXPlatforn.exe
1672	HD_Setup.exe

Loads dropped DLL 15 IoCs

Processes:

svchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeProcessHacker.exe

pid	process
3888	svchos.exe
4128	svchost.exe
4632	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3772-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3772-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3772-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3772-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1460-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1460-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1460-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3320-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3320-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/3320-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_processhacker-2.39-setup.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\Process Hacker 2 = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\""	HD_processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\Process Hacker 2 = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\" -hide"	HD_processhacker-2.39-setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

svchos.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240690453.txt	svchos.exe

Drops file in Program Files directory 48 IoCs

Processes:

processhacker-2.39-setup.exeHD_processhacker-2.39-setup.tmp

description	ioc	process
File created	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-J9U94.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-3DN1L.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-FR4QJ.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-H8NBH.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-JKEGL.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-MFCQU.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-JVCTB.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-63L85.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-K33SV.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-D2TG8.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-K6KO8.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-105QM.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-8MIH3.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-EGJQO.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-4H7IU.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-JBLI2.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-2DUGT.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-J9FE4.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-LR5AB.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-U22HH.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	processhacker-2.39-setup.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-TFB0H.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-5OBDS.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-CM86Q.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-7L2GR.tmp	HD_processhacker-2.39-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProcessHacker.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628637312296502"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ProcessHacker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2852 PING.EXE
4080 PING.EXE

pid	process
2852	PING.EXE
4080	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

processhacker-2.39-setup.exeHD_processhacker-2.39-setup.tmpProcessHacker.exe

pid	process
2976	processhacker-2.39-setup.exe
2976	processhacker-2.39-setup.exe
4564	HD_processhacker-2.39-setup.tmp
4564	HD_processhacker-2.39-setup.tmp
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

TXPlatforn.exe

pid process

3320 TXPlatforn.exe
656
656

pid	process
3320	TXPlatforn.exe
656
656

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid	process
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTXPlatforn.exeProcessHacker.exesvchost.exechrome.exeHD_Setup.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3772	svchost.exe
Token: SeLoadDriverPrivilege	3320	TXPlatforn.exe
Token: SeDebugPrivilege	3860	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	3860	ProcessHacker.exe
Token: 33	3860	ProcessHacker.exe
Token: SeLoadDriverPrivilege	3860	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	3860	ProcessHacker.exe
Token: SeRestorePrivilege	3860	ProcessHacker.exe
Token: SeShutdownPrivilege	3860	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3860	ProcessHacker.exe
Token: 33	3320	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3320	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1428	svchost.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeDebugPrivilege	1672	HD_Setup.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: 33	3320	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3320	TXPlatforn.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe
Token: SeShutdownPrivilege	2688	chrome.exe
Token: SeCreatePagefilePrivilege	2688	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

HD_processhacker-2.39-setup.tmpProcessHacker.exe

pid	process
4564	HD_processhacker-2.39-setup.tmp
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exe

pid	process
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe
3860	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

processhacker-2.39-setup.exesvchos.exeHD_processhacker-2.39-setup.exeHD_processhacker-2.39-setup.tmpProcessHacker.exeProcessHacker.exeSetup.exesvchos.exe

pid	process
2976	processhacker-2.39-setup.exe
2976	processhacker-2.39-setup.exe
2976	processhacker-2.39-setup.exe
3888	svchos.exe
2316	HD_processhacker-2.39-setup.exe
4564	HD_processhacker-2.39-setup.tmp
3748	ProcessHacker.exe
3860	ProcessHacker.exe
4136	Setup.exe
4136	Setup.exe
4136	Setup.exe
1628	svchos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

processhacker-2.39-setup.exesvchost.exeTXPlatforn.execmd.exeHD_processhacker-2.39-setup.exesvchost.exeHD_processhacker-2.39-setup.tmpSetup.exesvchost.exeTXPlatforn.execmd.exechrome.exe

description	pid	process	target process
PID 2976 wrote to memory of 3772	2976	processhacker-2.39-setup.exe	svchost.exe
PID 2976 wrote to memory of 3772	2976	processhacker-2.39-setup.exe	svchost.exe
PID 2976 wrote to memory of 3772	2976	processhacker-2.39-setup.exe	svchost.exe
PID 3772 wrote to memory of 4772	3772	svchost.exe	cmd.exe
PID 3772 wrote to memory of 4772	3772	svchost.exe	cmd.exe
PID 3772 wrote to memory of 4772	3772	svchost.exe	cmd.exe
PID 2976 wrote to memory of 3888	2976	processhacker-2.39-setup.exe	svchos.exe
PID 2976 wrote to memory of 3888	2976	processhacker-2.39-setup.exe	svchos.exe
PID 2976 wrote to memory of 3888	2976	processhacker-2.39-setup.exe	svchos.exe
PID 1460 wrote to memory of 3320	1460	TXPlatforn.exe	TXPlatforn.exe
PID 1460 wrote to memory of 3320	1460	TXPlatforn.exe	TXPlatforn.exe
PID 1460 wrote to memory of 3320	1460	TXPlatforn.exe	TXPlatforn.exe
PID 4772 wrote to memory of 2852	4772	cmd.exe	PING.EXE
PID 4772 wrote to memory of 2852	4772	cmd.exe	PING.EXE
PID 4772 wrote to memory of 2852	4772	cmd.exe	PING.EXE
PID 2976 wrote to memory of 2316	2976	processhacker-2.39-setup.exe	HD_processhacker-2.39-setup.exe
PID 2976 wrote to memory of 2316	2976	processhacker-2.39-setup.exe	HD_processhacker-2.39-setup.exe
PID 2976 wrote to memory of 2316	2976	processhacker-2.39-setup.exe	HD_processhacker-2.39-setup.exe
PID 2316 wrote to memory of 4564	2316	HD_processhacker-2.39-setup.exe	HD_processhacker-2.39-setup.tmp
PID 2316 wrote to memory of 4564	2316	HD_processhacker-2.39-setup.exe	HD_processhacker-2.39-setup.tmp
PID 2316 wrote to memory of 4564	2316	HD_processhacker-2.39-setup.exe	HD_processhacker-2.39-setup.tmp
PID 4128 wrote to memory of 4632	4128	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 4128 wrote to memory of 4632	4128	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 4128 wrote to memory of 4632	4128	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 4564 wrote to memory of 3748	4564	HD_processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 4564 wrote to memory of 3748	4564	HD_processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 4564 wrote to memory of 3860	4564	HD_processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 4564 wrote to memory of 3860	4564	HD_processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 4136 wrote to memory of 1428	4136	Setup.exe	svchost.exe
PID 4136 wrote to memory of 1428	4136	Setup.exe	svchost.exe
PID 4136 wrote to memory of 1428	4136	Setup.exe	svchost.exe
PID 1428 wrote to memory of 1916	1428	svchost.exe	cmd.exe
PID 1428 wrote to memory of 1916	1428	svchost.exe	cmd.exe
PID 1428 wrote to memory of 1916	1428	svchost.exe	cmd.exe
PID 4136 wrote to memory of 1628	4136	Setup.exe	svchos.exe
PID 4136 wrote to memory of 1628	4136	Setup.exe	svchos.exe
PID 4136 wrote to memory of 1628	4136	Setup.exe	svchos.exe
PID 1944 wrote to memory of 2528	1944	TXPlatforn.exe	TXPlatforn.exe
PID 1944 wrote to memory of 2528	1944	TXPlatforn.exe	TXPlatforn.exe
PID 1944 wrote to memory of 2528	1944	TXPlatforn.exe	TXPlatforn.exe
PID 4136 wrote to memory of 1672	4136	Setup.exe	HD_Setup.exe
PID 4136 wrote to memory of 1672	4136	Setup.exe	HD_Setup.exe
PID 1916 wrote to memory of 4080	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 4080	1916	cmd.exe	PING.EXE
PID 1916 wrote to memory of 4080	1916	cmd.exe	PING.EXE
PID 2688 wrote to memory of 5032	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 5032	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe
PID 2688 wrote to memory of 3856	2688	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Malware with taskmgr.zip"
1⤵
PID:1496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4156

C:\Users\Admin\Desktop\processhacker-2.39-setup.exe
"C:\Users\Admin\Desktop\processhacker-2.39-setup.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2852
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:3888
- C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe
  C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\is-E56O2.tmp\HD_processhacker-2.39-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-E56O2.tmp\HD_processhacker-2.39-setup.tmp" /SL5="$13005E,1874675,150016,C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe" -installkph -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3748
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3860

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:4548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240690453.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4632

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4080
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Users\Admin\Desktop\HD_Setup.exe
  C:\Users\Admin\Desktop\HD_Setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1672

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe2003ab58,0x7ffe2003ab68,0x7ffe2003ab78
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:2
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4148 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1160
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff689f2ae48,0x7ff689f2ae58,0x7ff689f2ae68
    3⤵
    PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4604 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4780 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4180 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4932 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3332 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5088 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2800 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:2
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5048 --field-trial-handle=1820,i,15676725328965071989,7202303322402537866,131072 /prefetch:1
  2⤵
  PID:2860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5a454d5d00765c125cfe7c9a50b8519f

SHA1
ec450b3c669719e5397952e644a30daa9ff1324a

SHA256
247ce835b8e7502499082ed565acb326bb786e6c86cdf28a00dc4657ed09bd56

SHA512
32a64feb97498570f3d3237934533565f954739752c1c07777a0a0be061d12198ab07e4b2c562d85012dac6805400b54887dad15b0e4c849faab07ad2b16e077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
c2cb474386fa870f7d5618400a810fad

SHA1
2c291239bd09e38bcb6ccb68a29a3029c22f4c8f

SHA256
a4d804d5a7a467885a580b964889c53f396a1f6bd0dd324e52456616211ebf23

SHA512
2593f1fecfab5f1c6c25810e328286ad4c6a26275c3db07e9eec4d812089631b8314065b55306da07c4db160e43f27e18fe13a0e22b4c6bb069cae32408e45c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
6777445a3e040e3b52df89d72646369b

SHA1
727767ccb43d620a104e95326995b1294742efca

SHA256
00165c476a23ab9e613b1e680e6d12686e5652151b1dc8fea615b0f56ab85644

SHA512
3b9bcea4573c9efa4a0117193c85794cb8ae9879bd55abe71b3eead9770033036108adb24e54a2d4aa4594cbbb9712306018670a5b5935badad6c533c14881ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\X.ico

Filesize
95KB

MD5
db552c9798e710337d0b8d8b08afe157

SHA1
02cf5a3b94e1710431516a1a3597e3064c778934

SHA256
0d884e89e12f663ac81f1a5404300274b1b652c22808c80ea9856491af7d6a5c

SHA512
e4f6b89ea6b6327d143bdaca06d40c953c6573a9850ec2b2cfe0372b9bd04ff4ea6a6239ca5e6fa7f677b28e54d875812fa4e05638f54bcb08f86e30a4fc7fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E56O2.tmp\HD_processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Users\Admin\Desktop\HD_Setup.exe

Filesize
12KB

MD5
a14e63d27e1ac1df185fa062103aa9aa

SHA1
2b64c35e4eff4a43ab6928979b6093b95f9fd714

SHA256
dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

SHA512
10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082

Download Submit
C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
C:\Users\Admin\Desktop\Process Hacker 2.lnk

Filesize
1KB

MD5
97c2631f08b1f0ec07892a914d5fd5da

SHA1
9083404d68795f9f462fbe42a765fef004474a0f

SHA256
1e8acf5d7ad2a4aedd43e97f67628b8dae11ea220f43e605931ba1bd1500a0ca

SHA512
918b96c0afe0d0ec8aae6a701df13e07fc451791f4098353a7acc9261fe73461b81e6ed839ae5bfadc03baf7db8dd7b846c51562f691334b0bd96e2df3bedc6c

Download Submit
C:\Users\Admin\Desktop\Setup.exe

Filesize
1.3MB

MD5
f5d7a8bc63159fa1603d5089ede38711

SHA1
9cd56c7405b96ba0d0c7ba990efdc57eb4f8ec08

SHA256
040141ccda29ba2ffb4d058120c1a64a9ba8393c5b3385b5d2b8da8ff7c7c5c6

SHA512
293574ffc7ff93417f70acde0639d83d1de48bf42ddb2e138c6f683bec8f1eb0e48e4957eb9bb698d9d880cb5937f3e0c734710189fa1b2ad74e9609473b5d02

Download Submit
C:\Windows\SysWOW64\240690453.txt

Filesize
50KB

MD5
6a5ffd2bc0dbbab099138771339f3d68

SHA1
184f3e384f97c5344a79b9e2bf8726e008926ef8

SHA256
037599810e624d2e460422f9d42711e2533d816954e4310b1df15509488e8478

SHA512
0de0cb9312b150cad70c14d1331ace0b5b6ca150b9d81e237e9c485e67f7ddb21e63d8fbb96b3471e8e73905e60b15bb483a0c2753a73515a00a2ad24a37687a

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
40KB

MD5
22bb5bd901d8b25ac5b41edbb7d5053e

SHA1
8a935dd8d7e104fc553ff7e8b54a404f7b079334

SHA256
8dcaeeebef9b9f3d41d295db145ffb3850f309d089c08125c7fa7034db5fd80e

SHA512
cc3fb68fd6791a08e4a7d1a8db8d07cfcc8c9b9dceec10b53f0cb7ee86473303a19be4f23e379f84c59e02d0568e7c066e21cd1300f6032dac4ba52f609f62e7

Download Submit
\??\pipe\crashpad_2688_NAVSDWTMZDXVCURF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1460-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1460-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1460-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1672-291-0x0000026F25900000-0x0000026F2590A000-memory.dmp

Filesize
40KB

Download
memory/2316-105-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2316-212-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2316-46-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3320-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3320-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3320-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3772-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3772-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3772-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3772-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4564-106-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4564-211-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4564-115-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download