hijackloader | 74fafcc357a95cf19078b2489e9b8e8713cccf2b83398ae4c331a30bb9d87934

Analysis

max time kernel
291s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app.html
Size

542B
MD5

ecb096de4aa7a595b66aad7838cc5115
SHA1

64f67c3b8d9cd794d473726e57497b8e8d0c52f1
SHA256

74fafcc357a95cf19078b2489e9b8e8713cccf2b83398ae4c331a30bb9d87934
SHA512

2f91f1842606c7e70db93c21cdf66ad7f88564a76887f51456dd845d022a88d746136b7074492cbfbde296c900b5358d273af33c5c47b6c5c718afbc9e85efb6

Score

10^/10

hijackloader rhadamanthys stealc discovery loader spyware stealer tag:discovery AND tag:spyware AND tag:stealer

Malware Config

Extracted

Family

stealc

http://89.105.198.116

Attributes

url_path
/192e1934359966f8.php

Signatures

Detects HijackLoader (aka IDAT Loader) 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3736-994-0x0000000000400000-0x0000000001636000-memory.dmp	family_hijackloader
behavioral1/memory/3736-1004-0x0000000000400000-0x0000000001636000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

snss2.exe

description pid process target process

PID 1612 created 2528 1612 snss2.exe sihost.exe
Downloads MZ/PE file

description	pid	process	target process
PID 1612 created 2528	1612	snss2.exe	sihost.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Program Files (x86)\Wion\Wion.dll	net_reactor

Executes dropped EXE 6 IoCs

Processes:

Wion Setup.exeWion.exesnss1.exeatkexCom.exeatkexCom.exesnss2.exe

pid process

4624 Wion Setup.exe
3124 Wion.exe
3736 snss1.exe
3580 atkexCom.exe
4012 atkexCom.exe
1612 snss2.exe

Loads dropped DLL 64 IoCs

Processes:

Wion Setup.exeWion.exeatkexCom.exeatkexCom.exeexplorer.exe

pid	process
4624	Wion Setup.exe
4624	Wion Setup.exe
4624	Wion Setup.exe
4624	Wion Setup.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3124	Wion.exe
3580	atkexCom.exe
3580	atkexCom.exe
3124	Wion.exe
3580	atkexCom.exe
4012	atkexCom.exe
4012	atkexCom.exe
4012	atkexCom.exe
4016	explorer.exe
4016	explorer.exe

NSIS Integrity Check function 1 IoCs

Stealc Info Stealer.

tag:discovery AND tag:spyware AND tag:stealer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Wion Setup.exe	NSIS

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

atkexCom.exe

description pid process target process

PID 4012 set thread context of 3684 4012 atkexCom.exe cmd.exe

description	pid	process	target process
PID 4012 set thread context of 3684	4012	atkexCom.exe	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

Wion Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Wion\ko\WindowsFormsIntegration.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\pl\WindowsBase.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\zh-Hant\WindowsBase.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\ja\UIAutomationClientSideProviders.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Net.HttpListener.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Runtime.InteropServices.JavaScript.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Transactions.Local.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Xml.ReaderWriter.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Windows.Presentation.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\UIAutomationProvider.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\tr\WindowsFormsIntegration.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\zh-Hant\System.Windows.Controls.Ribbon.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\Wion.exe	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\de\System.Windows.Forms.Design.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\de\System.Windows.Forms.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\ru\System.Windows.Forms.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\Microsoft.VisualBasic.Core.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\PresentationNative_cor3.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Text.RegularExpressions.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Xml.XPath.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\tr\WindowsBase.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.IO.Pipes.AccessControl.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\cs\Microsoft.VisualBasic.Forms.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\Microsoft.Win32.Registry.AccessControl.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Diagnostics.PerformanceCounter.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Net.Quic.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\es\Microsoft.VisualBasic.Forms.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\PresentationFramework.Luna.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Drawing.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Linq.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Diagnostics.StackTrace.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\pt-BR\UIAutomationProvider.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\PresentationFramework.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Diagnostics.FileVersionInfo.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\it\System.Windows.Input.Manipulations.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\ko\UIAutomationClientSideProviders.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Threading.Timer.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.AppContext.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Net.WebHeaderCollection.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Security.Cryptography.Encoding.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Text.Encoding.Extensions.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\ru\UIAutomationClientSideProviders.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Net.Sockets.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Security.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\hostpolicy.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\ja\WindowsFormsIntegration.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\Microsoft.Win32.SystemEvents.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Text.Encoding.CodePages.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\Wion.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\cs\PresentationCore.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\de\UIAutomationProvider.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\de\WindowsFormsIntegration.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\fr\WindowsFormsIntegration.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\pt-BR\WindowsBase.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\zh-Hans\System.Windows.Forms.Primitives.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\zh-Hant\UIAutomationClient.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.Runtime.Serialization.Json.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\ko\PresentationCore.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\pl\Microsoft.VisualBasic.Forms.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\ru\PresentationUI.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\es\UIAutomationClientSideProviders.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\it\ReachFramework.resources.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\System.IO.MemoryMappedFiles.dll	Wion Setup.exe
File created	C:\Program Files (x86)\Wion\UIAutomationClientSideProviders.dll	Wion Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1128 1612 WerFault.exe snss2.exe

pid	pid_target	process	target process
1128	1612	WerFault.exe	snss2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590188968143369"	chrome.exe

Modifies registry class 42 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000b3a38ce0bd68da011e8ec7a7cd68da0112b5b950929bda0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exesnss1.exeatkexCom.exeatkexCom.execmd.exeexplorer.exesnss2.exe

pid	process
4888	chrome.exe
4888	chrome.exe
2440	chrome.exe
2440	chrome.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
2496	powershell.exe
2496	powershell.exe
2496	powershell.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
3736	snss1.exe
3736	snss1.exe
3736	snss1.exe
3580	atkexCom.exe
4012	atkexCom.exe
4012	atkexCom.exe
4012	atkexCom.exe
3684	cmd.exe
3684	cmd.exe
3684	cmd.exe
3684	cmd.exe
4016	explorer.exe
4016	explorer.exe
4016	explorer.exe
4016	explorer.exe
4016	explorer.exe
4016	explorer.exe
4016	explorer.exe
4016	explorer.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe
1612	snss2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

2432 chrome.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

atkexCom.execmd.exe

pid process

4012 atkexCom.exe
3684 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

4888 chrome.exe
4888 chrome.exe
4888 chrome.exe
4888 chrome.exe
4888 chrome.exe
4888 chrome.exe
4888 chrome.exe
4888 chrome.exe

pid	process
2432	chrome.exe

pid	process
4012	atkexCom.exe
3684	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

chrome.exe

pid	process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Wion Setup.exeWion.exesnss1.exeatkexCom.exeatkexCom.exesnss2.exechrome.exe

pid process

4624 Wion Setup.exe
3124 Wion.exe
3736 snss1.exe
3736 snss1.exe
3580 atkexCom.exe
4012 atkexCom.exe
1612 snss2.exe
2432 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4888 wrote to memory of 4656	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4656	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4484	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1052	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1052	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1048	4888	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\app.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae9d69758,0x7ffae9d69768,0x7ffae9d69778
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:2
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4624 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1760 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5656 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5420 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:3632

C:\Users\Admin\Downloads\Wion Setup.exe
"C:\Users\Admin\Downloads\Wion Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Program Files (x86)\Wion\Wion.exe
"C:\Program Files (x86)\Wion\Wion.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Local\Temp\5e66737e-4b13-4e4d-8ef5-e4c6d09c0ed6\snss1.exe
"C:\Users\Admin\AppData\Local\Temp\5e66737e-4b13-4e4d-8ef5-e4c6d09c0ed6\snss1.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Users\Admin\AppData\Local\Temp\ufpAuth_alpha\atkexCom.exe
C:\Users\Admin\AppData\Local\Temp\ufpAuth_alpha\atkexCom.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Users\Admin\AppData\Roaming\ufpAuth_alpha\atkexCom.exe
C:\Users\Admin\AppData\Roaming\ufpAuth_alpha\atkexCom.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
8⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Local\Temp\5e66737e-4b13-4e4d-8ef5-e4c6d09c0ed6\snss2.exe
"C:\Users\Admin\AppData\Local\Temp\5e66737e-4b13-4e4d-8ef5-e4c6d09c0ed6\snss2.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 668
5⤵
- Program crash
PID:1128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4364 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4524 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2448 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5500 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5400 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3392 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:1
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 --field-trial-handle=1880,i,2150172482706286284,7847141099244024075,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4352 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3508 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:3
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1612 -ip 1612
1⤵
PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wion\System.Collections.Concurrent.dll
Filesize
270KB

MD5
38d21e067d7673194a84cced59066ac8

SHA1
e64362176f714b23603f3a67f1e741f12e35a832

SHA256
483130bfd1e57a0cbfd8a4f3c6e2353ac3f246276f9476c83cca1cadbc47ef47

SHA512
3fa6f78ff0cb527a8e82261549f24a8609d005821ac5c5e7257670dffd55472a134af3ef78d73779758303ae5a90728181cd4caebc871c5cfa4c309141201baf

Download Submit
C:\Program Files (x86)\Wion\System.Collections.dll
Filesize
254KB

MD5
92063926c04f2e4bf5b5fde16542831d

SHA1
e7be34eaff2d3d8796911d21f1fdbb93bf231dec

SHA256
9193aaef3ea8f19408f88c25fcaf5880e7836d1c35028d7e4077f6090b083541

SHA512
e855ee37980d1da2d143ee39133b05fff81937e529cffe74433e73088549daabd3abadbf05f3765bf3ffffd50313f0ed966efec0eb244d7363241affd73cc29f

Download Submit
C:\Program Files (x86)\Wion\System.ComponentModel.Primitives.dll
Filesize
78KB

MD5
1c59c00ab0850af4b4d2bafd6be47db3

SHA1
4c6185b2f42987e25a5fdf2aa30cf4150de25d5b

SHA256
133ec34432ab8fa4f63ade636193864b6a62a089a0c98d746f5532c8a52f437b

SHA512
8425c02c4afb274e862e4ed5dd1c766ebfa1bcf5bf59018d86238014a52603331a8b7c1e233f5a1f22171e90132ddd585db0d2561ff2cd287d703397afdff4b1

Download Submit
C:\Program Files (x86)\Wion\System.IO.FileSystem.dll
Filesize
15KB

MD5
35e27f4c681085a4b096826ee8ea4f53

SHA1
cf3ea4304e5558c8fdd4422e4d72509cd91ea719

SHA256
7bd41c6b12b73e6e90476f2d56db8581664abe07e7ab9bf2917bb254ed1d75ad

SHA512
1f9e6519ff29524e57cb0b3576ab118014293aade8f30027ef44b1f29a8e9a54e7bcb3b288a92dba996053b16016807d93fa9f44f2c43666ddc6425ddd7ae4b9

Download Submit
C:\Program Files (x86)\Wion\System.Memory.dll
Filesize
154KB

MD5
7e999da530c21a292cec8a642127b8c8

SHA1
6585d0260ae98bab2ad1eaba0f9cfe8ebb8a0b3f

SHA256
3af25e0c81c1462d0db86f55c4e5fd8c048c70685f9a566d29d499bc46935fb4

SHA512
a18b6649b5c2f9f96bf639863df9faad436759200a64f91fb2d955f33c71ce4b2d5798be982f692a247ac864d8acb63fb731b31c06333e5c7d9a9c895ecd6451

Download Submit
C:\Program Files (x86)\Wion\System.Private.CoreLib.dll
Filesize
12.6MB

MD5
805cf170e27dd31219a6b873c17dce88

SHA1
ac90fa4690a8b54b6248dcb4c41a2c9a74547667

SHA256
ba7e61a00e7a4634b5c5a79b83126f75580ceec235c613000c3efbc01826cad0

SHA512
fa946aae906b66cb5570155a1c77340f2b6d4efb9be16068da03a8f1c5b5f37ad847d65cd1416017db19375dc6a72670300da4c766e6d9bb1a00374f492bd866

Download Submit
C:\Program Files (x86)\Wion\System.Private.Xml.Linq.dll
Filesize
394KB

MD5
60ed8b2bffc748d6a2a1fed8fa923368

SHA1
be411429b9a649a495124558c5e5d95a83525d58

SHA256
0b63cebb991d1911a607993ea5b4639f34a2b0b381a73973542db2d3591e9f90

SHA512
b0a4ac2aa96d827258bb30f098512741ad3f93585e05ceae0255e15cd8dc9ab8048788902c1eb32a813e9c69c8a923200a716b4e00f579c22a0b425665e575f8

Download Submit
C:\Program Files (x86)\Wion\System.Private.Xml.dll
Filesize
7.6MB

MD5
46aebfbd6d7e74d4d558da62d7600d25

SHA1
9c1cd44ab8b5e283967427e91cbddddfc0c2bf5a

SHA256
834e304221e742a831be5c5178892258e689eae35b730172e74161af2785aab9

SHA512
9c4499d174a988cc3830aafcc42f79defff37b16198f49cf5d2dc86f88809fcb44e0c300351f813d46addf9998f64448c50213f1721c6a307aad21c205db1524

Download Submit
C:\Program Files (x86)\Wion\System.Runtime.InteropServices.dll
Filesize
94KB

MD5
49c86e36b713e2b7daeb7547cede45fb

SHA1
75fe38864362226d2cce32b2c25432b1fd18ba37

SHA256
756de3f5f2e07b478ac046a0ac976b992ef6bc653a1be2bb1e28524a4ff8d67d

SHA512
a9bd42b626158c540be04f8d392620daba544a55b7438d6caefe93b9df10ec2219f28959c4e0d706a86b92008275de94dfdf19de730787cdacf46d99fc45e3a9

Download Submit
C:\Program Files (x86)\Wion\System.Runtime.dll
Filesize
42KB

MD5
53501b2f33c210123a1a08a977d16b25

SHA1
354e358d7cf2a655e80c4e4a645733c3db0e7e4d

SHA256
1fc86ada2ec543a85b8a06a9470a7b5aaa91eb03cfe497a32cd52a1e043ea100

SHA512
9ef3b47ddd275de9dfb5ded34a69a74af2689ebcb34911f0e4ffef9e2faf409e2395c7730bce364b5668b2b3b3e05a7b5998586563fb15e22c223859b2e77796

Download Submit
C:\Program Files (x86)\Wion\System.Security.Cryptography.Algorithms.dll
Filesize
17KB

MD5
8f3b379221c31a9c5a39e31e136d0fda

SHA1
e57e8efe5609b27e8c180a04a16fbe1a82f5557d

SHA256
c99c6b384655e1af4ae5161fe9d54d95828ae17b18b884b0a99258f1c45aa388

SHA512
377f4e611a7cf2d5035f4622c590572031a476dd111598168acea1844aaa425c0fe012c763fbc16290c7b32c6c7df7b2563c88227e3dbc5d2bd02250c9d368d9

Download Submit
C:\Program Files (x86)\Wion\System.Security.Cryptography.Csp.dll
Filesize
15KB

MD5
c7f55dbc6f5090194c5907054779e982

SHA1
efa17e697b8cfd607c728608a3926eda7cd88238

SHA256
16bc1f72938d96deca5ce031a29a43552385674c83f07e4f91d387f5f01b8d0a

SHA512
ae0164273b04afdec2257ae30126a8b44d80ee52725009cc917d28d09fcfb19dfbbb3a817423e98af36f773015768fed9964331d992ad1830f6797b854c0c355

Download Submit
C:\Program Files (x86)\Wion\System.Security.Cryptography.Primitives.dll
Filesize
15KB

MD5
777ac34f9d89c6e4753b7a7b3be4ca29

SHA1
27e4bd1bfd7c9d9b0b19f3d6008582b44c156443

SHA256
6703e8d35df4b6389f43df88cc35fc3b3823fb3a7f04e5eb540b0af39f5fa622

SHA512
a791fa27b37c67ace72956680c662eb68f053fa8c8f4205f6ed78ecb2748d27d9010a8de94669d0ee33a8fca885380f8e6cfad9f475b07f60d34cdcb02d57439

Download Submit
C:\Program Files (x86)\Wion\System.Security.Cryptography.dll
Filesize
2.0MB

MD5
75f18d3666eb009dd86fab998bb98710

SHA1
b273f135e289d528c0cfffad5613a272437b1f77

SHA256
4582f67764410785714a30fa05ffaaad78fe1bc8d4689889a43c2af825b2002e

SHA512
9e110e87e00f42c228729e649903ad649b962ae28900d486ee8f96c47acca094dbace608f9504745abf7e69597cdef3c6b544b5194703882a0a7f27b011fa8d5

Download Submit
C:\Program Files (x86)\Wion\System.Threading.Thread.dll
Filesize
15KB

MD5
72d839e793c4f3200d4c5a6d4aa28d20

SHA1
fbc25dd97b031a6faddd7e33bc500719e8eead19

SHA256
84c9a95609878542f00fe7da658f62d1a6943a43e6346af80d26bcff069a4dbd

SHA512
a414cd9d7cf6a04709f3bdbef0295349b845a8301171ed6394e97b9993f35816383b958736c814f91c359a783cca86ee04802856486d4b4e0ab90a45da39db1d

Download Submit
C:\Program Files (x86)\Wion\System.Threading.dll
Filesize
82KB

MD5
32aa6e809d0ddb57806c6c23b584440e

SHA1
6bd651b9456f88a28f7054af475031afe52b7b64

SHA256
e8d1f5c422ee0ba3b235b22028ab92dc77c1ff9774edc0b940cad7224a30ba7d

SHA512
fe43b3d6ed5c37d59a44636d3c7522a88d83e6ec074bf69d3cbb6e5454fdd8f0523ea10fdf6fd452cbd0e2fc159cf9d03dfad6b30e80e400e7f1773b5a2e8632

Download Submit
C:\Program Files (x86)\Wion\System.Windows.Forms.dll
Filesize
12.9MB

MD5
a51632facb386d55cc3bc1f0822e4222

SHA1
59144c26183277304933fd8bb5da7d363fcc11fa

SHA256
efc52dbbef5202d9ff424d7adc6e2249b66450a5fd5414891776fc617b00123e

SHA512
2a8d8e2ee8168e6f79476616385320f463ebc161c7393db2b18a7d35ca0111c5100b83954c5eabfe32b12cac3dbfdc514271dde4cc4468dd26235eb7020d9c14

Download Submit
C:\Program Files (x86)\Wion\Wion.dll
Filesize
481KB

MD5
759516c5f6c5147ef3f08dd7360aeebb

SHA1
938c2059d3ad99169194a923df1ffc06dfea48ee

SHA256
8ed30da08296d1cb06158cea44ca66a68fe6a9a638e0b8ed091c2e5c90144053

SHA512
b8100c3524057b25c3a130071756db923e4660162eb3bbf1a8b91c51924a945180e1f8fa13b9f5a3410c5f554d19803ffb5af299ccc45e623450f852bb0711e2

Download Submit
C:\Program Files (x86)\Wion\Wion.exe
Filesize
325KB

MD5
a3b0d43a8ff20e26c1f6bb108dbde66f

SHA1
68f8a7e0f2eb77684cf83306cdf45ebfe302a305

SHA256
321b998ab7d8de02d0c59b2f1321ce18f7575aadac6fd74c3119f51cfcded46e

SHA512
bff9049430ab087f99cbcd25cf6454cd0b8720e811f8565ac62476ceb0a311dbb6849b25113d0f868696b3a6f6eebea37a19def23c5a43d26b81d3509cebc63f

Download Submit
C:\Program Files (x86)\Wion\clrjit.dll
Filesize
1.7MB

MD5
8b81a3f0521b10e9de59507fe8efd685

SHA1
0516ff331e09fbd88817d265ff9dd0b647f31acb

SHA256
0759c8129bc761fe039e1cacb92c643606591cb8149a2ed33ee16babc9768dcb

SHA512
ea11c04b92a76957dcebe9667bef1881fc9afa0f8c1547e23ada8125aa9e40d36e0efaf5749da346ba40c66da439cbd15bf98453e1f8dab4fe1efd5618fdc176

Download Submit
C:\Program Files (x86)\Wion\coreclr.dll
Filesize
4.8MB

MD5
9369162a572d150dca56c7ebcbb19285

SHA1
81ce4faeecbd9ba219411a6e61d3510aa90d971d

SHA256
871949a2ec19c183ccdacdea54c7b3e43c590eaf445e1b58817ee1cb3ce366d5

SHA512
1eb5eb2d90e3dd38023a3ae461f717837ce50c2f9fc5e882b0593ab81dae1748bdbb7b9b0c832451dfe3c1529f5e1894a451365b8c872a8c0a185b521dbcd16b

Download Submit
C:\Program Files (x86)\Wion\hostfxr.dll
Filesize
342KB

MD5
16532d13721ba4eac3ca60c29eefb16d

SHA1
f058d96f8e93b5291c07afdc1d891a8cc3edc9a0

SHA256
5aa15c6119b971742a7f824609739198a3c7c499370ed8b8df5a5942f69d9303

SHA512
9da30d469b4faed86a4bc62617b309f34e6bda66a3021b4a27d197d4bcb361f859c1a7c0aa2d16f0867ad93524b62a5f4e5ae5cf082da47fece87fc3d32ab100

Download Submit
C:\Program Files (x86)\Wion\hostpolicy.dll
Filesize
388KB

MD5
a7e9ed205cf16318d90734d184f220d0

SHA1
10de2d33e05728e409e254441e864590b77e9637

SHA256
02c8dbe7bf1999352fc561cb35b51c6a88c881a4223c478c91768fdaf8e47b62

SHA512
3ecbaf20946e27d924a38c5a2bf11bac7b678b8c4ebf6f436c923ea935982500e97f91d0e934b7fd6b1fc2a2fd34e7d7b31dbbe91314a218724b3b2fd64c4052

Download Submit
C:\Program Files (x86)\Wion\mscorrc.dll
Filesize
133KB

MD5
53e03d5e3bffa02fbc7fb1420ac8e858

SHA1
36c44c9ff39815aa167f341c286c5cd1514f771f

SHA256
23a433398be5135222ee14bb1de6334e7b22bad1a38664a83f1cf19dfbddd960

SHA512
f6aca16b90f6b4efa413dc9a8f1d05e83c1e3791b2cb988f9bce69d5272a0077c1edcae4111a494d166b5e3ab4e25956dead4e93ee1e43417c2b7bb082292170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize
200KB

MD5
a484f2f3418f65b8214cbcd3e4a31057

SHA1
5c002c51b67db40f88b6895a5d5caa67608a65ce

SHA256
79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6

SHA512
0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
3c7159f79e4f0e57dda9ad73a0b01891

SHA1
83d1a2b82d1764920f8be0bc47f76983cf68c1d7

SHA256
3dbc26db20a33546c2d175c773c3e0d3f32a1de1baeed00dd42d0079c8a4d811

SHA512
02fe842e5329903f92d4d15539e669c3d0a91c98ab462275b2b524332f4cd5646551166de95b22812373e13f34a881a9891e7838c9db804caf734533a094a85c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
41ad0111acaed3a7f955bbcba7c2eece

SHA1
caaa11bff198bcc79ad43e0335ce824e4495d16c

SHA256
440c32a953f74fc68962d98d4f49ecad3f4748d8b0601bdb9ffed66d1a7c2425

SHA512
2111c8af2ecbbd553b7795e50f1f840ad277b033dbd7cd750bdf6e5d239b698c2fcca59cdbd9f32b307214d04e46119d8b72a7593d151b6e873dd494a28cd5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8a9348bcb9bf90972c3bd58b4a25d4fc

SHA1
8d602f55f12668ca0c4d8882a75ca3862124b127

SHA256
1c826607cdc92c45a0c0ec02c4ca7e75fd27ea168c557e94a14cc6d5fef8007e

SHA512
eae6ca886813678da2eaacde70d2c3f540e46dd3ee802e1a04ac1e098d870e8cd4d608317373ee33e3290798ff4862c9b6c5d1390fc1a5ea63a0ab7e91df823f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
535B

MD5
fa153db73b05646ef7f4c32d44ca76f0

SHA1
16168e993132f0e5adbc6cd8695de94c6eab2cb0

SHA256
b80b4ffa190286fa87ee1ead502cd5419b52551ffebce604dbf6398d7321f92e

SHA512
4f1bdee1b169ebb0806880f4d9c9fd1f887962010bfd740d3da3a48ad6668a6b09fb62b8acda71b74b693bbfa20351594c398d2c0a910cae21e686023399b708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
869B

MD5
2165455f30b77d4a8f3950fc036864f8

SHA1
61149445a6a59b3616b127a38b20441ffec1b159

SHA256
f90c139bf6cef45540a6a957c69ca3f149cb61c973c460ff9b4de4d56802f597

SHA512
f41975c8cde3e11faee344c29bc934a4a1b6c3c7304f06ecf71a17b7b41f17a535c77f9fea8369d1e0b0c396c53aafe6a7b8ea125698410349a77c40c3b81271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b2b77978bd2611b51ffb315091412778

SHA1
c11bf86ad8b3d34f91b97ebe789d37763a9d651a

SHA256
aaa1bafc83b0d212d6d5ffdcd02a8e4214d0b05735fa295ebd713d99e0bf2f9c

SHA512
c4c5234e9fca54acf0ac35266c9421423506cecf208b82b225ff0dcd7d805a69a60624bcc25899030d14ba6999f4ddda2808d0ba9814d3373178cee723e39312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0b5108d11307e14ff4e3cdf40ed9ef44

SHA1
697dd975db24c9763c1d7738b903aa084d51c223

SHA256
6d0706aab5713bfb26a66d32dd64f9ebba2c9dc1f607fd8f4b17de84a7a3a5b9

SHA512
675dfabc77ec9d93839298ec4d2bdb537e201a6dea65d5732a00a4ea12a697547112a813cd51d1541ebb6ce901b44021201a44d4ada1c157af389e04e0a4800a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0cb023698bd33eb1039ad8775ca75d0b

SHA1
349e2e6a58ef82f0d4a95e3091c74f24add637e5

SHA256
58b7f8f655e9eadb1e037eae2bfcad4847f893881ac3f7c8478edeca52fb0286

SHA512
cc35e8ce7c9f6a2348314ab4503bf6afa147acb3d7564304ec563f59cf221956c6295e2bb2533800e259d3eb82392106f54cb068d78f6bbead1acfde4ff10c8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
11514b402fc63f900e037412de0127e8

SHA1
49938912f19829f0eade571183cc8b23b4e194cb

SHA256
96e78c214de45bbb49eab1b40a58b9e14894401d09b814ff355367f95b7f6cae

SHA512
d54fcdd163078a3fdd41984e82f8f6c22496160f2509915a3f0228d8c15122a69fb9cbb1e40aad49766ed8ed7aedebca2b9e3607d0c02084f22d503b810d1312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
200699988b0325fded78b1168331e09f

SHA1
8ccc6acd19a53adc41278a84176880abf22bbbc9

SHA256
8f20258f754941ad8ced7f5f329f77f4f63c7a893c16eedd8a8be4e125204da8

SHA512
9b53c89c854d01ed57196b27846acd8ffe2069e24422dfd7b32c8a48de4aac15ba7a3977281cd263f115deae16a0ba8cb2f18f27eed0d43c29976e9b59bc298e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
565f95820ad982560d7aab6176557da2

SHA1
f86391b8ce8d60de5c6952304f2506ff6ee5cd8b

SHA256
a4eca5927aaad8f98843b52d2475113b4304dc17f41a74681e247399e0654163

SHA512
d387ea8a24e24ba1a1ebaca79fa5c4e273ae9df12874f865744dbb17e815a3c192c6c1d00490d86f2bbe03e64f082b4914ba8a2fcc860309c10c9f9c0b75cd28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0ce12f8013906b7defbe72640bafdf61

SHA1
44a809604415d70cb76c24cd51456112d4f8c2c4

SHA256
8f28d3277d6953e275f5ce2aa8df0b4ac7dad0e47eb52452aee1b4040ca7b760

SHA512
44555a524d4de738f1bc051d89e2985823c635329139f5ebb71e3bb5840f738393d68d698d2e4d549728bb92b5a4adf78f8a3102a7ef33cc3f86a4afb0cad979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5360b8cf83db65a334052b018c769269

SHA1
49641cb4a0cec9033c0fd2ab883e18186313181e

SHA256
b2c2ac86371379bb3b523bb2f77609b0beefcc91017c919fe0e36c7ce81489ec

SHA512
ed8a645623d0a37deed8d4d39633d58d57117a44af6ecb29c6ffc3c37aeb105f2b1a77898a5097276464ea4cc96dc96bcad29a55d6251a85e23c2e69bad3bffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b7c600e214482b016eb750db3b5d668f

SHA1
72bb8845728004876067cf3fa9456166853d0ec8

SHA256
514cc325b59fa4a14969cd529496228f4a6112b0dccc00f2c937b468e342ff08

SHA512
3279e6b432ec8d4d021abdece5e57d86af3055e1182b961e75a939cb3c9d8b9a180f91d11b1073e2493bbf37156b180910545d27114713887a3e3200abc7e51a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
7311f814d2552a8d9f09e16735904ecc

SHA1
c789d5cf78b4da2992c343d6ce4405183644dfe7

SHA256
20d8444bf68e396cf1a3f210bb58feb1dd8b1aa0d7616851abce91e6b6bcc5da

SHA512
97930c396f7bc88a358ef8c95c07ae43aaf4ab8719680f685c1fd99cce0817350b54f44d5845b8ecadc4fc19db3b7a516b5de331356f9514b9867b9e35443bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
ff7d3f620d59f90cf2064f64c0ad4e0a

SHA1
54eb5aeec7f179bc68f9798c4e395f976a0a0875

SHA256
f8c03da6aaa7326747b356906fbc3f357bb39ae2f55bc146b0313c51b4fb4d45

SHA512
9a72349087efc19fa009a87974934c2dbce56195e283c8af68fb9585a0ae5ae69117c3b90a1ab089394839ddf1c406744bb5a96026127aabd1f43138c8713d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
085e907dcbbd7ba2750f80e0c7e1479d

SHA1
1e812c5d6e9a23f52c2339849308b36e5992f159

SHA256
67f119aad16c7319f0476905314909fc6511f0b8a39f0b3bae27389f2aa66992

SHA512
2ef7e1897a858dacf759e5794badd4e502a01237c581324d7b43d3061e2384d26495d66ac72af85d0da126cf7dcc3bc8601a36e9a36158e58242e655f7d4cca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
96KB

MD5
4c3cadcc8d4cfe1a77d45354a893a9e1

SHA1
3ab5fbbd70528c3a99322318d0721d63323d0e30

SHA256
05013dd896fbd79cb5d20aaa95dddf7372fb5f76684c297b81b5dc8f1a891b37

SHA512
29df2901a2de152b791351a55b9194e867a2135cbf1924c26a4e608e265f25858f74b81df4c325c79d20789bfe1d0ef6c05dee60b26fdede29badf656d5d228a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
4a423b5a8e4c3b9685e61e43e16c87c7

SHA1
2912e74ac120766d43208fe9a5d2ae8449e63e13

SHA256
e2dbaf34424a478dc04cc57acc0aea5a3d197753a416d3695544ab867f1b9fe1

SHA512
cf285e3ddd58813e2e23656c23d6621f4a9ce1434dffed2d5d7e02ceed69ea9e26bdfee551889ab9c9bb41fd38f6f604dec4a51d985aa9cd243b0eb8fb78571c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
110KB

MD5
bd87213699ccd579c704f580196fba30

SHA1
9386b775ca30d49ba7b0e18d5b90c671416803aa

SHA256
17fefd4bf289aca712571114f468afb97839b05c578f7642ea074dd0e55fe008

SHA512
3a9ac20da548322ac6c603bfe7074eacef3bd934ce21a769969e58460933b0fd499ef985fbd3aeaab3e148b4b7f42c4395b53abb25968367daff37d5ca25c132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58f43e.TMP
Filesize
94KB

MD5
8dd3fa1b1c6284dd2a03f5dfaba6bb96

SHA1
3168672a40312bde4ac455cc8f1f5c5beae31eba

SHA256
09baa5d48b36347602a9e010779a5e62240bc63e49434615202ecbdabc5f1efb

SHA512
7ff66adc9f81d9421af54078d5a9781a521e1fba1af9d04bc1fb081fbf76f1d66455292e9d75388fd847ac9c5757a0b48d10b8f5d46541dc8f1caeac8b84b3a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uesj3tty.zae.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCCCE.tmp\InstallOptions.dll
Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCCCE.tmp\LangDLL.dll
Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCCCE.tmp\System.dll
Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCCCE.tmp\ioSpecial.ini
Filesize
1KB

MD5
d94334f9b3f149bd3b93af78e5025dd7

SHA1
1006e6ddc5072c4665ceaaa9f5a2546fb4c2bbb3

SHA256
1b7b64ade61584963d108abd887fcb0d9631ea99f95e179d437b78e946f01f4f

SHA512
093b7534d3a29a187e1298b2111dbb21aba35f7709f0ff8335e8bf7811ee06f39691fce129b825e4cd2ce67ea2184e83a86b2f7d9aa2038fd57794acf64bf68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCCCE.tmp\ioSpecial.ini
Filesize
1KB

MD5
67597ab8ddb06bc9411a7bb1158ab03b

SHA1
0c0357ea799d9d7081c989d4209fe7c2507c6fc3

SHA256
878773d1ec605c638a08e8482bb6f4d02ee42f81b62ecbd4ed274680fd13f020

SHA512
355dcf26cde474dc22b9433f6ebe4f45f4fba3617e7faae3cbb32a0232ac8dd23b776d30ac9dc9c31f944263184e205ff6e0a55cf8b16daa9df43ebdf4a8e87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseCCCE.tmp\ioSpecial.ini
Filesize
1KB

MD5
0266e350bf4f18f9c9de2cd67f166b8c

SHA1
82fddf1c9568e20698b436ba266e8b832aeb4132

SHA256
1b8c0e806023ae76d5564f47eeb26e8e64d0b0d019e765911ba0dce27a47a929

SHA512
2fb301b85363a028dc4351ff0ba978718b8276899f2041958ced0a1379075e7c26d33068c4a5c6ec3df37e8ce24043e47149ae1c8c30d0aa1bc534b17c88d479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Wion Setup.exe
Filesize
47.5MB

MD5
13e83a0ea9806d43c60db4a09ff31bee

SHA1
b6a06d7af03707545ea528654094d1d2843f06b5

SHA256
67900fd8ba19d8be310f7db1a55073da24a4ba8b719c50520840fc77e571216b

SHA512
f341f5ff3cb565e9ce6c1c7ce4b2c3c305f40fe98781748ad74a6cf9d621e258eae6ff02be097255055cf5f366867830cf0ab850e78be9102f5c1516bf850ec5

Download Submit
\??\pipe\crashpad_4888_IWQXACMMIKEDPXHO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1612-1136-0x0000000000E30000-0x0000000000FCF000-memory.dmp

Filesize
1.6MB

Download
memory/1612-1124-0x00000000774A0000-0x00000000776B5000-memory.dmp

Filesize
2.1MB

Download
memory/1612-1122-0x00007FFB09050000-0x00007FFB09245000-memory.dmp

Filesize
2.0MB

Download
memory/1612-1121-0x00000000042F0000-0x00000000046F0000-memory.dmp

Filesize
4.0MB

Download
memory/1612-1120-0x00000000042F0000-0x00000000046F0000-memory.dmp

Filesize
4.0MB

Download
memory/2148-949-0x0000028673440000-0x0000028673462000-memory.dmp

Filesize
136KB

Download
memory/3556-1135-0x00000000774A0000-0x00000000776B5000-memory.dmp

Filesize
2.1MB

Download
memory/3556-1133-0x00007FFB09050000-0x00007FFB09245000-memory.dmp

Filesize
2.0MB

Download
memory/3556-1132-0x00000000026A0000-0x0000000002AA0000-memory.dmp

Filesize
4.0MB

Download
memory/3556-1125-0x00000000007A0000-0x00000000007A9000-memory.dmp

Filesize
36KB

Download
memory/3580-1021-0x00007FFB09050000-0x00007FFB09245000-memory.dmp

Filesize
2.0MB

Download
memory/3580-1020-0x0000000073C60000-0x0000000073DDB000-memory.dmp

Filesize
1.5MB

Download
memory/3684-1045-0x0000000073C60000-0x0000000073DDB000-memory.dmp

Filesize
1.5MB

Download
memory/3684-1035-0x00007FFB09050000-0x00007FFB09245000-memory.dmp

Filesize
2.0MB

Download
memory/3736-1031-0x0000000073C60000-0x0000000073DDB000-memory.dmp

Filesize
1.5MB

Download
memory/3736-994-0x0000000000400000-0x0000000001636000-memory.dmp

Filesize
18.2MB

Download
memory/3736-1004-0x0000000000400000-0x0000000001636000-memory.dmp

Filesize
18.2MB

Download
memory/3736-1005-0x0000000073C60000-0x0000000073DDB000-memory.dmp

Filesize
1.5MB

Download
memory/3736-1008-0x0000000073C60000-0x0000000073DDB000-memory.dmp

Filesize
1.5MB

Download
memory/3736-1006-0x00007FFB09050000-0x00007FFB09245000-memory.dmp

Filesize
2.0MB

Download
memory/4012-1029-0x0000000073C60000-0x0000000073DDB000-memory.dmp

Filesize
1.5MB

Download
memory/4012-1033-0x0000000073C60000-0x0000000073DDB000-memory.dmp

Filesize
1.5MB

Download
memory/4012-1030-0x00007FFB09050000-0x00007FFB09245000-memory.dmp

Filesize
2.0MB

Download
memory/4016-1053-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4016-1047-0x0000000001000000-0x000000000123D000-memory.dmp

Filesize
2.2MB

Download
memory/4016-1048-0x00007FFB09050000-0x00007FFB09245000-memory.dmp

Filesize
2.0MB

Download
memory/4016-1049-0x0000000001000000-0x000000000123D000-memory.dmp

Filesize
2.2MB

Download
memory/4016-1052-0x0000000001000000-0x000000000123D000-memory.dmp

Filesize
2.2MB

Download
memory/4016-1118-0x0000000001000000-0x000000000123D000-memory.dmp

Filesize
2.2MB

Download
memory/4016-1117-0x0000000001000000-0x000000000123D000-memory.dmp

Filesize
2.2MB

Download