gh0strat | 5f0ed99d77473c40906f6258a647e89a2b1ca80cb1afc6fe55c9ac12ae77157e

Analysis

max time kernel
462s
max time network
463s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware with taskmgr.zip
Size

2.9MB
MD5

1343a02090dfa6e1656ce2f1750e5bac
SHA1

ff14e086804b359d2d197443861ae624ab177134
SHA256

5f0ed99d77473c40906f6258a647e89a2b1ca80cb1afc6fe55c9ac12ae77157e
SHA512

0c273daf609c03740c11ec12d5eed257ed1e57e7771ed86b1017a28f0c40fdb890f8cf5d4355bf7f903a4bd2400db4700a47e90af8f7175e7c42beaab8946c3f
SSDEEP

49152:x7yeTYZ5z0vegABI2egr4OecHvD5m33UZRQDRfPapjj6axvkVxureuIiBAkpwESO:xnTYZ5z0WgH234RUI3UrQ1uHlvkxuhLd

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral3/memory/764-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral3/memory/764-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral3/memory/4628-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral3/memory/4628-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral3/memory/4660-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral3/memory/4660-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral3/memory/4660-47-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral3/memory/764-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral3/memory/764-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral3/memory/4628-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral3/memory/4628-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral3/files/0x001400000001e359-27.dat	family_gh0strat
behavioral3/memory/4660-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral3/memory/4660-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral3/memory/4660-47-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchos.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240969937.txt"	svchos.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_processhacker-2.39-setup.tmp

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	HD_processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\""	HD_processhacker-2.39-setup.tmp

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 19 IoCs

Processes:

svchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_processhacker-2.39-setup.exeHD_processhacker-2.39-setup.tmpÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeProcessHacker.exesvchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_ProcessHacker.exeSetup.exesvchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_Setup.exe

pid	Process
764	svchost.exe
4628	TXPlatforn.exe
4660	TXPlatforn.exe
5012	svchos.exe
2872	HD_processhacker-2.39-setup.exe
2148	HD_processhacker-2.39-setup.tmp
4452	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
4392	ProcessHacker.exe
3728	svchost.exe
2492	TXPlatforn.exe
3616	TXPlatforn.exe
2112	svchos.exe
2516	HD_ProcessHacker.exe
2828	Setup.exe
5012	svchost.exe
3912	TXPlatforn.exe
544	TXPlatforn.exe
2588	svchos.exe
3472	HD_Setup.exe

Loads dropped DLL 15 IoCs

Processes:

svchos.exesvchost.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeHD_ProcessHacker.exe

pid	Process
5012	svchos.exe
4296	svchost.exe
4452	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/764-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/764-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/764-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/4628-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/4628-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/4628-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/4660-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/4660-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral3/memory/4660-47-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_processhacker-2.39-setup.tmp

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Process Hacker 2 = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\""	HD_processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Process Hacker 2 = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\" -hide"	HD_processhacker-2.39-setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

svchos.exesvchost.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240969937.txt	svchos.exe

Drops file in Program Files directory 50 IoCs

Processes:

HD_processhacker-2.39-setup.tmpProcessHacker.exeprocesshacker-2.39-setup.exe

description	ioc	Process
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-R729I.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-OO0DP.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-1K02I.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-5607S.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\HD_ProcessHacker.exe	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\plugins\is-ON45U.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	processhacker-2.39-setup.exe
File created	C:\Program Files\Process Hacker 2\is-A2OMP.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-LIKEF.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-6U3UA.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-CR289.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-A6GII.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-KTHBH.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-SPA76.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-UK3SM.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-8RREN.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-JJLOS.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-B7V7G.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-OSN5J.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-GFDRD.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	processhacker-2.39-setup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-F38N2.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-8EJ20.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	processhacker-2.39-setup.exe
File created	C:\Program Files\Process Hacker 2\unins000.dat	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-8R8SC.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-IUS3J.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	processhacker-2.39-setup.exe
File created	C:\Program Files\Process Hacker 2\is-56CNI.tmp	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-FGH8C.tmp	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	HD_processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	HD_processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\HD_ProcessHacker.exe	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	HD_processhacker-2.39-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628739281907261"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

HD_ProcessHacker.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HD_ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HD_ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	HD_ProcessHacker.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid	Process
4248	PING.EXE
1044	PING.EXE
2752	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

processhacker-2.39-setup.exeHD_processhacker-2.39-setup.tmpProcessHacker.exeHD_ProcessHacker.exe

pid	Process
1340	processhacker-2.39-setup.exe
1340	processhacker-2.39-setup.exe
2148	HD_processhacker-2.39-setup.tmp
2148	HD_processhacker-2.39-setup.tmp
4392	ProcessHacker.exe
4392	ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HD_ProcessHacker.exe

pid	Process
2516	HD_ProcessHacker.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

TXPlatforn.exe

pid	Process
4660	TXPlatforn.exe
664

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid	Process
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

svchost.exeTXPlatforn.exesvchost.exeHD_ProcessHacker.exesvchost.exechrome.exeHD_Setup.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	764	svchost.exe
Token: SeLoadDriverPrivilege	4660	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	3728	svchost.exe
Token: SeDebugPrivilege	2516	HD_ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	2516	HD_ProcessHacker.exe
Token: 33	2516	HD_ProcessHacker.exe
Token: SeLoadDriverPrivilege	2516	HD_ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	2516	HD_ProcessHacker.exe
Token: SeRestorePrivilege	2516	HD_ProcessHacker.exe
Token: SeShutdownPrivilege	2516	HD_ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	2516	HD_ProcessHacker.exe
Token: 33	4660	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4660	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	5012	svchost.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeDebugPrivilege	3472	HD_Setup.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeCreatePagefilePrivilege	1568	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

HD_processhacker-2.39-setup.tmpHD_ProcessHacker.exechrome.exe

pid	Process
2148	HD_processhacker-2.39-setup.tmp
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

HD_ProcessHacker.exechrome.exe

pid	Process
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
2516	HD_ProcessHacker.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

processhacker-2.39-setup.exesvchos.exeHD_processhacker-2.39-setup.exeHD_processhacker-2.39-setup.tmpProcessHacker.exesvchos.exeHD_ProcessHacker.exeSetup.exesvchos.exe

pid	Process
1340	processhacker-2.39-setup.exe
1340	processhacker-2.39-setup.exe
1340	processhacker-2.39-setup.exe
5012	svchos.exe
2872	HD_processhacker-2.39-setup.exe
2148	HD_processhacker-2.39-setup.tmp
4392	ProcessHacker.exe
4392	ProcessHacker.exe
4392	ProcessHacker.exe
2112	svchos.exe
2516	HD_ProcessHacker.exe
2828	Setup.exe
2828	Setup.exe
2828	Setup.exe
2588	svchos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

processhacker-2.39-setup.exesvchost.exeTXPlatforn.execmd.exeHD_processhacker-2.39-setup.exesvchost.exeHD_processhacker-2.39-setup.tmpProcessHacker.exesvchost.exeTXPlatforn.execmd.exeSetup.exesvchost.exeTXPlatforn.execmd.exechrome.exe

description	pid	Process	procid_target
PID 1340 wrote to memory of 764	1340	processhacker-2.39-setup.exe	102
PID 1340 wrote to memory of 764	1340	processhacker-2.39-setup.exe	102
PID 1340 wrote to memory of 764	1340	processhacker-2.39-setup.exe	102
PID 764 wrote to memory of 4112	764	svchost.exe	104
PID 764 wrote to memory of 4112	764	svchost.exe	104
PID 764 wrote to memory of 4112	764	svchost.exe	104
PID 4628 wrote to memory of 4660	4628	TXPlatforn.exe	107
PID 4628 wrote to memory of 4660	4628	TXPlatforn.exe	107
PID 4628 wrote to memory of 4660	4628	TXPlatforn.exe	107
PID 1340 wrote to memory of 5012	1340	processhacker-2.39-setup.exe	106
PID 1340 wrote to memory of 5012	1340	processhacker-2.39-setup.exe	106
PID 1340 wrote to memory of 5012	1340	processhacker-2.39-setup.exe	106
PID 1340 wrote to memory of 2872	1340	processhacker-2.39-setup.exe	110
PID 1340 wrote to memory of 2872	1340	processhacker-2.39-setup.exe	110
PID 1340 wrote to memory of 2872	1340	processhacker-2.39-setup.exe	110
PID 4112 wrote to memory of 4248	4112	cmd.exe	111
PID 4112 wrote to memory of 4248	4112	cmd.exe	111
PID 4112 wrote to memory of 4248	4112	cmd.exe	111
PID 2872 wrote to memory of 2148	2872	HD_processhacker-2.39-setup.exe	112
PID 2872 wrote to memory of 2148	2872	HD_processhacker-2.39-setup.exe	112
PID 2872 wrote to memory of 2148	2872	HD_processhacker-2.39-setup.exe	112
PID 4296 wrote to memory of 4452	4296	svchost.exe	113
PID 4296 wrote to memory of 4452	4296	svchost.exe	113
PID 4296 wrote to memory of 4452	4296	svchost.exe	113
PID 2148 wrote to memory of 4392	2148	HD_processhacker-2.39-setup.tmp	115
PID 2148 wrote to memory of 4392	2148	HD_processhacker-2.39-setup.tmp	115
PID 2148 wrote to memory of 4392	2148	HD_processhacker-2.39-setup.tmp	115
PID 4392 wrote to memory of 3728	4392	ProcessHacker.exe	116
PID 4392 wrote to memory of 3728	4392	ProcessHacker.exe	116
PID 4392 wrote to memory of 3728	4392	ProcessHacker.exe	116
PID 3728 wrote to memory of 1700	3728	svchost.exe	118
PID 3728 wrote to memory of 1700	3728	svchost.exe	118
PID 3728 wrote to memory of 1700	3728	svchost.exe	118
PID 2492 wrote to memory of 3616	2492	TXPlatforn.exe	121
PID 2492 wrote to memory of 3616	2492	TXPlatforn.exe	121
PID 2492 wrote to memory of 3616	2492	TXPlatforn.exe	121
PID 4392 wrote to memory of 2112	4392	ProcessHacker.exe	120
PID 4392 wrote to memory of 2112	4392	ProcessHacker.exe	120
PID 4392 wrote to memory of 2112	4392	ProcessHacker.exe	120
PID 4392 wrote to memory of 2516	4392	ProcessHacker.exe	122
PID 4392 wrote to memory of 2516	4392	ProcessHacker.exe	122
PID 1700 wrote to memory of 1044	1700	cmd.exe	123
PID 1700 wrote to memory of 1044	1700	cmd.exe	123
PID 1700 wrote to memory of 1044	1700	cmd.exe	123
PID 2828 wrote to memory of 5012	2828	Setup.exe	127
PID 2828 wrote to memory of 5012	2828	Setup.exe	127
PID 2828 wrote to memory of 5012	2828	Setup.exe	127
PID 5012 wrote to memory of 2392	5012	svchost.exe	129
PID 5012 wrote to memory of 2392	5012	svchost.exe	129
PID 5012 wrote to memory of 2392	5012	svchost.exe	129
PID 3912 wrote to memory of 544	3912	TXPlatforn.exe	130
PID 3912 wrote to memory of 544	3912	TXPlatforn.exe	130
PID 3912 wrote to memory of 544	3912	TXPlatforn.exe	130
PID 2828 wrote to memory of 2588	2828	Setup.exe	131
PID 2828 wrote to memory of 2588	2828	Setup.exe	131
PID 2828 wrote to memory of 2588	2828	Setup.exe	131
PID 2828 wrote to memory of 3472	2828	Setup.exe	132
PID 2828 wrote to memory of 3472	2828	Setup.exe	132
PID 2392 wrote to memory of 2752	2392	cmd.exe	134
PID 2392 wrote to memory of 2752	2392	cmd.exe	134
PID 2392 wrote to memory of 2752	2392	cmd.exe	134
PID 1568 wrote to memory of 2404	1568	chrome.exe	137
PID 1568 wrote to memory of 2404	1568	chrome.exe	137
PID 1568 wrote to memory of 3968	1568	chrome.exe	138

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Malware with taskmgr.zip"
1⤵
PID:3068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3720

C:\Users\Admin\Desktop\processhacker-2.39-setup.exe
"C:\Users\Admin\Desktop\processhacker-2.39-setup.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4248
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:5012
- C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe
  C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\is-S4JVU.tmp\HD_processhacker-2.39-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S4JVU.tmp\HD_processhacker-2.39-setup.tmp" /SL5="$1028C,1874675,150016,C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        7⤵
        Runs ping.exe
        
        PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\svchos.exe
        
        C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2112
    - - C:\Program Files\Process Hacker 2\HD_ProcessHacker.exe
        
        "C:\Program Files\Process Hacker 2\HD_ProcessHacker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2516

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:4048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240969937.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4452

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:3616

C:\Users\Admin\Desktop\New folder\Setup.exe
"C:\Users\Admin\Desktop\New folder\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2752
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2588
- C:\Users\Admin\Desktop\New folder\HD_Setup.exe
  "C:\Users\Admin\Desktop\New folder\HD_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3472

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7108ab58,0x7ffc7108ab68,0x7ffc7108ab78
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:2
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2052 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2816
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7f231ae48,0x7ff7f231ae58,0x7ff7f231ae68
    3⤵
    PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4836 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4904 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4548 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4680 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4404 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4160 --field-trial-handle=1964,i,10665766501422183720,5021639438110010255,131072 /prefetch:1
  2⤵
  PID:336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
2.9MB

MD5
9c525794d373021d93312e2baee8f0b2

SHA1
10964a4bf18bbcfc1960c2c74c507fa72d26c6d5

SHA256
113d02c9c82c531e0f236c412adfd84952e2e008cc3439526cb433f986f21a8d

SHA512
14aac9ce2df2d2e3e558732a6e3a3f1d698431976dfe74a2abfeced68b7bd3292065abebc1e767fa9eebd928683e8e872202223307122391fec109801e371c6f

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
2.9MB

MD5
96765e3b2da16f185b6f0a7c08da76a6

SHA1
d9a104883f53dcd11fe9235330abafc6d8b295fc

SHA256
c40d25c5e3ac524db0f7b16ae8f6c8a43e1b6105a58e52f1d2ccaa635d7ba88d

SHA512
afa3da339bd38d5ebfc86f6ce9ed4b9f1a8d1e15ad717c360ccb51c49ecd797044246877b64c5f7baed1515c9b9f36a527b0c17603f462a02777eac6570e1010

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fc2bccee0be50a6b04ace0cd0a650eb1

SHA1
23fce6c75258548f614a533280bfb407b9d5bf23

SHA256
69d70c4e4094ebdcb8c69ef6e2f3b3e9fa891fe2457f93aa9f9df78592bcd7d4

SHA512
be3347f21f6e4a25c2cf1b07ee378141b56685087863dc52380d51ee5dc7c27d57a8f1c436378a3d6dc2a9ff153357bec151abec1ba605fae09d08917c544e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
e67ceb2ea247df82c5fed54361ef73ec

SHA1
e95ccd48ec5600b07814e4eea06317af8b15d608

SHA256
50238886eb8f24cadcbe2a21515da9dffd0c73812be19ffd12e4947599062022

SHA512
2aa218fbabb0cefb97b3f0afdb81bda28ace7ec059309b93d313ee934f3d395e74720afd7b8406a26d9c703c76433d931878af3ac83b0d3e50b0e541f5e2c86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
6777445a3e040e3b52df89d72646369b

SHA1
727767ccb43d620a104e95326995b1294742efca

SHA256
00165c476a23ab9e613b1e680e6d12686e5652151b1dc8fea615b0f56ab85644

SHA512
3b9bcea4573c9efa4a0117193c85794cb8ae9879bd55abe71b3eead9770033036108adb24e54a2d4aa4594cbbb9712306018670a5b5935badad6c533c14881ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S4JVU.tmp\HD_processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Users\Admin\Desktop\HD_processhacker-2.39-setup.exe

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
C:\Users\Admin\Desktop\New folder\Setup.exe

Filesize
1.3MB

MD5
f5d7a8bc63159fa1603d5089ede38711

SHA1
9cd56c7405b96ba0d0c7ba990efdc57eb4f8ec08

SHA256
040141ccda29ba2ffb4d058120c1a64a9ba8393c5b3385b5d2b8da8ff7c7c5c6

SHA512
293574ffc7ff93417f70acde0639d83d1de48bf42ddb2e138c6f683bec8f1eb0e48e4957eb9bb698d9d880cb5937f3e0c734710189fa1b2ad74e9609473b5d02

Download Submit
C:\Users\Admin\Desktop\New folder\WinRAR.lnk

Filesize
1KB

MD5
ec5e0ed210e7fc85b2ee239ecf6c6ef2

SHA1
8b730f8099fbdcd5272bc168685a0ef35bbe2e5d

SHA256
7d1b82310166108d5b5c6e58b4a144d6618e671f6b5dc7874c7ee3e7b15aacd5

SHA512
d5e87e1d1e824375c0783f36adc7e7589821a4ae84a4a598f3a374f62eeddb59d58aa3b2ff9609d7989219a3e7848d949de86c86b32250e0f89120a1cf5e7bec

Download Submit
C:\Users\Admin\Desktop\Process Hacker 2.lnk

Filesize
1KB

MD5
d206d9563e75c83451e133456ff5c491

SHA1
44a4d56aee8a92924df5f1643e68f6ead9d61205

SHA256
3c10628bff440273614ac79a57c148a8d144ec72dd01b12bb1c3bbb893e8b37a

SHA512
5b59197625f20564c9cc8d2a2b9e1226b1d65a6b11c437563cda32861a07fbcbb7416c3161d72f4a732aeaaec98733ce57e011446b35922f6418e2d89f42468c

Download Submit
C:\Windows\SysWOW64\240969937.txt

Filesize
50KB

MD5
07a3cb2ada081dcd6ceae116ac3c4558

SHA1
60baa925872d79fb8a3253b1a74679b78de54133

SHA256
a172b83de9fc7f2f7a803755b8ee67a8ef746e21f4658d42cf618e3ddc28fa8d

SHA512
f8bd90765dfb4be2bfec8406c34ab5050796b2aa0dd614fc1a75a17a20e3ed72de4349ea0df2f30537245f35f861b4035cd20e4c69cd9c4cdedfee89e7915ed3

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/764-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/764-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/764-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-106-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2148-191-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2148-251-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2872-105-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2872-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2872-45-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3472-294-0x0000028739D40000-0x0000028739D4A000-memory.dmp

Filesize
40KB

Download
memory/4628-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4628-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4628-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4660-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4660-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4660-47-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download