f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Resubmissions

13-05-2024 05:37

240513-ga48zsdb59 6

13-05-2024 04:09

240513-erblwscg83 6

10-05-2024 08:25

240510-kbge4aga52 6

Analysis

max time kernel
1799s
max time network
1695s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
13-05-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

nemu-downloader.exe

description ioc process

File opened (read-only) \??\F: nemu-downloader.exe
Executes dropped EXE 6 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exe7z.exeHyperVChecker.exeHyperVChecker.exe

pid process

4236 nemu-downloader.exe
2772 ColaBoxChecker.exe
4840 HyperVChecker.exe
3188 7z.exe
3332 HyperVChecker.exe
4796 HyperVChecker.exe
Loads dropped DLL 1 IoCs

Processes:

7z.exe

pid process

3188 7z.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\F:	nemu-downloader.exe

pid	process
3188	7z.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600470781745213"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

nemu-downloader.exemsedge.exemsedge.exechrome.exechrome.exe

pid	process
4236	nemu-downloader.exe
4236	nemu-downloader.exe
4236	nemu-downloader.exe
4236	nemu-downloader.exe
3504	msedge.exe
3504	msedge.exe
2064	msedge.exe
2064	msedge.exe
2300	chrome.exe
2300	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

648
648
648
648

pid	process
648
648
648
648

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exechrome.exe

pid	process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7z.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	3188	7z.exe
Token: 35	3188	7z.exe
Token: SeSecurityPrivilege	3188	7z.exe
Token: SeSecurityPrivilege	3188	7z.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe
Token: SeShutdownPrivilege	2300	chrome.exe
Token: SeCreatePagefilePrivilege	2300	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exechrome.exe

pid	process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe
2300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exenemu-downloader.exemsedge.exe

description	pid	process	target process
PID 1912 wrote to memory of 4236	1912	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe	nemu-downloader.exe
PID 1912 wrote to memory of 4236	1912	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe	nemu-downloader.exe
PID 1912 wrote to memory of 4236	1912	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe	nemu-downloader.exe
PID 4236 wrote to memory of 2772	4236	nemu-downloader.exe	ColaBoxChecker.exe
PID 4236 wrote to memory of 2772	4236	nemu-downloader.exe	ColaBoxChecker.exe
PID 4236 wrote to memory of 2772	4236	nemu-downloader.exe	ColaBoxChecker.exe
PID 4236 wrote to memory of 4840	4236	nemu-downloader.exe	HyperVChecker.exe
PID 4236 wrote to memory of 4840	4236	nemu-downloader.exe	HyperVChecker.exe
PID 4236 wrote to memory of 3188	4236	nemu-downloader.exe	7z.exe
PID 4236 wrote to memory of 3188	4236	nemu-downloader.exe	7z.exe
PID 4236 wrote to memory of 3188	4236	nemu-downloader.exe	7z.exe
PID 4236 wrote to memory of 3332	4236	nemu-downloader.exe	HyperVChecker.exe
PID 4236 wrote to memory of 3332	4236	nemu-downloader.exe	HyperVChecker.exe
PID 4236 wrote to memory of 4796	4236	nemu-downloader.exe	HyperVChecker.exe
PID 4236 wrote to memory of 4796	4236	nemu-downloader.exe	HyperVChecker.exe
PID 3504 wrote to memory of 3096	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 3096	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2904	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2064	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 2064	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 4880	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 4880	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 4880	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 4880	3504	msedge.exe	msedge.exe
PID 3504 wrote to memory of 4880	3504	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\7z7895D778\nemu-downloader.exe
C:\Users\Admin\AppData\Local\Temp\7z7895D778\nemu-downloader.exe
2⤵
- Enumerates connected drives
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\7z7895D778\ColaBoxChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7895D778\ColaBoxChecker.exe" checker /baseboard
3⤵
- Executes dropped EXE
PID:2772

C:\Users\Admin\AppData\Local\Temp\7z7895D778\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7895D778\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:4840

C:\Users\Admin\AppData\Local\Temp\7z7895D778\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z7895D778\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Local\Temp\7z7895D778\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7895D778\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:3332

C:\Users\Admin\AppData\Local\Temp\7z7895D778\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7895D778\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6903cb8,0x7ffaf6903cc8,0x7ffaf6903cd8
2⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,16809009568235145625,13352708589580906399,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
2⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,16809009568235145625,13352708589580906399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,16809009568235145625,13352708589580906399,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
2⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16809009568235145625,13352708589580906399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16809009568235145625,13352708589580906399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16809009568235145625,13352708589580906399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,16809009568235145625,13352708589580906399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf67bab58,0x7ffaf67bab68,0x7ffaf67bab78
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:2
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4200 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4496 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4728 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4068 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5204 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4372 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5220 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2660 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5524 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5772 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4780 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5864 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5768 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6016 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6176 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6332 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6900 --field-trial-handle=1844,i,8901571275522149023,17990611037890333062,131072 /prefetch:1
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3140

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004C8
1⤵
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7a924cbf0412e1de06b0e38590ecb6a6

SHA1
db32fdf7c23f28a2fd3350dbd94ee25ce78b615c

SHA256
6ae5ffbda60d117944970cb446612309126b1f131f52f904847281ed4fcb8e54

SHA512
7feef2199bf9003eed113aefd0d28f0cd359e26daf9bde23d918a39af0a9815c641c3befb1650b86cd121bf98d3b899c852cf81a89dc1e416ee3f7a423fc86c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
9631b3bb6081e61a0f48e9e7e495122e

SHA1
2068b1115494451d52eec10d723ec0912b1ef6c0

SHA256
e961049e286433a267ce9c8507862b8a8c3549c7f871538e7c0da70b0c11358a

SHA512
837bc00a02ca4922c6f5d2ebf7513afdb54616589ee3bb75f59f0101a0bde9f859db235f7fac509343e06351260767d5ab6e75a4b8825d7f814a7550fde660b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aa73d3e50a62c3c0ea70071adfeb72f4

SHA1
a726a1d2d4f89c4b77f5668978e114e88ae70c57

SHA256
fb299169a6ba81a32f2e53efb9da7259a807c7558e482df922e73575b9661309

SHA512
9403ec1784c8bb534de08940414a7a45a34bfbd9bf43d701596be00246f588bece2093caba29aea97d6131873c286f4e9daad5b32d941acd03809cffb622a057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bd363399a293a0ff238953dfd453cbf4

SHA1
a3384cdbb0170a3fa0958d444df7f7e5f9676c21

SHA256
595e11511bffd94a64561742af444e355edf4187dad0c3ffbcb89da19004bad9

SHA512
b96fa18682afb0fc72ab1839d5a0d14009f8a25f9ccad6d4b8e5d4233ab1986fef1b2bd48ae42430a7a966955ba554ae6a48590f00df07ec75eb80ff8ee1d720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
48f2b532992cd4060963cf63514a9741

SHA1
683afbd123ca6242d444bc204e1e0df21d23d42f

SHA256
6c5f85f8e82cb30d2672b5e5a07aaad78a772d4655639f0dd821ba0986d54f99

SHA512
ee45d0de0d2166af77632da23271e171de11cef66b1bff99714bca55fb07d18c569073d4d5ff972cac2d37d53816a44388f8f17d97b9bc2825f0a9c9699640e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
82a62c3060470284b386597d8bc28b76

SHA1
68ff2732ef4149cc3044f3321c4275fb01d8b13f

SHA256
908de2d5e31bb3d81cac3645969613bb745e1bdb8ea58da6713bfe3e7c31cc7e

SHA512
b2feb60a9583ee5d8c6fc4a2a284848af2ea294647060465bec9786068aedb086e54f90451f758faf65ad4cb2890b5fecb175b33d8695799d97a330141ce6282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fcf9338000f1df05e50d6bf60fb00d40

SHA1
7c1ecc5b76078a569141b39cdacd58c6c2ae0556

SHA256
c2cbd44554c7a9cb3be979c323db3f35cf9e10cd9082dcd1a66cb5e8c0cfb327

SHA512
afb88b971d162fca4e550540972923599c524d9e02df20d43f39410e3b8c6248865f5c9940b8ce3d7925d7d1c751547a5e2d55c0c1e6e71d15204cc46cb59b7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
e42b65442efcbaec78653ee44b7650ec

SHA1
c0f4708763501b359cbb115d00d4c813782ef550

SHA256
59a49fcc2c8b9a7cb0005305fd4d8ebdb99547c1975d6f89369b5d437a8d58d5

SHA512
40915aa5cd288a46735366169e4ce1e0ae4d70d89d0a4e16a91ab468bfa3d157520c3b490dd0746dc58cc05d8fb2564a11c36ba13e1ae1c4e692d1ce289fd5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
5604af05b6eaad6e7d08bebd2fbd5913

SHA1
3b16e748e097dcf0c4a14de53708a1ebf1162670

SHA256
07d9a9159200685e4690000b903df48dec87a2398b7b454ca9194b340c97bfef

SHA512
ea89fa25653baae6abb7d3a1df77b37222315ffb1fd82c22259873d3dda518daa15ce1d5af518e8e41120413665c2e8c698d17cd0929895434f3334cb5958e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
c2fe6bf2f894ff60943d9fe935f0c64e

SHA1
b1d5dbf76dab836cf03f510e94c930327c588297

SHA256
1385791179a21a432dd3f92b2a6f674db06074cae4b5c98962111e465a3cbba4

SHA512
8dd976e6ce6d563fc8deef81e85606f737b3ae6f49f7bfcec778e596ff12770e245f2b143d2e4e0252c770717f10b3b443087bd8e53701c1b815cdd3537a0a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
56a4b372ec0504ae6dcaad80a7119ef4

SHA1
08ae45406a32cfac1a9d8addd9df9dea33405925

SHA256
6e147a7d26d35e0e3fee2c24ede8191b267635d6cf7fb1b875e8b83dd9d2e0e9

SHA512
8e797eaea1a926b8b30584202098f149247ce6d1a230583d3dde2f2c45cdb5fee40d95a75b79ef5c1929781be785e5afce39c6d9e8f928b732343cd8ff3fee27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
0bd89f2df4ef9bd43a247982239052c2

SHA1
0de4f4b42a6a759f8c53aa95fc14e0f7437f9ed0

SHA256
89b3bfb31d1da90500d3465ed1928dfcb0867a0e8eaacec811e2d636f522db6b

SHA512
e768656190d7b2840114c42f135126c5551799d7dfb23eabb923ac866825d57eda597bcc27a730472cb900e7dc560a77b6bb9a4115d0f38c7a303cee6f2a4a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
aa6c8a271c5fff05004a0fa46053b70b

SHA1
a5b0f32e49d96c3c46b052abc302a0e9d9db22c1

SHA256
8390a1731f5fc7ee2faf51162da140f359428f01240662ed30ddfca4341b7bfb

SHA512
c61d139b2dc4a5fb4f4d9bd68cd16059d94c7390021ff0d2a4cbabe362786417c3b85846ba97e5d036a6ebf39fb3c4d0b2b265a537182aad41a9b609f173d264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
66cc184415681846d53b65addb43dcd7

SHA1
9a6f6ae2369a17369029e5e9f8e4b1085d684035

SHA256
f441b6ffdeb0afe6e40c2c6991c886228e28f029b0c7ac4c9fd8cdc81511c6d4

SHA512
ff51665863459451fc5f9af5ccbb908c0318df0f3584aa89ec20655a0feebd4038fb396dee72091112c981ff32ebf8f9a1a60d936b372243ce1576637c12a533

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
591c8613f9ca55dfbb2d547f7d71b2bb

SHA1
b573b0e4c41f4f707ff16862c699c80b01517e58

SHA256
97672f089c5b0e28174cbd65ed1568f8dd9a00eec8b83061ef2c3fb6ff26b603

SHA512
65ad04dfe7c448a4184926ba11c09aed655927ecdde97d0df800bc8bb9a4e6e0e4a41e0a8c047e9c3864ad03ff57f9734fd1b2c098ca302c9406ce147a015795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
2a5036d22b8ecd9d460894d4fbc6f257

SHA1
204154a1b8b0e1f8dcb23b5b8be0486fcb5e910e

SHA256
b38a662871bbf8c5649f2d7a9e1d5e425e245cae056a405224cf33a0c9a1f80f

SHA512
81bc52bd1218a60eae678fca27a9a2b8ef54e3d1f761b68b42308849b106f6528581c1ffb149754380563ef48676e5f34e9283c2031e24e40bf67ec4d2d9c3fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
88KB

MD5
c5b5a9944d1c55d8cd3babebef8c69c4

SHA1
2ef85dd447315f515bff5d1bb9696925ea457511

SHA256
06eaf912063e522738f6f3912715641a99e8be24f56bde67212225880ed40f3f

SHA512
dfd768b0b751ee56348e28a124047684abdcf30f1b003b96743d952d2c21d806d6c463b523a83734001352da1c95b64d33ef4c264995ba73353895b908077dc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
86KB

MD5
255671ec10cd4b9b8882ef5df96764f4

SHA1
1ae596140f1e78af1f9e71ef641dd83a1aab9f0a

SHA256
91d52887ab994b4b701b1785a135bd69832a211b29985267bfd9a218b5d940f3

SHA512
437f29a2172ed63654cc17d99727cd0cbfd484c4096755d2267d2d1b2ef0d3c89670bd5342328131f8b67712cb81f853ab2e5db3af7e1209469025e4a082c7e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580fca.TMP

Filesize
83KB

MD5
439f267f5e3a6ffc62fbf3c384aafe41

SHA1
a010613f8e1178ec24779b037ab4fb928630a5a4

SHA256
6482aebbb6729bfcc7eb5c590556a62f9120af0f11718ecceb780304009f0526

SHA512
93f83dfd26ee5e6e8779aa7aa3a4e641653bad5732a121bc9893e61683698320cd4bfd76cbfef1680d6f8f3939e5435e2f77f65e5376a1d6a574a28ead073b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ce3e0fd5b425b305c306da0a6c8924b

SHA1
47d93d99a76ad23265b999c240170162e47ebb94

SHA256
027e2a5d9c2e75004ff808d993eae0b2bb81f87f8c47ed904344b1b2fb0ca056

SHA512
f88eaff01aa719fdd59c44c9c4e85d9d37b2356aee94ce5c10a347cd80d8fa470d90e092bee0bb0f7cc306272f4804eac0d29a2771bc64a383a5462fe2d4b3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c3e92823d19d8290a43152aad1c0bdec

SHA1
0e55e56b3f18f1824298597506b2bc4c7a24ad76

SHA256
a457e638fa28d933a08d3be84003484a1ec5bf008135e25b36d85875feaf260b

SHA512
9aa745e2ff080d87bba766574a0caa344d5c6ddfe65284cf010612e8fdbd33015e8d43f048069b4d5c69dfb1392261b57dc6c2664f2159c224bded9c003c4132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2de5355d917a944afd65d5a863f69cfd

SHA1
b409f0a8cc37e468defaffebc0588d95af5588c2

SHA256
c782a7b7b7846b200cad851e0f3b03817d1b8dbc142dfe71048940004f8d4b8c

SHA512
1bc39b13daea7fc93080a23e1e02bb5bef2552e3165cccc5805b10c4b751188113940db666daef5cf252a2a93f71a4d572d042de9303036c1f4fe746b9df9c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\7z.dll

Filesize
1.1MB

MD5
0ffa2bff9e56e6122aec80d3c1119d83

SHA1
09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

SHA256
609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

SHA512
42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\7z.exe

Filesize
292KB

MD5
97b382235264f18a53eff8e891997920

SHA1
cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

SHA256
bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

SHA512
1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\ColaBoxChecker.exe

Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\HyperVChecker.exe

Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\baseboard

Filesize
113B

MD5
4f678c0be76f9c7f4c0f33c73864d1e0

SHA1
5a1ba28b9942330172ff50da41f28271c7745c2e

SHA256
d8f28493750c84ca4f6d7ea1534fc49271eb2255873a87a0f80c87bc29c7ee42

SHA512
264ecf3353c4db43d63be5a0f279baf0ab34cc46658922776d1d15b4ff2a960d8999df64969a701aac33ab942b03cb762e6d091f599962f59ea4abc3d19c3e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\config.ini

Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\nemu-downloader.exe

Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\run-checker-log\baseboard-139348662662831800.log.log

Filesize
4KB

MD5
b9127e501c0e5dceaf4ad23ba10d8658

SHA1
8ac69a02bd7f29bd966e5e83e4c3cc46cd40d63b

SHA256
7b688aa9b86ba05486aa1db61c4d7629c6f8d3a65f51acd77aa687b33738a1a8

SHA512
20502abc75aa73fbc9e4ec36f470c4e972a9582fa7c36a07a66814ea36bcc20a3a5460bee775d2d16486eafa3cf9833e19debf20bb381a836bc4d54d76fe7bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7895D778\skin.zip

Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_3504_WSZBCKEKISLTZPFH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

pid	process
4236	nemu-downloader.exe
2772	ColaBoxChecker.exe
4840	HyperVChecker.exe
3188	7z.exe
3332	HyperVChecker.exe
4796	HyperVChecker.exe