f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Analysis

max time kernel
149s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16-06-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exeHyperVChecker.exe7z.exe7z.exe

pid process

2020 nemu-downloader.exe
4916 ColaBoxChecker.exe
2236 HyperVChecker.exe
8 HyperVChecker.exe
3592 7z.exe
1816 7z.exe
Loads dropped DLL 2 IoCs

Processes:

7z.exe7z.exe

pid process

3592 7z.exe
1816 7z.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2020	nemu-downloader.exe
4916	ColaBoxChecker.exe
2236	HyperVChecker.exe
8	HyperVChecker.exe
3592	7z.exe
1816	7z.exe

pid	process
3592	7z.exe
1816	7z.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629944759788819"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exenemu-downloader.exechrome.exe

pid	process
1380	chrome.exe
1380	chrome.exe
2020	nemu-downloader.exe
2020	nemu-downloader.exe
2020	nemu-downloader.exe
2020	nemu-downloader.exe
1380	chrome.exe
1380	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

680
680
680
680

pid	process
680
680
680
680

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7z.exe7z.exe

description	pid	process
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeRestorePrivilege	3592	7z.exe
Token: 35	3592	7z.exe
Token: SeSecurityPrivilege	3592	7z.exe
Token: SeSecurityPrivilege	3592	7z.exe
Token: SeRestorePrivilege	1816	7z.exe
Token: 35	1816	7z.exe
Token: SeSecurityPrivilege	1816	7z.exe
Token: SeSecurityPrivilege	1816	7z.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exechrome.exe

description	pid	process	target process
PID 1832 wrote to memory of 2020	1832	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 1832 wrote to memory of 2020	1832	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 1832 wrote to memory of 2020	1832	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 1380 wrote to memory of 444	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 444	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4204	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4568	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 4568	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 1408	1380	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\7z72DE5728\nemu-downloader.exe
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\nemu-downloader.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Users\Admin\AppData\Local\Temp\7z72DE5728\ColaBoxChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z72DE5728\ColaBoxChecker.exe" checker /baseboard
3⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\AppData\Local\Temp\7z72DE5728\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z72DE5728\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\AppData\Local\Temp\7z72DE5728\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z72DE5728\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\7z72DE5728\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z72DE5728\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Users\Admin\AppData\Local\Temp\7z72DE5728\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z72DE5728\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd2e21ab58,0x7ffd2e21ab68,0x7ffd2e21ab78
2⤵
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:2
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3496 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:8
2⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4916 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4700 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4228 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3444 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4208 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:8
2⤵
PID:1236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:8
2⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:8
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2420 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1928 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:1
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3440 --field-trial-handle=1960,i,17315069270847327637,3698188650124279621,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4d141ee14fe7ee62fa564a9d3e6074bd

SHA1
2213ef3ce0ea030f9c5e71c40cc29ffbf73cc489

SHA256
d72e586b414990995ee594fb516ada0b7c46e754f83ed1bc047b289465f62764

SHA512
5444411ae83eb0b6d0ca6424d9b397a45faa27be0e3a39df932fc47adf30157954fd005d5eb5f5634bf0ff2a71ecb0a3fe3077a68fe7fd23e14a5d32d0c426d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
1d7735425213fa34b0f5cf294f330797

SHA1
fcd2fb475fd3898af9674a3d993cce7d9bf8b5d0

SHA256
f2d9d9ff8a42012ca1274881ff66c1ca3ed23c0f67ae78bb0be0ffc1b925f2d8

SHA512
fa07aafaf867173e952a1943a11c5cfcf3312ee1a78774be007c4ab3cba7ca501e1c1e6a353e21aa2f4f59cf27e0f302840944be0929522e303947f73c052038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
131KB

MD5
e5145fab2f127b9f863970bf3669b12f

SHA1
b4e7f420e84a2fe46bbe14fbd188d4dafcf3ca1c

SHA256
ac5e337a3f897e7848940cc656567c10a70d9ea3782d9259ffcb9af955feaf11

SHA512
2d76a44d39b67ab5c303d5e8d1b6ef618a0481d5538df1fe153c21a521edfd4893bbccae29b20b4c7946fd6a39d20e83bf03ebead6b3baf0eb512c61b8762b0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
86KB

MD5
bedbd5d43d1f4c1f7ca249b7dcb8badd

SHA1
afad7199a98c62a637d35ad990d79214bf0b66e0

SHA256
eb21281fec40cce028afd8dbe4aeb19e2c5fadc328abf3870f1f1d04e2724181

SHA512
baa577d5bd1b878a2aba6b5c9f0ac402c03d4c70e17b5d2b6ea8eebd17e0880ab5a18e6b6df6a263e50414e77425696076ea772aa8fa3dbe38d56f535031006b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58318b.TMP
Filesize
83KB

MD5
8b3fb09a8e954348ed97a601707e12db

SHA1
221e9fd7fe2527754efb29983b15a76f359cb9d8

SHA256
eab7566d2b8888b6dea077a4268c5ebdeb416477a86c2013d4605bddd83336ba

SHA512
eeef645f8ac1c5baae7ca45cc2e28f16081d00c134596a69094dc4fd21e46a3adfea6794428bb10bf98abe1034480fabb2d142c1d9448442f7e9364416185d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\7z.dll
Filesize
1.1MB

MD5
0ffa2bff9e56e6122aec80d3c1119d83

SHA1
09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

SHA256
609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

SHA512
42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\7z.exe
Filesize
292KB

MD5
97b382235264f18a53eff8e891997920

SHA1
cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

SHA256
bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

SHA512
1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\ColaBoxChecker.exe
Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\HyperVChecker.exe
Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\baseboard
Filesize
114B

MD5
378ed3362ac2bf5ba495030911008bd3

SHA1
7f21ba601ff05621c343c2c1a59b501b16d41481

SHA256
99eec2f185be804338fa23367b7042dd4b9d1fe32affda7ac4e902f07e1f77c5

SHA512
ab4c669a000b4ac08f50109771d423becc9eb2abd833ab8df289f5a85309f21d5802a5a6609b79294d4736ea6c76348b9e3cb7f2bd7ff4904ece1a51122feb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\config.ini
Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\nemu-downloader.exe
Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\run-checker-log\baseboard-139378136854168830.log.log
Filesize
4KB

MD5
de208d54a9e3927428e599954c81880f

SHA1
7e2285f5810083de1e5eaa3a22add1689defbfb1

SHA256
21b6ecea66e5c9e9c04d67716e8e2d9c49051072e3c3e03b7b5dad27770795cf

SHA512
e9bab9f3056d19a4674a6e003d0bb05f966632cdd7bc7c7128927e8226e8a81a0787ff8082c83c0469e7f9c1d7cd404aba79125f6bb4a7accdc5116fb47c5a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z72DE5728\skin.zip
Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux.zip
Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\??\pipe\crashpad_1380_KIRGPBGSWEYNBFDC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit