quasar | b9474630c33784f2756c64ba626e2c9ed67c6a3498a28c5977950fd7bc5a041a

Analysis

max time kernel
302s
max time network
306s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29/01/2025, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built1111.exe
Size

3.1MB
MD5

0adc6241197fc1fdcd36bd0f76f89b24
SHA1

e5eedce758351fe52c4bc3b230a319400dba6d8e
SHA256

b9474630c33784f2756c64ba626e2c9ed67c6a3498a28c5977950fd7bc5a041a
SHA512

c967faaef0efac7f6df8ca9abd6b9f661166b2a28bb271f39036f20f8dff7cfda361df9e080994535de6c05658c3d78c947b8e5ede7846316d73f5c3a02b06e3
SSDEEP

49152:jvClL26AaNeWgPhlmVqvMQ7XSKRsrhZmzVVoGdXNTHHB72eh2NT:jv6L26AaNeWgPhlmVqkQ7XSKGrhC

Score

10^/10

quasar oki defense_evasion discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

oki

sohit13140-34151.portmap.host:30470

Mutex

cec5225d-9f42-4988-9860-2cb3a2fa4d24

Attributes

encryption_key
7762A5ABDBC4550BFD7A396634A33ED6BBC88F49
install_name
name.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/884-1-0x0000000000570000-0x0000000000894000-memory.dmp	family_quasar
behavioral1/files/0x0008000000027df8-3.dat	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
815	3252	firefox.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\""	processhacker-2.39-setup.tmp

Executes dropped EXE 6 IoCs

pid	Process
1700	name.exe
5068	processhacker-2.39-setup.exe
2440	processhacker-2.39-setup.tmp
7036	ProcessHacker.exe
6816	ProcessHacker.exe
4952	ProcessHacker.exe

Loads dropped DLL 24 IoCs

pid	Process
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
6816	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe
4952	ProcessHacker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ProcessHacker.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-G89MN.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-9BQSG.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-N2GHB.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-EVFM2.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-4MLJR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-FN366.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\symbols\exe\name.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\clr.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\ntdll.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\plugins\is-9EKT6.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\clr.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-C1D67.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-2TRV4.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-8ML4G.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-1NAKR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-P0B33.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-645JR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-UEN9H.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-J3D01.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-NIFQP.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-MEGDT.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\name.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-O0GGU.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SG3JQ.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\dll\clr.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-34HMJ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-88OQL.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-B7PU8.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-8OL67.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-RFP9E.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\exe\name.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\dll\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processhacker-2.39-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processhacker-2.39-setup.tmp

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe

Checks processor information in registry 2 TTPs 29 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	ProcessHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	ProcessHacker.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	ProcessHacker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	ProcessHacker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ProcessHacker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	ProcessHacker.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2480	taskmgr.exe
6816	ProcessHacker.exe
4952	ProcessHacker.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	Client-built1111.exe
Token: SeDebugPrivilege	1700	name.exe
Token: SeDebugPrivilege	2480	taskmgr.exe
Token: SeSystemProfilePrivilege	2480	taskmgr.exe
Token: SeCreateGlobalPrivilege	2480	taskmgr.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	2440	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	6816	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	6816	ProcessHacker.exe
Token: 33	6816	ProcessHacker.exe
Token: SeLoadDriverPrivilege	6816	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	6816	ProcessHacker.exe
Token: SeRestorePrivilege	6816	ProcessHacker.exe
Token: SeShutdownPrivilege	6816	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	6816	ProcessHacker.exe
Token: SeDebugPrivilege	6816	ProcessHacker.exe
Token: SeDebugPrivilege	6816	ProcessHacker.exe
Token: 33	2480	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2480	taskmgr.exe
Token: SeDebugPrivilege	4952	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	4952	ProcessHacker.exe
Token: 33	4952	ProcessHacker.exe
Token: SeLoadDriverPrivilege	4952	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	4952	ProcessHacker.exe
Token: SeRestorePrivilege	4952	ProcessHacker.exe
Token: SeShutdownPrivilege	4952	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	4952	ProcessHacker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1700	name.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1700	name.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe
2480	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
4952	ProcessHacker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1700	884	Client-built1111.exe	86
PID 884 wrote to memory of 1700	884	Client-built1111.exe	86
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 2416 wrote to memory of 3252	2416	firefox.exe	96
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 2056	3252	firefox.exe	97
PID 3252 wrote to memory of 1048	3252	firefox.exe	98
PID 3252 wrote to memory of 1048	3252	firefox.exe	98
PID 3252 wrote to memory of 1048	3252	firefox.exe	98
PID 3252 wrote to memory of 1048	3252	firefox.exe	98
PID 3252 wrote to memory of 1048	3252	firefox.exe	98
PID 3252 wrote to memory of 1048	3252	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built1111.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built1111.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Roaming\SubDir\name.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\name.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1872 -prefsLen 27205 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b365c23-b6b3-4530-ac57-035aeb4682ce} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" gpu
    3⤵
    PID:2056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 27083 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e865cad-61b7-45f1-aea5-826374443d04} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" socket
    3⤵
    - Checks processor information in registry
    PID:1048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3048 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {254d7a9b-6ca1-426f-bed5-148947360c10} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 2 -isForBrowser -prefsHandle 4024 -prefMapHandle 4020 -prefsLen 32457 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd450ff6-9cc4-46ad-abc2-06130bde8a25} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4560 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4012 -prefMapHandle 4128 -prefsLen 32457 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {365cba2b-78e6-4ae6-bd61-d480ff345338} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" utility
    3⤵
    - Checks processor information in registry
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 3 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f604819-7545-4f19-9f0f-ec421a6fd5de} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5800 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9998079-845b-4c25-a7f2-99dd648cc03e} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 5976 -prefMapHandle 5788 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88d68120-da2b-42cf-af95-74374a21822b} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6344 -childID 6 -isForBrowser -prefsHandle 6372 -prefMapHandle 6368 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {645ed73c-88a5-4d20-94a0-2188516db36e} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 7 -isForBrowser -prefsHandle 5744 -prefMapHandle 5756 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90072ef7-9da7-4f7e-951f-01771523633e} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6736 -childID 8 -isForBrowser -prefsHandle 6112 -prefMapHandle 6108 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {970e8cc1-9a2b-44be-a5ec-37cf7c33be8e} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6756 -childID 9 -isForBrowser -prefsHandle 6108 -prefMapHandle 6476 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed18ac7-676e-4ce4-bdd3-b3cb595b8356} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6848 -childID 10 -isForBrowser -prefsHandle 6800 -prefMapHandle 5896 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {041ea319-fc1c-41ac-9099-73f2760f15f4} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6108 -parentBuildID 20240401114208 -prefsHandle 6912 -prefMapHandle 6852 -prefsLen 32696 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d192d90d-2463-4498-b3aa-2f420b32aba6} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" rdd
    3⤵
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7156 -childID 11 -isForBrowser -prefsHandle 7148 -prefMapHandle 7144 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7affecfa-50ea-44cd-a93d-4b4efcbf2a54} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7348 -childID 12 -isForBrowser -prefsHandle 7368 -prefMapHandle 7356 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d99cf4-ac6e-4f8a-af41-f3cab3041116} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7472 -childID 13 -isForBrowser -prefsHandle 7480 -prefMapHandle 7488 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13b9b406-0724-4555-ba02-1dcaccdb4b13} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6536 -childID 14 -isForBrowser -prefsHandle 7948 -prefMapHandle 7944 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb61ff0-e112-4c9e-8abf-5d624ff965a0} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8068 -childID 15 -isForBrowser -prefsHandle 8076 -prefMapHandle 8080 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb62e51c-94c1-46cb-a601-54d589837c32} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7436 -childID 16 -isForBrowser -prefsHandle 7316 -prefMapHandle 7268 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4800d2da-48a8-4fc3-b8da-9d7ff6dad639} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:3692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8368 -childID 17 -isForBrowser -prefsHandle 8448 -prefMapHandle 8444 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae511857-5fe0-41e4-8aea-8d08949c9870} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8144 -childID 18 -isForBrowser -prefsHandle 8384 -prefMapHandle 8376 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {829887f1-20b1-4604-be26-09cdde92530f} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7380 -childID 19 -isForBrowser -prefsHandle 7212 -prefMapHandle 7436 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b634173f-69f3-4f20-b44d-fea0669b4be8} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9044 -childID 20 -isForBrowser -prefsHandle 9036 -prefMapHandle 9032 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46009e34-a1bd-4944-afd6-7926ac54ccee} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9072 -childID 21 -isForBrowser -prefsHandle 9064 -prefMapHandle 9060 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb1e8d0a-9d91-4fab-9555-512792b93dfb} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8284 -childID 22 -isForBrowser -prefsHandle 9420 -prefMapHandle 2672 -prefsLen 27447 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df9e7dd0-6bb5-42b1-bbea-055c07920c05} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 23 -isForBrowser -prefsHandle 4608 -prefMapHandle 4580 -prefsLen 27774 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e75a5922-d30f-4e03-bd7d-7260f7635f6d} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9560 -childID 24 -isForBrowser -prefsHandle 2672 -prefMapHandle 7436 -prefsLen 27774 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45f02723-0b49-46fa-89a3-d462f1392e4a} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9660 -childID 25 -isForBrowser -prefsHandle 9668 -prefMapHandle 9672 -prefsLen 27774 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95c334ec-1fb2-48cb-8b1b-7eb22763f1eb} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6416 -childID 26 -isForBrowser -prefsHandle 6428 -prefMapHandle 6444 -prefsLen 27995 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3113641b-cffd-4d5a-a56d-8916e7ea48b0} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8432 -childID 27 -isForBrowser -prefsHandle 6072 -prefMapHandle 6060 -prefsLen 27995 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {051385bd-1025-46e0-8c72-7f4dd50eee4f} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:6828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9296 -childID 28 -isForBrowser -prefsHandle 6480 -prefMapHandle 6408 -prefsLen 27995 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30655e85-b65e-4080-b350-361650555acf} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7068 -childID 29 -isForBrowser -prefsHandle 9596 -prefMapHandle 9592 -prefsLen 27995 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09059ab4-f114-446b-b48b-232870d87860} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6100 -childID 30 -isForBrowser -prefsHandle 9460 -prefMapHandle 9212 -prefsLen 27995 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f60f814-eabf-4f4b-966d-56f47d19b5dc} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8032 -childID 31 -isForBrowser -prefsHandle 9060 -prefMapHandle 9200 -prefsLen 27995 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {741a9856-f958-41db-8ac2-9d1a7a9ce627} 3252 "\\.\pipe\gecko-crash-server-pipe.3252" tab
    3⤵
    PID:4996
- - C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
    "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\is-NKR8C.tmp\processhacker-2.39-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NKR8C.tmp\processhacker-2.39-setup.tmp" /SL5="$C0092,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
        
        "C:\Program Files\Process Hacker 2\ProcessHacker.exe" -installkph -s
        5⤵
        Executes dropped EXE
        
        PID:7036
    - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
        
        "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Checks system information in the registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:6816

C:\Program Files\Process Hacker 2\ProcessHacker.exe
"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ys8siqnt.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
ae56849839a30e3b7ba315560af1979e

SHA1
954f0058e8bb3d57f29ef7cadcaf82dc8f504a00

SHA256
ed1426a0c64c2c3223917335dfe2f0df08f5db62846b53e7e790bebd63f9279e

SHA512
b55b55e4539bbb1546d3b95af2c3392cb1db76ed87ba573325a5b52652f22c38658fadfc3511cbec35b65dc64cba944d4399dbbeb79c0558fba9792a1d4a58e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NKR8C.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\AlternateServices.bin

Filesize
7KB

MD5
77eeccc394825cdf892a40c05206e74c

SHA1
0c7e87446b02a5f6ba7956270284f188b1172731

SHA256
102d60618dcc2adc09a4f19bd936a7e1b3cd8d347ae0a73be9c63c320047ce89

SHA512
8c5c711750e2cc2aa96e0a902d83e16e3bfc25fe307f55050bbb1f183825ba26e6e946dfadcbd076f0dddaabcd29caedaba9fb5e0da90e792221fdbae23bcbb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
30770b59ebec0a54c91b7de8ea3136c9

SHA1
b43a31c04ec43dcf8b949310ef1c52cf5924c03d

SHA256
55820886e001f446af7831a2af17ad6bd0f675bb089a754ef15bf3e064278d6b

SHA512
a6eee7188de1577e8f06de9627bf770f5e924add74c9cd22716ce551baf46cf7dc4a2cba41c56213ebef573c20883005701851961fd4f7f41d44d42d18f4cc76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e72fb70e2e9fe4b0117631d0def4a0ad

SHA1
63827783c7f457982c3cabb691f41c39a8380e86

SHA256
7d7318b2455a9c9a2e224c7d8af1a8b70f68ec7e03b863232cc70ffcb297f46e

SHA512
d054391a099bc889c6e82f7f262f603782be838c0a5a637d183512d83cae2e0b3c4a98d184d59e1ec171e0594cbf883705d5b4f88ab3895080c6ed64e4f0fe4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
20661c037c8de3b7de77bd53583c8797

SHA1
d8208e751d15b5b8fbf247f4e3b8f6819d5560ac

SHA256
c3f3a4b495b664e44df4a1c6aa7f0aa9aa3e2fe9539d8688a4f185e27c95fb02

SHA512
fce1033d00cb6a0b23362478ea9ac35078c248b52d06e5afde87ef85f645cdd914492be09d7e9ba8cc29f3608e814eacfb07d0b06025c934616ae5cb5173ec7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
605f65508d7e94cd3785edb0a868a027

SHA1
2d749f65d41f82353a581003cc6dfb5884b1b76e

SHA256
66da5d615d89c46d4e72320a68e32022229ed27d39e42d790511669c030af544

SHA512
f4c1544f61a4c8714e95c88598d11d7cc09ea4dc01a8b63af76f55655aa59a53a36230ad517f6fc96151c97f445236f2634be1878c4ff08c6b741619d641b897

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\pending_pings\4f28ec07-7abd-4486-993b-e16c9a79eed1

Filesize
27KB

MD5
c3fa2fce1f8b356194bfb91c25ad606d

SHA1
e28208098fbdc06c3220f8e5b7eba9453d572a7d

SHA256
47b611a3f1bbee16a236b22ed1d377611ceea3190ae86330c90dd2c1911c4e16

SHA512
1cb3279936ca6433eb6bfb625ae4960451dddb8b6808a72df8e3b6cb4995a98982777d8db0012216515f2622d9f2af9b3574c821249bf0549d48243d57222bcb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\pending_pings\64aeb4f1-d718-4fdc-abd6-7ca06941ea6e

Filesize
24KB

MD5
bbcb88779fb88eec2c425e69e114b822

SHA1
a5b8d37a852a9c91886b457908ce32455c99d4a2

SHA256
50b8cc1cfb7f97e45cab405b5bad4c3f03ed17c9fb93c3c05037292da21d5606

SHA512
f8d3b4c21b254ad423a822f846993107f4135c5b33d80878f055f39d1603389dc51e29a779e3744d150183575dc4a4f5dbe136e7edb5e2ae31b8fe6cc43a5855

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\pending_pings\7e4ec1b6-5d2a-40e7-a4a2-9a5a3aaad3a0

Filesize
671B

MD5
1d147c321e6d2a6bdb428b81f4068972

SHA1
230adbf8ac106e2a96bb25c02a2fed85f705878b

SHA256
2a53a8371c3922c9463258c337ffb60b53309ed7361746c8e1e5b296b6e1473b

SHA512
11c2ee398a650e4db7043bb9465dbeb8ffb9ff5395b24efa573d380e157b71a6213d14787a21b59efe27a501f4d13e0d35651083a6e09f6c61f598d36b28ed9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\datareporting\glean\pending_pings\85a84998-4dfa-4283-b483-f880aeba64e4

Filesize
982B

MD5
4f3d74fbe0178e32390be8ec491a24a7

SHA1
2c117507a8b62c1415848ef3a84174682ad0db19

SHA256
cc6c08b13445b1abd8a66f75aacbc45c555b1c8c6b3830c73eeaf70abeab3649

SHA512
3965f1f4630911d096c5409892f9b517915b03a7830dd564373d93b98c5017fff215690f13efb93254a0223d1815597dd03d522ede52ff1208d8e1d1d6e9769d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\prefs-1.js

Filesize
10KB

MD5
a9fe0ab520c1b9ad4d8b57e9e3b16dbc

SHA1
baa3ac234e46525058522bb6f77a5884057af365

SHA256
1f40621508b65ad3478b2c5a7db0b5cb40a53bf771b45fb49149e6e28fe842c0

SHA512
8f1f3538a808dbce9c4d6f8a1f15bece3167120d39c1634d417088eeed3e8315d12570a6c65fb65edab64798f78a357fa442710547c78a9b4b9d988e099dbee2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\prefs-1.js

Filesize
11KB

MD5
0dc8d73809ae5747819d33dd2a1999bd

SHA1
7c550a995e9f4f66a140dfe77286fe58f711ec12

SHA256
1c4d4351c13f2d0bfac0b49aaa0d00d40a58d249ea4abd40d8d59ece27202dff

SHA512
d99278fb667dcc137c19b2fa5be897b18a82d6ce448404c1dd1781e5250e64f349626ec85e5d9ae22ae050c26aca22fa547152043f411fe9d59cb0ad89c0eb2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\prefs.js

Filesize
9KB

MD5
73f42f2a7b66b6f2cd880b1f5e163151

SHA1
478eb85eaa2e2c69ffb93484d88e14ddb2b02ed7

SHA256
3c96c2ce627714a0ef1fc2276a698b6866278219349014f0eb3d8edecfb2abfe

SHA512
f5e2525f99b8fa09b1cd98e7ecc2dfde2153dd55a913a6fa2259b267f45f5a0f6ba5c23d488e7381b027185d19acbc5500ef4ab84139a2dbcea4a2a95a94c9ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
026bcfe4071150a3b76f0a6862608a5d

SHA1
85e76740aae56d3694d5cc42105a2c4591af6dc8

SHA256
3e87c548c170ebbceef6cd6acc9b4da6669a3d23f0f6e2909fd8420d9db60de5

SHA512
cbb70bdbdd9d901f7ef3cd297b967e54dfe5d2e4d89d4b28a2a83bc01898396c2d68c0f765d7d0f09da5ce4da9a35aeba3c8f963a59f17131200622771705d08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ys8siqnt.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f0f09ffdac98bf1bcaaeba8e6ef4cef5

SHA1
192da59cb5a6a9f222e0fad7545f6443923fd438

SHA256
015f93c51a77485966b16b552e0fcfc1319670675a71de29de95471cc732ff07

SHA512
bdfa18337bcf19a985292c5a762989b6b5a8e80ce6867037a7d022ae474f3ac8094ed4ef6e3fe2a2cd5057de3cf036c3245155f95db9ca50e471d2d46120084a

Download Submit
C:\Users\Admin\AppData\Roaming\Process Hacker 2\settings.xml

Filesize
10KB

MD5
3dc3f628d48a8bd7074a0cb30f3bc005

SHA1
291ecd342b253ac1307e99def243076817bc50fa

SHA256
600248ce7d798505d970bcef7e2c12d28741755e6a7f14c6dfc1d90c0daed5c4

SHA512
6868a06d2559f168de510dc756045484b324bf211e3e51ba810adc2c8a094d428da7a355784e3834747746516a9b9b473cf3233d5337d9b32c286190867808d1

Download Submit
C:\Users\Admin\AppData\Roaming\Process Hacker 2\usernotesdb.xml

Filesize
13B

MD5
b4f3f626702d390956221a950ca9a224

SHA1
21ffdacdf5d6fa922c88a029e3187967723e0029

SHA256
7a6d204eb0e51a9b3bdb6fceb3ca0e397b443170886695f1d981621b45a13739

SHA512
0f7e61d674cd2949f9eaad367927abbf17621b0fab6da25273a5eb6ecbe9640618744a2919f11b7a352facabc2773848416f9d04bea2de02449e6d028c553dfa

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\name.exe

Filesize
3.1MB

MD5
0adc6241197fc1fdcd36bd0f76f89b24

SHA1
e5eedce758351fe52c4bc3b230a319400dba6d8e

SHA256
b9474630c33784f2756c64ba626e2c9ed67c6a3498a28c5977950fd7bc5a041a

SHA512
c967faaef0efac7f6df8ca9abd6b9f661166b2a28bb271f39036f20f8dff7cfda361df9e080994535de6c05658c3d78c947b8e5ede7846316d73f5c3a02b06e3

Download Submit
C:\Users\Admin\Downloads\processhacker-2.39-setup.exe

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
memory/884-0-0x00007FFF57593000-0x00007FFF57595000-memory.dmp

Filesize
8KB

Download
memory/884-2-0x00007FFF57590000-0x00007FFF58052000-memory.dmp

Filesize
10.8MB

Download
memory/884-5-0x00007FFF57590000-0x00007FFF58052000-memory.dmp

Filesize
10.8MB

Download
memory/884-1-0x0000000000570000-0x0000000000894000-memory.dmp

Filesize
3.1MB

Download
memory/1700-6-0x00007FFF57590000-0x00007FFF58052000-memory.dmp

Filesize
10.8MB

Download
memory/1700-10-0x00007FFF57590000-0x00007FFF58052000-memory.dmp

Filesize
10.8MB

Download
memory/1700-7-0x00007FFF57590000-0x00007FFF58052000-memory.dmp

Filesize
10.8MB

Download
memory/1700-8-0x000000001E610000-0x000000001E660000-memory.dmp

Filesize
320KB

Download
memory/1700-9-0x000000001E720000-0x000000001E7D2000-memory.dmp

Filesize
712KB

Download
memory/2440-2020-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2440-1924-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2480-12-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-11-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-13-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-20-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-22-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-21-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-19-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-23-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-18-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/2480-17-0x00000203F5150000-0x00000203F5151000-memory.dmp

Filesize
4KB

Download
memory/5068-1923-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-1812-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-2021-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download