55ced8dbb6f6bfd32b67b6fff510d3e52f09c5b73f10ff68da4d72fc8705f0f0

Resubmissions

24-06-2024 00:58

240624-bbzf8svfpq 10

18-06-2024 23:03

240618-21zreasgrl 10

Analysis

max time kernel
1799s
max time network
1603s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-06-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

processhacker-2.39-setup.exe
Size

2.2MB
MD5

54daad58cce5003bee58b28a4f465f49
SHA1

162b08b0b11827cc024e6b2eed5887ec86339baa
SHA256

28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063
SHA512

8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829
SSDEEP

49152:l9hfV/U5NkLXXzGZjt6kFTCVP6hWE0wvmk/eE+FrAl+NGsOSE6IX8pq:Dh9/ULkjKxtTGP6VZd2rAcvOSE6Nq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid process

312 processhacker-2.39-setup.tmp
3364 ProcessHacker.exe

Loads dropped DLL 12 IoCs

Processes:

ProcessHacker.exe

pid	process
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 42 IoCs

Processes:

processhacker-2.39-setup.tmp

description	ioc	process
File created	C:\Program Files\Process Hacker 2\is-RPD6S.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-6SS8R.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-00CM4.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-E3JII.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-BJFCO.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-6NE2P.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-JHGK2.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-1ETTP.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-3PQ32.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-U51O6.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-96UQK.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-KUFNM.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-HUI04.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SJU5A.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-7BRAJ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-H2Q99.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-8BET4.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-NS4KT.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-FJ03I.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-NA3L7.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-7LRLU.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-F87SG.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-Q0QLN.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-2U2OK.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeProcessHacker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ProcessHacker.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exe

pid	process
312	processhacker-2.39-setup.tmp
312	processhacker-2.39-setup.tmp
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ProcessHacker.exe

pid process

3364 ProcessHacker.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
632

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

ProcessHacker.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	3364	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	3364	ProcessHacker.exe
Token: 33	3364	ProcessHacker.exe
Token: SeLoadDriverPrivilege	3364	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	3364	ProcessHacker.exe
Token: SeRestorePrivilege	3364	ProcessHacker.exe
Token: SeShutdownPrivilege	3364	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	3364	ProcessHacker.exe
Token: SeDebugPrivilege	2104	firefox.exe
Token: SeDebugPrivilege	2104	firefox.exe
Token: SeDebugPrivilege	2104	firefox.exe
Token: SeDebugPrivilege	2104	firefox.exe
Token: SeDebugPrivilege	2104	firefox.exe
Token: SeDebugPrivilege	2104	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

processhacker-2.39-setup.tmpProcessHacker.exefirefox.exe

pid	process
312	processhacker-2.39-setup.tmp
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exefirefox.exe

pid	process
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe
3364	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2104 firefox.exe

pid	process
2104	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

processhacker-2.39-setup.exeprocesshacker-2.39-setup.tmpfirefox.exefirefox.exe

description	pid	process	target process
PID 3660 wrote to memory of 312	3660	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 3660 wrote to memory of 312	3660	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 3660 wrote to memory of 312	3660	processhacker-2.39-setup.exe	processhacker-2.39-setup.tmp
PID 312 wrote to memory of 3364	312	processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 312 wrote to memory of 3364	312	processhacker-2.39-setup.tmp	ProcessHacker.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 2104	2908	firefox.exe	firefox.exe
PID 2104 wrote to memory of 440	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 440	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe
PID 2104 wrote to memory of 4084	2104	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup.exe
"C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\is-SB4PK.tmp\processhacker-2.39-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SB4PK.tmp\processhacker-2.39-setup.tmp" /SL5="$700DA,1874675,150016,C:\Users\Admin\AppData\Local\Temp\processhacker-2.39-setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:312

C:\Program Files\Process Hacker 2\ProcessHacker.exe
"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.0.871724223\1873722121" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eec6fbd-9d74-47ef-8452-8a98b6b033fd} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 1780 1417b2d6458 gpu
3⤵
PID:440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.1.1393757323\764850238" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fba5718-f244-4e83-918a-cb29ee2b8e2b} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 2136 1417ad31a58 socket
3⤵
PID:4084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.2.400296655\1474159251" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2764 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ca09ac5-c7f6-44fc-8034-9159a8436e1d} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 2756 1417b25b258 tab
3⤵
PID:4652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.3.1567202544\1630397691" -childID 2 -isForBrowser -prefsHandle 3400 -prefMapHandle 3384 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f85c53d2-2189-486d-8b29-c27850713350} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 3432 14170162558 tab
3⤵
PID:3012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.4.1280481519\1294584282" -childID 3 -isForBrowser -prefsHandle 4012 -prefMapHandle 3792 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a3d8d33-5e6c-48f0-9e7c-5ad00a5ba5c4} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 3384 141806a6358 tab
3⤵
PID:2368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.5.69339160\668471546" -childID 4 -isForBrowser -prefsHandle 4940 -prefMapHandle 4936 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac56d5f0-e6e6-492d-a889-19c466548fbe} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4952 1418194c358 tab
3⤵
PID:3660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.6.442762872\274488873" -childID 5 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45a7b38a-c18b-41bf-be71-39739527b5ed} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 4972 14181af8358 tab
3⤵
PID:1512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.7.786626465\350327750" -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {407d5cac-8f92-4bdd-ad26-3db09f1c04ce} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 5280 14181af6b58 tab
3⤵
PID:2496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2104.8.1068749084\1839117771" -childID 7 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cbe98d0-e60d-4e9e-967e-11b90ca386e4} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" 5716 1418373c158 tab
3⤵
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe
Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig
Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll
Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll
Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll
Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll
Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll
Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\doomed\13726
Filesize
11KB

MD5
6e7dec96e113cf0ca0fa4f69e181b384

SHA1
b6ef1db5772acc3c4f47e8fd5aacba38cc364582

SHA256
6781ccb007d1ae57ff1890b5366f0f804e2170b2a2cd1287ca14794c65aa895d

SHA512
cf1f71453e409d7b5417bc3a5a1b38f4beff57cdef0e7643afe361c1c4b11d65a69aabe161ffce3dfc6107af58e9b91b99fe6c6d2fb94924009773948e905094

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SB4PK.tmp\processhacker-2.39-setup.tmp
Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
7KB

MD5
ba151bf85bfb4b62db872c9a9ea8dd06

SHA1
2308df1e321b181fc15781be073ad345776c63ce

SHA256
58da01531db4ea06bc10d7c9af686b8b21af3c7b36b009afc0bbfb50d0ee3504

SHA512
9d8e759e34d6aa4b25b06be716c80d8633f5898186ad65ee731b151d7b5a2ebe7470d84c5b62e1bad739539a24dc28f26d73eebe41b43601030ead43d9fd82ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\bookmarkbackups\bookmarks-2024-06-24_11_MaaMR8mhAQTbCgvsLumwIQ==.jsonlz4
Filesize
945B

MD5
838d93fe7f64f4f752cc6aa88379ef54

SHA1
55f0a2bd40fd96e3a319f886a58891fd9d416c0b

SHA256
1b13e0ebb1dab164edd26588e55ea99c9909f18c56c9a3478937d96719d9a54d

SHA512
8a4fddabc8792bc2fdc4868e1873f415614c3dc08bbb50272b64fbab124b4516ab0e3be04f31cfb8e02e7b653bff231053208d1638dcf0372439dcec71d33f00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\broadcast-listeners.json
Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
Filesize
8KB

MD5
3840fec469786331cb3dcad41157f7ac

SHA1
5188961450e334f667421e32d46b21e49be37b32

SHA256
e943a3bdf94c95fe9e1eba56326f724513424459181dc73b178a2f0f2ceb53f9

SHA512
1189fdce395e85d67815ee562d0b580d8325cd96f4c5e650636e069af041cb189cc1410c81541187ced24ed33831951e570a8eaeb1d340ea7cac71493b851667

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\55301347-e825-483a-b1e7-a88c763d0941
Filesize
734B

MD5
ad237ba03be61073199559c91c173246

SHA1
a8dcf5e4d1498054f6073a3372ed5704c02224fb

SHA256
f721ac6c6130c7e6b83b9c3179dc9cc69ca0d06184f2473578c2dc25f50b0a85

SHA512
bd9bc28733cb64e0d4919ef8d46f6c137c5feec06b1eac0f6ca3b201540923d5081138a0c79da4bf0e1481ac7e46c6bdead4ab02bf96454a0822b6a6b4034e32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
Filesize
7KB

MD5
36d223e88eb545bb7638aaa252d23c8d

SHA1
1901660d73cf940993f781f7c51b563db7b73633

SHA256
e820609a21bedccf2bb347951e32fc895ac688b3efe09412913d199de84fb927

SHA512
c78ab187c182f5cc35a20d82e0f128de8569aab7925e73bba0a565a76c4e231c67d57d023a67450c95efbb759415f9bef60dae1ac568ada2296aa215d0e8472f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
Filesize
6KB

MD5
c52158a3b49753b8b84034355626233f

SHA1
9ec749317c6d317bf4bdc9c19b752c3814296890

SHA256
4451d34584d355c555b41cdc1aeb0ec57ee20c8580a5a5e5e0d224d80ae294d2

SHA512
75c09ab7b44aec3d31a4e789c22e8966cbc56234c8c45c0edcd79ea85d6601a41e05d101ea805678da46adde0ff9fdb237578a24039ab964002c74b6d435daeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
Filesize
7KB

MD5
72656178fb2d2cd31339201b478b06c7

SHA1
c630a608b527d7bd2a56a7aae835bb484e5c9d38

SHA256
9b394f6e842db4332399416905b2658581da2683f0ece146104b20dfcf61758e

SHA512
cac43e00d0e2afb7d6ba36ced31374ba9dfb1f24aa8441296de3f8851beb5c2478d10b3473401180167610e9289cdf6f5b9ba1b06c7b9f4ee3a6cf02b1f77790

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
Filesize
6KB

MD5
e6473b0598bc8749c5fc5fc816e8d3ea

SHA1
46ecda73917f201d9c6822c586c7abcddf7ef90b

SHA256
0f14bbb85d48b03ab111d8334cd79cc7b7c957cd3d92c9bdddbec4c478c2080a

SHA512
d62661aefdf1f00e22b766df38f7476149766a88af1716992ac9d5bb75e36e11defdc04cd7d9d0ff1500730c82960621d60d37b773b2b184ab7413e4f0a5496e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js
Filesize
6KB

MD5
af81de880d4d1b1e1ab4860face2c6d4

SHA1
dfafeb972c81ec5ec92e1f6684aa876b91df57f4

SHA256
debb6f5d407367a5b7473a9116af45754e846a58b60748482dc2884298f4db2d

SHA512
cb83228329adb5e55e8e93918c1f262841007da63f810ac354c29b6e064d73fea4b1bce6446dec5b3490ffd7a171faeceda96c08de65fb28d76d6401e18b1728

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
bb9c798b934d868f8138e56c44a76d6b

SHA1
79b1fddc3b81315e0e5657e5df4b85d0aad18a87

SHA256
0d4ce507672191db1f840a2cb6db197855ef10b3d0eee79ff58aaa003b2e767c

SHA512
cde22b2247f77a7b7fbe3c6590fac33154c72e08af1ade43edfbb6d97fa0d404dfff0ec5b5ec94b5f9aca97ae5b9ee4b27203b89dab784286cb082ab5005c6bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
03aebd3070048c8353f6440ea31d176b

SHA1
960916390a52fa1bda03e32ce62df4b9be2c508d

SHA256
a009ed7d29d2ebf80dd334c1413aff3b430a297a6efd1cf2feaac0b61026f65e

SHA512
7e5a06755b0a335ff0f1fc8e677f45301f0ce3d6d7ed1f9e55ed4abd0aa3960a8475989010f3fa6e9ecda34134409fc8aab718912b10247f1a849a770f123f45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
f69e4a378765ca210a1dbdc751da19c0

SHA1
341197f2b53f4b0793532ebedb0c4bbef130d277

SHA256
18137dd5cf5c91996cb8d67e29cb57245bf232b980286888fda97eb62117c555

SHA512
913834d02d4763cb84e1b1fa2da4db9972133c05f12159e4421c4c942f2e5527e31177b3d695e96cef9bad69a30e5b80ee819fd408c576e09908b4bfc97f037e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
731c0e733fe1e3123d366af7c8e578ae

SHA1
9756304ea773dd9cd96e5996dc79de2ed6a9ae9c

SHA256
8f426b4be5e3440fa14d37480f018b7dc3d1a547b0e91c2fbfc6e31d9054a359

SHA512
d29e0f2356a3226f64692b390c122d4d70f09f677d9f5d086f2babaeba6574d670171edb24ff52f928871ec489680f57910e21fac1ca8ec08783a07d21b1f427

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
192KB

MD5
56b31097da89d8fec1ed3f26ce414e18

SHA1
176886e26bb0af3619c74f9c4309385586c7689b

SHA256
2fc31f9b67e1bb7ee8ff725cdb0bce056f85aaddb511ca950e76c33118a39eb3

SHA512
91d0052d2a9fb8de7041330c19318f52506b7b3f36e606d6334814c0c458271dec7430d10f125eafa232387c1fd6e105f5d268e92a31404e1673f89637c2a3f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\targeting.snapshot.json
Filesize
3KB

MD5
0e520d3c91cbb7d079f2e0226d2c7ff0

SHA1
cbcfd27c933f309903997e835b3a9d8fafc6b0d1

SHA256
950fbbf50ab73091f98de77d0b0cb6566fc1e3f571e809196d36202c192fabc1

SHA512
ceb6c34ce6b0d570ac43d21c509afcce081f324393ca8e194f2fbd283792fd54d5d70085ff7a7f9f1f71cc580d0be74f830c68d889214c2a5548793dd06270cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\xulstore.json
Filesize
138B

MD5
78c80def0173e588c323dab4cba515de

SHA1
c8223b02f993aee7109d95c4500936e58ae99335

SHA256
afa0cf6ecff1f4658bbfeb8d9e8297f0d95179a3d6ed7f859f93789bf5c05e20

SHA512
811c387dce8cffe7db151105debe0f1fe8dd2664e2d39afcc1506ed2da896221298e30d25065d88db9a3594de427a2cd6aae20add5c28a10ff82c19ed6957467

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Process Hacker 2\plugins\DotNetTools.dll
Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
\Program Files\Process Hacker 2\plugins\ExtendedServices.dll
Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
\Program Files\Process Hacker 2\plugins\HardwareDevices.dll
Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
\Program Files\Process Hacker 2\plugins\OnlineChecks.dll
Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
\Program Files\Process Hacker 2\plugins\ToolStatus.dll
Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
\Program Files\Process Hacker 2\plugins\Updater.dll
Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
\Program Files\Process Hacker 2\plugins\UserNotes.dll
Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
memory/312-77-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/312-108-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/312-8-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3660-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3660-76-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3660-109-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3660-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download