f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Analysis

max time kernel
30s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-08-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

nemu-downloader.exe

description ioc process

File opened (read-only) \??\F: nemu-downloader.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Executes dropped EXE 6 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exeHyperVChecker.exe7z.exeHyperVChecker.exe

pid process

4792 nemu-downloader.exe
2356 ColaBoxChecker.exe
232 HyperVChecker.exe
412 HyperVChecker.exe
1448 7z.exe
2336 HyperVChecker.exe
Loads dropped DLL 1 IoCs

Processes:

7z.exe

pid process

1448 7z.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\F:	nemu-downloader.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	process
4792	nemu-downloader.exe
2356	ColaBoxChecker.exe
232	HyperVChecker.exe
412	HyperVChecker.exe
1448	7z.exe
2336	HyperVChecker.exe

pid	process
1448	7z.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exenemu-downloader.exeColaBoxChecker.exe7z.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nemu-downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColaBoxChecker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133694689096724562"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

nemu-downloader.exechrome.exe

pid process

4792 nemu-downloader.exe
4792 nemu-downloader.exe
4792 nemu-downloader.exe
4792 nemu-downloader.exe
2780 chrome.exe
2780 chrome.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

684
684
684
684
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

2780 chrome.exe
2780 chrome.exe
2780 chrome.exe
2780 chrome.exe
2780 chrome.exe
2780 chrome.exe
2780 chrome.exe
2780 chrome.exe
2780 chrome.exe

pid	process
4792	nemu-downloader.exe
4792	nemu-downloader.exe
4792	nemu-downloader.exe
4792	nemu-downloader.exe
2780	chrome.exe
2780	chrome.exe

pid	process
684
684
684
684

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

7z.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	1448	7z.exe
Token: 35	1448	7z.exe
Token: SeSecurityPrivilege	1448	7z.exe
Token: SeSecurityPrivilege	1448	7z.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe
Token: SeShutdownPrivilege	2780	chrome.exe
Token: SeCreatePagefilePrivilege	2780	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe
2780	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exenemu-downloader.exechrome.exe

description	pid	process	target process
PID 4192 wrote to memory of 4792	4192	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe	nemu-downloader.exe
PID 4192 wrote to memory of 4792	4192	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe	nemu-downloader.exe
PID 4192 wrote to memory of 4792	4192	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe	nemu-downloader.exe
PID 4792 wrote to memory of 2356	4792	nemu-downloader.exe	ColaBoxChecker.exe
PID 4792 wrote to memory of 2356	4792	nemu-downloader.exe	ColaBoxChecker.exe
PID 4792 wrote to memory of 2356	4792	nemu-downloader.exe	ColaBoxChecker.exe
PID 4792 wrote to memory of 232	4792	nemu-downloader.exe	HyperVChecker.exe
PID 4792 wrote to memory of 232	4792	nemu-downloader.exe	HyperVChecker.exe
PID 4792 wrote to memory of 412	4792	nemu-downloader.exe	HyperVChecker.exe
PID 4792 wrote to memory of 412	4792	nemu-downloader.exe	HyperVChecker.exe
PID 4792 wrote to memory of 1448	4792	nemu-downloader.exe	7z.exe
PID 4792 wrote to memory of 1448	4792	nemu-downloader.exe	7z.exe
PID 4792 wrote to memory of 1448	4792	nemu-downloader.exe	7z.exe
PID 4792 wrote to memory of 2336	4792	nemu-downloader.exe	HyperVChecker.exe
PID 4792 wrote to memory of 2336	4792	nemu-downloader.exe	HyperVChecker.exe
PID 2780 wrote to memory of 1968	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1968	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1604	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1636	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 1636	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe
PID 2780 wrote to memory of 3488	2780	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105 (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\nemu-downloader.exe
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\nemu-downloader.exe
2⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\ColaBoxChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\ColaBoxChecker.exe" checker /baseboard
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356

C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:232

C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:412

C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff9e1cc40,0x7ffff9e1cc4c,0x7ffff9e1cc58
2⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1844 /prefetch:2
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
2⤵
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2192 /prefetch:8
2⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4452,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4460 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3792,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4476,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4540 /prefetch:1
2⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4468,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:1
2⤵
PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5268,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4916,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3552,i,1820150883037864409,4969639205603673172,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5404 /prefetch:1
2⤵
PID:572

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4cc68164b4596d69538ae4116c5d2e12

SHA1
3991d8a0f41e1fada53b3ad184fae6df2ffaab49

SHA256
0d574a536f3b512ce190ed09fa35ddb8a93d124e93f8e35edb67ddb78763db38

SHA512
f74c1bd9845551529f2b5360e9f2d5db8f17cf96b33e3261d8702ed0d356bcd5c1cdb1cf83a3353154dcc72eb9a28d3db3082514d1591d2c73e0a4c249bdcd86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
affc343e00534f26510b3555eda38cc7

SHA1
0d098618b8552b3fad03f6ef639ea0ac63441cc9

SHA256
4278a0e65eceaced770c4f211cf865b2c3bf399a03fb368b79a9e20dd84419ab

SHA512
dd595907ac048d93158794ff662564ef291af7969030f11f8a4ec2c340630737ffd4e4d944ff6c2fac2f720d16a740563dadeeefed66a01de9d82a698ad950eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d7b31f4e03ab033278c474a8b72202a1

SHA1
f9c05aef29a11a72a2e714deef02142bd2d0bf02

SHA256
cd9db55a78bf8fcc9312f25d148cb3afc2f47cb4fbbecc5e7bb8a341bbfce6b5

SHA512
7acb2034099066f1d85cc7866e8ce10b2d4cc4729dffb445f0683cf3f83b80310ccc3fdd25a3acff1152a48a95479f65e88387470cf1d37e7d70866909445f60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
e5407dd60487678b1b6c106e1d6a8346

SHA1
b6a248a2520bc51ac1161760f47adae6cbec9406

SHA256
10a509050a9f865800aad59b51f4105bbae5cd6b39bc46acfafc3a115b249f17

SHA512
e5e030147f88f3c02b88aa8e3775299b1b1f849a1078f2056cb987f94e02b10459569dc394fdceae6a17eb0cad535291b2feaddc03fca27a9729a143a73e1b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
d2f217c74e3beb83fe025087eaa30f96

SHA1
18875694d2486654474dac63f6267f114f38d339

SHA256
fba8cd7718d1894b7a4f8ead1882aab8d865a592b6f9b86dd5fcc2b156e7837f

SHA512
7e569dbe1a15e46d7383952593a50b93fbeddf65db56cb05f8e686ea4e1042adedd3eb6b100792bad730f239aa00a8d43028de45c35b76ead539046ad96f1082

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\7z.dll

Filesize
1.1MB

MD5
0ffa2bff9e56e6122aec80d3c1119d83

SHA1
09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

SHA256
609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

SHA512
42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\7z.exe

Filesize
292KB

MD5
97b382235264f18a53eff8e891997920

SHA1
cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

SHA256
bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

SHA512
1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\ColaBoxChecker.exe

Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\HyperVChecker.exe

Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\baseboard

Filesize
114B

MD5
7b58f0d25e62b619642a7242d748de30

SHA1
8e9fb7323b10b7aaef2ffcb0b85812b771e846f9

SHA256
c37576dbe6af99fe91c98c7015868b91a3f3e98f6d306d233a2db2e9072e376d

SHA512
aaaed52f246f50a5c15fb82766723f9d8151a884353f2513c9371d53a06ab59b93b976df1795342de9daec0df79b0f5db2390eb676052eaf6be382ee63737b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\config.ini

Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\nemu-downloader.exe

Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\run-checker-log\baseboard-139442880993483580.log.log

Filesize
4KB

MD5
6ed265cf6e68ef2fe3cd0aa1bb190ba7

SHA1
8c746bb6e8de0a261cb82703b667eff1b0ac4773

SHA256
f7649e9fc32b5547ad5a30bc1a675016dc644613e18d58c87f1f096bd0124a5f

SHA512
30ea55ecf6217c8c85048d0c589a6f946ad1ba6afbaa6113210236777cd78f0741555fc30f60c83677d6a80e2aec9642df4cb1156b1b706cedb23396ac88c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9E5060\skin.zip

Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\??\pipe\crashpad_2780_PPXSDQOUYDGLIYDK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit