2afb5303e191dde688c5626c3ee545e32e52f09da3b35b20f5e0d29a418432f5

Analysis

max time kernel
89s
max time network
55s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
20-06-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/ProcessHacker.exe
Size

1.6MB
MD5

b365af317ae730a67c936f21432b9c71
SHA1

a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256

bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
SHA512

cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b
SSDEEP

24576:V7eokafnkAwgcU+29fR4PQviXq1pj3EDT5m+m8I:V6efnkdlUF92PGBOT3m8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ProcessHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 56003100000000009358264f100057696e646f777300400009000400efbec5522d609358514f2e000000a605000000000100000000000000000000000000000009bce900570069006e0064006f0077007300000016000000	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000d458690010006472697665727300400009000400efbec5524861d4587a002e000000ca36000000000100000000000000000000000000000010251f016400720069007600650072007300000016000000	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000d4586900100053797374656d33320000420009000400efbec5522d60d45869002e0000008f360000000001000000000000000000000000000000247b0501530079007300740065006d0033003200000018000000	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	ProcessHacker.exe
Key created	\Registry\User\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\NotificationData	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	ProcessHacker.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3572	ProcessHacker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
684	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	3572	ProcessHacker.exe
Token: 33	3572	ProcessHacker.exe
Token: SeLoadDriverPrivilege	3572	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	3572	ProcessHacker.exe
Token: SeRestorePrivilege	3572	ProcessHacker.exe
Token: SeShutdownPrivilege	3572	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3572	ProcessHacker.exe
Token: SeSecurityPrivilege	3572	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3572	ProcessHacker.exe
Token: SeBackupPrivilege	408	svchost.exe
Token: SeRestorePrivilege	408	svchost.exe
Token: SeSecurityPrivilege	408	svchost.exe
Token: SeTakeOwnershipPrivilege	408	svchost.exe
Token: 35	408	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe
3572	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3572	ProcessHacker.exe

C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\x64\ProcessHacker.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3572-0-0x000001CA2C380000-0x000001CA2C390000-memory.dmp

Filesize
64KB

Download
memory/3572-8-0x000001CA2C400000-0x000001CA2C410000-memory.dmp

Filesize
64KB

Download