b6bd2afa22c41c1cad9e6cd0c8afff369f471be8a9ce3c0756f2938a79fe8ef7

Analysis

max time kernel
67s
max time network
63s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08-05-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

netmarble_sololv_A_installer_80946.exe
Size

241KB
MD5

98c2e745ade2d1c1960cb2ae96d0246d
SHA1

ccd4e48f86ae18ab8bd4b7d8283b83c93874c32f
SHA256

b6bd2afa22c41c1cad9e6cd0c8afff369f471be8a9ce3c0756f2938a79fe8ef7
SHA512

43dc99620cf191cd2e6eb947db5330885cdc5481765259ada4509aedea8f041f1289df31215fe7774f1d576f389a73f42238004ac3a78ef47929921ca3ca98d4
SSDEEP

3072:abG7N2kDTHUpouAw9aXCvLIaSQmjWAKpQfRE9PdWlr2tvhOEA1RJCir86SrSrvgQ:abE/HU4aaXCTp8Iei9Fe2t0EyL+G

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	Netmarble Launcher.exe

Executes dropped EXE 5 IoCs

pid	Process
4112	Netmarble_Launcher_Setup_sololv_A.exe
5104	Netmarble Launcher.exe
3744	Netmarble Launcher.exe
1112	Netmarble Launcher.exe
2420	Netmarble Launcher.exe

Loads dropped DLL 23 IoCs

pid	Process
1468	netmarble_sololv_A_installer_80946.exe
1468	netmarble_sololv_A_installer_80946.exe
1468	netmarble_sololv_A_installer_80946.exe
1468	netmarble_sololv_A_installer_80946.exe
1468	netmarble_sololv_A_installer_80946.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
5104	Netmarble Launcher.exe
3744	Netmarble Launcher.exe
1112	Netmarble Launcher.exe
1112	Netmarble Launcher.exe
1112	Netmarble Launcher.exe
1112	Netmarble Launcher.exe
1112	Netmarble Launcher.exe
2420	Netmarble Launcher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\es.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\fr.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\index.js	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\LICENSE.txt	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\win\arm64\7za.exe	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\bn.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\chrome_100_percent.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ko.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\ro.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\x64	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\ml.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\pl.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\snapshot_blob.bin	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\chrome_100_percent.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\x64\7za	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\x64\do-build.sh	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\lv.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\x64\do-build.sh	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\d3dcompiler_47.dll	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\ffmpeg.dll	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ms.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\da.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\en-US.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\ja.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\mac	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\hi.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\kn.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\mac\arm64\7za	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\v8_context_snapshot.bin	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\bg.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ja.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ar.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\ro.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\am.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\arm64\7za	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\vi.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\lv.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\LICENSES.chromium.html	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\pt-PT.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\win	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\af.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\el.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\win\ia32\7za.exe	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\icudtl.dat	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\libEGL.dll	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\sk.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\resources.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\vk_swiftshader_icd.json	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\win\ia32\7za.exe	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\es-419.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\sr.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\win\x64\7za.exe	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\linux\arm64	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\fil.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\en-GB.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\ta.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\ffmpeg.dll	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\es.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\it.pak	Netmarble_Launcher_Setup_sololv_A.exe
File created	C:\Program Files\Netmarble\Netmarble Launcher\locales\lt.pak	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales	Netmarble_Launcher_Setup_sololv_A.exe
File opened for modification	C:\Program Files\Netmarble\Netmarble Launcher\locales\nl.pak	Netmarble_Launcher_Setup_sololv_A.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\netmarblelauncher\shell\open\command\ = "\"C:\\Program Files\\Netmarble\\Netmarble Launcher\\Netmarble Launcher.exe\" \"%1\""	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\netmarblelauncher	Netmarble Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\netmarblelauncher\URL Protocol	Netmarble Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\netmarblelauncher\ = "URL:netmarblelauncher"	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\netmarblelauncher\shell\open\command	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\netmarblelauncher\shell	Netmarble Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\netmarblelauncher\shell\open	Netmarble Launcher.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
4112	Netmarble_Launcher_Setup_sololv_A.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4112	Netmarble_Launcher_Setup_sololv_A.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeShutdownPrivilege	5104	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	5104	Netmarble Launcher.exe
Token: SeShutdownPrivilege	5104	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	5104	Netmarble Launcher.exe
Token: SeShutdownPrivilege	5104	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	5104	Netmarble Launcher.exe
Token: SeShutdownPrivilege	5104	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	5104	Netmarble Launcher.exe
Token: SeShutdownPrivilege	5104	Netmarble Launcher.exe
Token: SeCreatePagefilePrivilege	5104	Netmarble Launcher.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1468	netmarble_sololv_A_installer_80946.exe
1468	netmarble_sololv_A_installer_80946.exe
1468	netmarble_sololv_A_installer_80946.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4112	1468	netmarble_sololv_A_installer_80946.exe	73
PID 1468 wrote to memory of 4112	1468	netmarble_sololv_A_installer_80946.exe	73
PID 1468 wrote to memory of 4112	1468	netmarble_sololv_A_installer_80946.exe	73
PID 5104 wrote to memory of 3700	5104	Netmarble Launcher.exe	77
PID 5104 wrote to memory of 3700	5104	Netmarble Launcher.exe	77
PID 3700 wrote to memory of 2008	3700	cmd.exe	79
PID 3700 wrote to memory of 2008	3700	cmd.exe	79
PID 5104 wrote to memory of 3744	5104	Netmarble Launcher.exe	80
PID 5104 wrote to memory of 3744	5104	Netmarble Launcher.exe	80
PID 5104 wrote to memory of 4528	5104	Netmarble Launcher.exe	81
PID 5104 wrote to memory of 4528	5104	Netmarble Launcher.exe	81
PID 5104 wrote to memory of 2196	5104	Netmarble Launcher.exe	83
PID 5104 wrote to memory of 2196	5104	Netmarble Launcher.exe	83
PID 5104 wrote to memory of 3580	5104	Netmarble Launcher.exe	86
PID 5104 wrote to memory of 3580	5104	Netmarble Launcher.exe	86
PID 5104 wrote to memory of 3844	5104	Netmarble Launcher.exe	87
PID 5104 wrote to memory of 3844	5104	Netmarble Launcher.exe	87
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 1112	5104	Netmarble Launcher.exe	90
PID 5104 wrote to memory of 2420	5104	Netmarble Launcher.exe	91
PID 5104 wrote to memory of 2420	5104	Netmarble Launcher.exe	91

C:\Users\Admin\AppData\Local\Temp\netmarble_sololv_A_installer_80946.exe
"C:\Users\Admin\AppData\Local\Temp\netmarble_sololv_A_installer_80946.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\Netmarble_Launcher_Setup_sololv_A.exe
  C:\Users\Admin\AppData\Local\Temp\Netmarble_Launcher_Setup_sololv_A.exe --gameCode=sololv --buildCode=A
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112

C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --productcode=/Game/sololv --buildcode=A install
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2008
- C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
  "C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Netmarble Launcher" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Netmarble Launcher\Crashpad" --url=https://pnm_netmarble_com.bugsplat.com/post/electron/crash.php --annotation=_companyName=Netmarble "--annotation=_productName=Netmarble Launcher" --annotation=_version=0.4.3 --annotation=comments=globalExtra --annotation=email=4656ba34-07c1-472a-b573-7332b7c5a781 --annotation=key=real_0.4.3_Windows_NT_10.0.15063_win32 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=22.3.8 --initial-client-data=0x510,0x4c0,0x4d4,0x458,0x4cc,0x7ff792e42898,0x7ff792e428a8,0x7ff792e428b8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3744
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKCU\Software\Netmarble Corp" /f
  2⤵
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKCU\Software\Netmarble Corp" /v AppDrive /t REG_SZ /d "C:\Program Files\Netmarble\Netmarble Launcher" /f
  2⤵
  PID:3580
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe ADD "HKCU\Software\Netmarble Corp" /v GameDrive /t REG_SZ /d "C:\Program Files\Netmarble\Netmarble Game" /f
  2⤵
  PID:3844
- C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
  "C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Netmarble Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1940,i,850134253709146546,5294739276387509185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1112
- C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
  "C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Netmarble Launcher" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2016 --field-trial-handle=1940,i,850134253709146546,5294739276387509185,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Netmarble\Netmarble Launcher\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\icudtl.dat

Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\libegl.dll

Filesize
473KB

MD5
26e1758eb69012d9fbd6aee47b58ce1a

SHA1
6cb6d0b464df1a456895714a228ff091c774357b

SHA256
3de9cc3f187e51d80839c97d991f4c38bcd77e10dc7731e8d99ff8c2d1656bf4

SHA512
5a5227d9777bcfe974440a313793eb879df41d95c7113e3d3e325392343a5a4bab8d12220ba6e9acd54eea8060ea19f3ac2508cde9945bccbc9b23a448a2c534

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources.pak

Filesize
5.1MB

MD5
fb620332959ee6e46ac1c2a2f0e1b2d1

SHA1
eb18c735d187647c3c529932b8b80d9c9af09286

SHA256
66153f7b388503a9bab9df1fa157d3af88548bee264525694bca9a61ce3495e7

SHA512
1e5bfcac24a76ca8fae7b7fa5407f4eafeecfcda54726d66586f1171a7ba30cf76544d75aa44f1eb64b202e686ccd2c00c8cc0b24b249fc5c6c28c156cd03775

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar

Filesize
7.6MB

MD5
9fb3bc110c5e026ba3719164777bbed1

SHA1
b3cda36ea0f4bf0b829a9b8c3a1a9583119c160d

SHA256
bacb8aa893c3f31c676db2d73a8c97fb63b0f1d36e4ea34be2bf22848622b43f

SHA512
705048f359aff79732fdaef8ac7f65236f3f3ee1acb58d478ed929592c54f872b2d57ac77e6a7672af034e7a5ff521af4f2fb9305abc4b251b942fae0c93c276

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\index.js

Filesize
500B

MD5
9fe8a485038be54d687ad7dd9dff80d3

SHA1
76fc7b47a329b759539bca0b785ad41c083c29be

SHA256
48659f660a13b5fa01622f87dc8a5306ce7c232abf93b82a3b2f6e94c2cf5c86

SHA512
0f3b2ce074ede02079bdab4229f6d4ded5eb7ec64546c3b9f103114aabb35093fecfd04677a0a84d3691fb49bae8a6c5489cee946c7f5f4b86aec3e96434dfac

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar.unpacked\node_modules\7zip-bin\package.json

Filesize
244B

MD5
2a3677c6c6bba9a148bc83c2f145d136

SHA1
1b828bd2e2b4eaaed8e68821692a0bf87bdd54db

SHA256
acabcd4f1c0b7399de4c213e8fdfd5d064f29e278f94bd5b763d8ac8555e2c18

SHA512
907651c11e31ce7c8242c825033e168c04a185e4717d6c28b1c77a48317ef662419c833300198fc6292721299905d7fe32069307bcc5751e3192e50c3c26209b

Download Submit
C:\Program Files\Netmarble\Netmarble Launcher\v8_context_snapshot.bin

Filesize
471KB

MD5
031ea03da08fe1247280cfe781658791

SHA1
e91db50ad16b5a5fbbaf4118672d60b347ea6161

SHA256
c16dcec41919a6d2850214f2275824be8a97d8c5e694e2ec8dd7d16ab2d5015c

SHA512
b3d6f282761f8ab8760728ecb108f64741f6f3cd2a143813042ff63a3b6604fcfe7c1feabafb65f9f67906217edb5851f44605a34f7a50ed2058c25ce5efb30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfgampfe.xof.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json

Filesize
155B

MD5
b85f212649787a834d1d748f05560c3b

SHA1
fade895cf66441e24855806256912ddc013d273d

SHA256
e5fc4099d243e5f475a55ec682ac9201fbe87b4afa4bc20c8452790eec7ff72f

SHA512
977bdc1b5c8c377592ecdc6f4a339118183a73741c460a6c716dcb06ac2e8bd2fded255856cd385c8ee6523390cdd59623999779df498368652b4cf85c0611b1

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json

Filesize
53B

MD5
06b8473787d73b92a957864bcb621d47

SHA1
c823edae12e7fbcfd9418b2356d7753ddd6dd275

SHA256
cf606ee094d67d48a6bea98036e3b992b613ec20f90cdf424922878d3cb0f311

SHA512
db3cf4b08173e432b0ad13c7222d19a9d59450eb0fbfa1fa341cc85a2606d3c02029bbe8e6d75c316575556b9f2f57938aa77e9cdedff26a56ec060d8cf95fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-51922865315b0288

Filesize
89B

MD5
97a731fba0093bbb59cdd9188ea9a43d

SHA1
851ee120631a6dcd88a4c6fa23030d8e85f81de2

SHA256
8d05219fedb5ca90afb7fcc7dda0f06ad65abbc817cab44a7286fdaafcbd6b6e

SHA512
409ce37d91cef58edf6974a0f3797c95b2197bd615a01a1cb2ba263d263e675d8664ce6a3b37158f97ff77e3101a2ca9e0af8dba88d171e7bd6be66a830a2d99

Download Submit
C:\Users\Admin\AppData\Roaming\Netmarble Launcher\config.json.tmp-5192288750eea491

Filesize
202B

MD5
c06f47821b085a622315491e431213cd

SHA1
1b44467146618e542b0083457c1f1c8cf23938d0

SHA256
9d5a8cdc5034d604d279bccb86862f7127d0b86bc592f6c0975243b325c589c7

SHA512
e73dec9f219a02b62104430984bef74390fbf0900bb807c0f7fe473dad4cd84f3f867067eed9c335032637decd84b70689c6331bfb0a6496e9a33268c19f57b1

Download Submit
\Program Files\Netmarble\Netmarble Launcher\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
\Program Files\Netmarble\Netmarble Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
cf0ce44eeaeadb63f262dd1f9cc79b30

SHA1
f223d46b7dbd0694b17067430800e242c517c050

SHA256
cff733297361ff45090f0e0901a0e8c5a22ccf1ed2d22f7ef8025fa210e7d657

SHA512
cebb3ab59553fe4c2b96a72dc86cdc34a2b6d6380f57ffbfd3fbd16d55561ee9fc684b8839852e82b84e2063a9eb6a68b53ea8f67eaf74d356e9358dccead723

Download Submit
\Program Files\Netmarble\Netmarble Launcher\libGLESv2.dll

Filesize
7.2MB

MD5
71907c88b17a6e1d7917b9b504985c73

SHA1
111094effb16e84f2d035dfd93c9f63c89e7d6d5

SHA256
086c98136c102e9e1438539a9f42c50cf05b4cd1048e349daed173fc53da0964

SHA512
e99608d581f49d4f23e263de8e782d275c87fc11d56ff1d8db5d2192cd96341fb0b267f39fcd2e8746bdf02d49f7f3c3cc74a9dc6504e865f2d13e08c5677a70

Download Submit
\Program Files\Netmarble\Netmarble Launcher\vk_swiftshader.dll

Filesize
4.9MB

MD5
684b6d889559dc5d3485173fcc4f3659

SHA1
484a928d8f555671d19b49fe2557ae863dd76dd4

SHA256
ce16d8195d9851d521e012e3a0ed3d19474d53fdde27752a67ff1760e16bf3ad

SHA512
5fe6707a7af0b7865f87af0d7960f6d278900c7d185d1a2e150a2f37ff3c008674947629bb68195bd668d64a7a1d9cbce024504992eafe4abc48cab4fe215627

Download Submit
\Users\Admin\AppData\Local\Temp\nse437D.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nse437D.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nse437D.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nse437D.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nse437D.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nse437D.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
\Users\Admin\AppData\Local\Temp\nsj83A8.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/1112-572-0x00007FFA7CE50000-0x00007FFA7CE51000-memory.dmp

Filesize
4KB

Download
memory/2196-508-0x000001DD4A8B0000-0x000001DD4A926000-memory.dmp

Filesize
472KB

Download
memory/2196-497-0x000001DD4A3D0000-0x000001DD4A40C000-memory.dmp

Filesize
240KB

Download
memory/2196-470-0x000001DD32200000-0x000001DD32222000-memory.dmp

Filesize
136KB

Download