f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

nemu-downloader.exe

description ioc process

File opened (read-only) \??\F: nemu-downloader.exe

description	ioc	process
File opened (read-only)	\??\F:	nemu-downloader.exe

Drops file in Windows directory 4 IoCs

Processes:

chrome.exesetup.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Executes dropped EXE 6 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exeHyperVChecker.exeHyperVChecker.exe7z.exe

pid process

924 nemu-downloader.exe
4048 ColaBoxChecker.exe
328 HyperVChecker.exe
1532 HyperVChecker.exe
1468 HyperVChecker.exe
3660 7z.exe
Loads dropped DLL 1 IoCs

Processes:

7z.exe

pid process

3660 7z.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3660	7z.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exeColaBoxChecker.exe7z.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nemu-downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColaBoxChecker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133701023572779081"	chrome.exe

Modifies registry class 2 IoCs

Processes:

MiniSearchHost.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-661032028-162657920-1226909816-1000\{F1C446F1-99AF-4802-B090-CFC3F94A1E86}	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

nemu-downloader.exemsedge.exemsedge.exemsedge.exechrome.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
924	nemu-downloader.exe
924	nemu-downloader.exe
924	nemu-downloader.exe
924	nemu-downloader.exe
4672	msedge.exe
4672	msedge.exe
3416	msedge.exe
3416	msedge.exe
4972	msedge.exe
4972	msedge.exe
1716	chrome.exe
1716	chrome.exe
652	msedge.exe
652	msedge.exe
4120	msedge.exe
4120	msedge.exe
576	msedge.exe
576	msedge.exe
2924	identity_helper.exe
2924	identity_helper.exe
408	msedge.exe
408	msedge.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

680
680
680
680

pid	process
680
680
680
680

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7z.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	3660	7z.exe
Token: 35	3660	7z.exe
Token: SeSecurityPrivilege	3660	7z.exe
Token: SeSecurityPrivilege	3660	7z.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

1968 MiniSearchHost.exe

pid	process
1968	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exemsedge.exe

description	pid	process	target process
PID 2476 wrote to memory of 924	2476	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2476 wrote to memory of 924	2476	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2476 wrote to memory of 924	2476	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 924 wrote to memory of 4048	924	nemu-downloader.exe	ColaBoxChecker.exe
PID 924 wrote to memory of 4048	924	nemu-downloader.exe	ColaBoxChecker.exe
PID 924 wrote to memory of 4048	924	nemu-downloader.exe	ColaBoxChecker.exe
PID 924 wrote to memory of 328	924	nemu-downloader.exe	HyperVChecker.exe
PID 924 wrote to memory of 328	924	nemu-downloader.exe	HyperVChecker.exe
PID 924 wrote to memory of 1532	924	nemu-downloader.exe	HyperVChecker.exe
PID 924 wrote to memory of 1532	924	nemu-downloader.exe	HyperVChecker.exe
PID 924 wrote to memory of 1468	924	nemu-downloader.exe	HyperVChecker.exe
PID 924 wrote to memory of 1468	924	nemu-downloader.exe	HyperVChecker.exe
PID 924 wrote to memory of 3416	924	nemu-downloader.exe	msedge.exe
PID 924 wrote to memory of 3416	924	nemu-downloader.exe	msedge.exe
PID 924 wrote to memory of 3660	924	nemu-downloader.exe	7z.exe
PID 924 wrote to memory of 3660	924	nemu-downloader.exe	7z.exe
PID 924 wrote to memory of 3660	924	nemu-downloader.exe	7z.exe
PID 3416 wrote to memory of 1556	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 1556	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 3832	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 4672	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 4672	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 4284	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 4284	3416	msedge.exe	msedge.exe
PID 3416 wrote to memory of 4284	3416	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\nemu-downloader.exe
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\nemu-downloader.exe
2⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\ColaBoxChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\ColaBoxChecker.exe" checker /baseboard
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4048

C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:328

C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mumuglobal.com/problem/q57/?lang=en
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff430f3cb8,0x7fff430f3cc8,0x7fff430f3cd8
4⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
4⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
4⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
4⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
4⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,7613340960114797053,13131728421569542664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
4⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff42facc40,0x7fff42facc4c,0x7fff42facc58
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1796 /prefetch:2
2⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3056,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:1
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4360,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4584,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4240 /prefetch:1
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4384,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4780,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4276 /prefetch:1
2⤵
PID:716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5252,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3384,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3460 /prefetch:1
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4620,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5380 /prefetch:1
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5380,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3376,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4980,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4332,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3424 /prefetch:1
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3784,i,9792427670769299142,15861552806343006078,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
- Drops file in Windows directory
PID:1108

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7a3d94698,0x7ff7a3d946a4,0x7ff7a3d946b0
3⤵
- Drops file in Windows directory
PID:2128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3124

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff430f3cb8,0x7fff430f3cc8,0x7fff430f3cd8
2⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
2⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
2⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
2⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
2⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
2⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
2⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:576

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
2⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,11470943323001402358,7586757055928154566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
2⤵
PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
65e87650a789a8db66bc348768a245e4

SHA1
5d211124c30d21832faaf6db71e5975ca0c41712

SHA256
3584f859a91133eb51d27f8f4044fb629e766a33c41ff1509528cd833ed9040f

SHA512
0b507994de33bb2bb398db585c8b82332982854040259dc763044f86debedfde9c915a0c8099c3bfe6f6ab33a1fcade92fcef493216e1f0268d1d5dd786cf995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
19c9287368af21a43f1540e6fa8819ad

SHA1
f1992215c2606c0bd4b63cdd0ae36e1c014e4fee

SHA256
f19b10c49621deddf66f13719b6241818df2d76d96ff275637ed2ceda2d754c6

SHA512
d0e80e75a9837f8e87724df716497f8134da100b299568b1568733959d4f61bc85057fc5260e5938736568cc245b5a7d002c15b4e8adf5bf82257f61ae3f6329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4243bcd37103877fb3c98ac8bca13098

SHA1
efd7f36da4151156f6d0424019ab45b1bddf64a2

SHA256
448c987c500b6e8531b593f34b80ae9d3d3a60cb2f76fa70ee626a4d99f69cb7

SHA512
fc05810bb51e1597e83ef7946ca5b7d4ee218c30e90ec0f143ca63aa5a79c4c54053757de5078f1fbd0dcf91e721209ab5ffc0c8d96c52c256bda436bed2b931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8d323ebafb43b972ffff4301fb647aff

SHA1
10ef822837dec6d1be3b760baf6f40994200fcb1

SHA256
d1d1b15b2bd95f44bbc781f5c5faa91dba6d1a2f4b0ae8588a04a4564d857a70

SHA512
2152ad71d16fb9159dc4dd87bfbdc7e8ff2784684aaeeb94d383350d90645a952d3c109d763e02a407c6f4b8402aa5439320f7cd54bcdc529d4af6bc90134f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
8702ddf29d515ca0f9fae129d081357b

SHA1
d1c2a43767ec30b8aa0d6b5cff7c49bfa4426c07

SHA256
7fbf58a91d6f4e85bc8023ef10cd3ef3c832db4ec0cff92404ab419675bb832d

SHA512
950cbb7317f97f66bed2df229c13830a0efb62c8c16e4605cfe833fbccf228f6517b2dcd8467a5fbc5b974e00958bd0851956d26c1682bb7aa08cac286ac1a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
e5d8b58a4fbcc990a6587b9586c28154

SHA1
6a002a711990e535a007972a1ad229e475350dba

SHA256
7cbe07f37342289dda81f0974122e669d335ebfb419eb09c3b0ad6d63aa23e1c

SHA512
b7803dace55ab874195e657a2eece5e9d67515d952f45d8a78850e0274972b264b8a3f4649545f5808769e54c30e54af03791c0c645b90c7f9fd44d8f627888e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
d01b0b0038b09bf8e097eefa3b4728fe

SHA1
ab7c2da660e1925a3a8751c34b8e64ac65a05d6c

SHA256
b28887ecb8d51af5924195756b70e4d6c0a18bde9bdc5883ddf20ccf318e7eca

SHA512
cfdc87b85a64c0ff5283c68d29716e5d157412d1541359edc096a76cb1071fb26d35799e9138be20ce34eb0970c5d8032ca43e584a90a9d94a4922c806ac0212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
5a3cf90c2f23a43a4a82b82e151ec45d

SHA1
26b66a3b7236ededde8927f31ed156b63cd04cc6

SHA256
641c43102996336c900ea072953356108a606b5f6d55049d1a015ea906579b62

SHA512
603ff290d29a2e9f7be5c2bc5d0643c5a2fa2bfc2251f0905aff7ab99d9a66c90b0b35a98b8c17d984341f28eb2f049411ec6b59f0286d6e830e293cc7ab4de4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
643afb1b659cf5bda05623e76fc28945

SHA1
f830e2bb23baac9934427b5440701922f75115aa

SHA256
3dac50b641c0e641fffac36d9b12c7d30133e218fb5bcc835508b63f839c3d9c

SHA512
5ae83bed3f044004459b72b72c78322b4964ede16ae668e40cb4f2347335aef44bea7b1ba82e2775a2add30bcd805d7d8833927fb6b736e385cd1732d474cf30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
230407fd974b81722be8258df68efaad

SHA1
95fa92577f7fea956e127abb64fdec5c472ffb75

SHA256
03e58b9278204b4eec5fd4a5d384b5a51d26bf7a5596826e69a5954801809561

SHA512
3365e99b077f28c8549f8075a5af914c6e7f511f5535a03897b7d35d656a0d89cdeb6fab775f31b8f47d6655a4894d9044bf4414ea9c78a3c7bca85391b0e38f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
13KB

MD5
fc5e3c00d1045c7a51ed88a11c2c2752

SHA1
54721b1ea1d89b6a7ed97c90e6924117c72dbaba

SHA256
2d75f5a443328f02fcf8a331222cd8bafb9caadc4cef4a3e241443f5e59c1d75

SHA512
a711cc3b268b1f0cb1bae80b54d4a6d8c34529d6fb4120739fdffe039afb4e57a6c8f3a4880115c6bf4b0dfba4c70116cd9a110c527d9a5a7a12c947a238af8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
1cb9f220720d915472789e1af8443c1d

SHA1
956a425726637bb9f3939ff56c2b085d93f65a49

SHA256
fc264db700834a88c51d9a53c8b320e55a689541d8716c64a2207331a634a89a

SHA512
746fa71e2b20776f345503c4108e26417e6084abdcb4af889f7192610a713871306b088fa86ccda4213ac929696becb48d33f59f19ebb3c7d0d02b237b5d872d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
fd4e427331baeab53528ded6860780fe

SHA1
21f4e9b3dffe2c8024e69f7f70741c8a67cdbfc4

SHA256
f40d9abf3fd86bbb97078330ddd5056a12498b20c389feac4f6640a67c506c5f

SHA512
8ad7b416f61773afd425c9cd7f8da28b7eccee25b0338f66f84dbaad815ac1fd9a105df8fa069772dc48af826adf64e6d35ffeaf8b00f2d7e7246687eed00c8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
205KB

MD5
1298e0243d4920824563bd7e216c182d

SHA1
094aae832a0899a9d5dd3814a83bf88e08495806

SHA256
238c6cd7f107be7ed1beb505acc3e26abee9beac2def9ec560be6dda19e51062

SHA512
9cda9e634a832451347bf88f3a662264236ff7d8f3398e1cc697a1523000db6426a8760f4759a56f2700d08b8731724e84047b850301763de9f19b7e26f007b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a162c134b333ec037a4a88b94992dc

SHA1
e6ec53fec643daca63deb418684b56ccc207f37f

SHA256
17481ee96f204cf1d5b24b2528bc8b3eff33a3dd48656fae8e80bb2e266187e4

SHA512
4d72bba176d1d7537c860249579c5783cfb361366132d7f9bad8ad74bf4786f5ad364ca3205a6f834aa15dc450dc44e2c33bac98697983d55be4d0e76438e0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a71bd1034952d1a2b93ca1c49e706f1f

SHA1
004285cea522d4eabb21275ba9f08a4379bcf0bd

SHA256
14df733930c518c246396d8277004648f1352a0fb1c51acdc2a1f539da1772c4

SHA512
aa3f7e75c9c9595ad98b98a6534e8fe01b1f28c8574681ea89efda2f07a600f4184ef99e1d38124968df1031b3d18e75ae849a79d49b79e93c7707674fb04165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2123873f-cefb-49b5-9ea9-583fe356a7cf.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
b71ab9145eee38199027e811423193b3

SHA1
2c07630cf798b35cd94dbce0537e48f503215886

SHA256
35a0a3e0dc4bd8185810e4d040db8ce3b4bb4640d4bd83bc89c70b4987ca8130

SHA512
61a78a99bc80a0b85d41351d121e128196cb36fe4690cbfc1d532130814792a2c112fab1b4c91a4dcd383fcb0685e81ef372771c2878f6281861d19cd6201689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
300dbd8dada2f7296098915227945072

SHA1
d8d8327353d7677720ecd19a0d1b29131bd1c333

SHA256
53fa42fd2d0395d9dc475c3778aed49f68fab6829dd4e832b74964c43adc1ef4

SHA512
c045517a310f6015a5c6a3a6ca97c67c4b2925ff86d546d772a9ffa9c7696103eaa0bffafb22e4cb64f7f982f549efe79b005791cdc47b0e1f8c637e6af4ce94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
20KB

MD5
03fed50c2828f5ba653e661dafb1ab3c

SHA1
48060d6178a03510d927d48a5fb3ef7b5a5889ae

SHA256
510f736d17c34d3117ac149da2629e2064966b014ac511c9f5755557d4a40410

SHA512
94ddcf354d613711b3a31585befeea619b5cb9224cfdc697fb26e6bf11e963ee349486e8f718d88076f48c5ee99ffa3cdfae43843d2a3783a65637e0c54b6344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
116KB

MD5
160b610fa53a62cdb4e4d4d29ad2062c

SHA1
9b089c1598935182e6d3ffaef13fa08c6aeb5bc4

SHA256
10ba602506d6d402b393245670b59c62115c4426e33a568f4a591d9d7c21429b

SHA512
24c01da48bc1b5a20a8a9cc283a7022edddf101c4e943f6f0cf9bbd8d777e05a37b3f58245a05139f26d317dba2bebf07d20bdf12e6b040e05f48cb2fb8c5bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
1KB

MD5
170d39b3b99a1f5d9d320908048831b7

SHA1
503493f04b9712adce2167e1bc55a08fd480cd81

SHA256
500de821379d4ff56847d02faafe720b006ac6d8dd0c4833fbf31a9e535b3b51

SHA512
c7096ba54c7e1000c32ecd5429dbe09d202e5992f1a1d9c420841b92636d5c069c48758f3e7408761f46ffa8056bb570bcd9d7096925d8255c2e12fe51f553bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
fbde8a30a65324e4a10e188384e0663a

SHA1
b00bdbd502e9130997f5ee4c84cf1fa01de3814b

SHA256
b692e64b4600440dc6bd84686826140bd8cdfc2f61f1375b52d1917662133615

SHA512
758b72dc5c1c81a11bb1b98c2b4d92467c5f4f978363f8818532367ba92bb7607e47e31b8c54fdd22ef2325ca1bcf4c56f56f8a0a0dde455cc5f7e312544b2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
712B

MD5
4c087109f60e7af8411cf67ad980ab3e

SHA1
ec10e9fd5edf7ff92f60ea09e757724ae64d8a36

SHA256
78ae21c147833256cc9cd7b094fc14c206c48f704c790b297723838055bfd6c9

SHA512
9f58e8c6b2343d57b7f879afbb53fc7af22475aa7f0f6361a60583a8b598560b64698e5c2e2c690e501be005f947946801645256ed7a5ff4006a8009d1e4f6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4d529dc0c56c46328bef088e8c0e7128

SHA1
72f4ede7cc53fa74fbcd43d5828c2c8f5795e25e

SHA256
c51ef148de9cd5a45fa1503848d39cc13eed9eadb90016bf37c1c1693b348d6a

SHA512
8f9aaea45c39e29a5336c1161616272545e404d87f548aa38cb20ad481144ff3038e45b6a8daef92936e3dd40a85a72cc316c07292158270aaf278625c839446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e8348d51aea9c692cf50d4102924f162

SHA1
a11884f53d8ecbc50716283b591be46b697a640d

SHA256
a8cf82fbe971730e0640bb9c89bab43bf05f4112f309691b9c34f162a378bc7d

SHA512
15bdf68980646d55cba9e628a5d8f4092a5926fd5d19f1a20ea17872798f67da8e911a3c0bb62772d81bfc24a685adcaf8259af4a85ef876dc459d77fdedbc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
272da5c409da0bd852c3f4b4cff1f4cb

SHA1
eb244a2e04d012b27e890a59c540dea38f0e4398

SHA256
52031e8c1128b5dad7deaedc34ffdd7dbac7da1f231130e3e0558e3a9a88acf8

SHA512
f7360cbc41288fa2a134f2224f4a28d7071a06d01b2d81c2bfaa353e70723cf75acf5d252dd1ad8642764b4f2de9ff52432a6ca01269d519dfc35315c188411e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1fd87e70db5fa60c3fa0a09880af4df3

SHA1
68a182e62d2f772afe7bf6a37a604476202f1654

SHA256
7f43cc0177d37c59d6a9ed3e6f46ba22e3847e996424dcada769c236b105de37

SHA512
3bb732680fae6dbcb89332dc0480e89a2baf3e57fbb0c49c0fb31d90c340509af56c12ba55c2dd22fe401fe24fed1e5d4796e4698a72d87e8982073d0e26c15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
e3a330411d90fc92acd9a578d574d384

SHA1
1575d35bec62889d33b3afc361cefbb14770e964

SHA256
561fc79218e2ada0389397ad05be2ce97f314b527be6e059df652374688aab2d

SHA512
0ecf0ccbc67373bbdcbecd31604c212667ec21f5bebe1588cb33026d0f88fdea7776ae5a0ebc67541a4c42152dc084c4543f9a0ec0a032436c58ba71749d240f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
319B

MD5
b197757b7920a30f8885062100ed2c73

SHA1
93bb05d6d2e24b79e7dc611330e857c118ed54fb

SHA256
eb4d3343148539325c2486e5bef898ffc8c36d539045ab088a2926b0c02a451d

SHA512
9d90b77a29af222e44616fd79eb5aaef4ee4db8861b3af6e14a96011a4feb6845a8cda6ea84a78c93fabbf4b7f1e1f67c7ca9f0aa0d2a5c30c19294d523042a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13370102351343598
Filesize
1KB

MD5
3e5d2e6b4ff4da34a9fbc8764cbef05e

SHA1
5454bf3c3c744f7edb161408aae5082ee5a77984

SHA256
bf2116750f8670aaac390cab49c23a390dfcc82765fbcd14693ba14e02d956f9

SHA512
5d053e4ac4f13babeaf6419d2a6975e7d7d2058ed0137bfc53c112fc68712238db9273f15a56b9b24a1036be746dc4e1574ac90d8f9fbb6844e1f6b00e51146d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
350B

MD5
39e7fee04aad8cc97a8d2282e2f496ac

SHA1
bcd6575a18b29b6e0ed03a462c9fab2bc7f42db3

SHA256
017d1f84ef79c9473faee67c1db78ff4a83e05194d9d07f379e1a5e301161b83

SHA512
52fb004329a0d1497c03f212da94c6d0b4249bd9da03f62be695f8e6f25c36ac6b60977d31e74ac90b19687c9d41492978f5a01a6906cff4f62d244a74424062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
2c6e1e0697814c49fa72e81ada22243e

SHA1
e4b19a549b5ee05a6b02e167cb9b10f363058cb5

SHA256
a11c8730ad25f742e58fb9f33310b1162418bcd41ef0a2c35a3bd22074ec261b

SHA512
a8652f78669d1a4e18e84ffe41a30d3fea37da2a5b3764d1e1d3c25ea827a6327955a6ccf35bd1228edb0aea601d54983da183d439815a9d91a61920d9455a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
873B

MD5
ec1270fb5709fb978b25584574ac5272

SHA1
4795730bc828e9199aef4f59d413b435b60eafc1

SHA256
416e38699f3fcfae998aade8c53a3a77e1beb20e70c97ae8ebbc97bbb42565b3

SHA512
78523efd6839f37ee834db13e5ca222a8172f6c3cf1c6acbb0cf80021b1db21eebfa176f788e2df2a69e5bd0269296a235babdd46eff0b5ad144e1c8da633de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
6bb42e00f31b8bfbb2bf1b1a7d4b8f84

SHA1
929335fc1eb0570850c7e2129433dfbabc5d935d

SHA256
9d454b2023fcf2d54a74d05414a818e14eb1a0dae22012b4a03984a3b3b47542

SHA512
04f75e1594475f6be78e7696cdc7e49f452c39d0ea8758740fbf0a959a85cebf38c912a6db6970220a84ab56462ba4808a712cce8e3794f5edd18211668b933d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
84b1afe16b6ceecbc225851da496a79f

SHA1
635c131fe361344f2abe9a5a3398bca9428362ef

SHA256
de00ec12caf93fa2c4c5a454e043b715916aa27c353816025e786835f9367789

SHA512
d7178c15834f4aa825cebe1bd4c2e8218ebe10e7c745d92148a74907f7bb50bea837706b6bbeffa433f4bd3b907366bd93c7e6ce857b3e22cabe42eeb79fb44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
044ddd5fa9099f3b172e4eba683eb626

SHA1
4bc58095c091beb63cf53cb8f5e2a96b7727e9e9

SHA256
c657bd314d913cfbaf6520b61ca6be2abb73ebca68b332772c3fbebfb6046030

SHA512
bf321f77ed48deadc2df7316fa5677358937664d69f54572ca4d3ed764c0b06b0eeae4fba9183c0405f0ba78c4febac47f2da4fd22ed664bfff18aa2af418b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
90de372a93146ab9213ce1166829dde1

SHA1
1cbb8aa18fbc85f97c222920f3ecd8c43ff75619

SHA256
6f8096bdb08f3123b42c23f3297ce07871452e4064796867aca731f97ed1516c

SHA512
84a0f114448b438d6c1f30c5fd4cc219b04c4d5b8982fbf341c1b1759e1f4b369d5dc140308bed19a0ace8642e3b721d58468c701bfd52af29dbe414ae3c7191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
b97827d44b1519a266e86e85ba8a6b51

SHA1
f98433bf11b5cd731f151b3d6d9b6c07d53a1c9e

SHA256
c30db6a049c539016ac17811755d2902c06008b492592b8f20e14611a567ecae

SHA512
20f6ce57cb27c9aa8edf16fc362962a063a8434e855481b51a0a87c3fb04360bf0efa86cd397250769aee78e204d53f6edaac23d6bf442a02c3adffd256c63f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
da4f945785e7fb00fd163ea2f23c967f

SHA1
235e06cfa1076071154c172881110eacd15bf34b

SHA256
f170cc88742b79b74a10bd9d328440abb3727599c86dc6b65b93e45f4bf5a8c3

SHA512
c7fcd9a54cd7e7f33f60ef8add961f92bfe22f4790e10b0d9cbdc6bf097954312f51b27ee904ce96f8b41fbd11e9336a05a1f06e5a747d8903d4d48cc7aa4194

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
30f9f69bd4cb3ca8ed4af465e6bf3b72

SHA1
1f7bf3625d683c1af38485d1eb39152949648749

SHA256
fbb114871abc3901711a5f204cb370f1cc1602ad89fa0c8155288ec72e4eaf36

SHA512
ae96746716d0b47912c191ca52db48ee40aca9591444c1f0ffbc913346be1fff1e9f71c6e66cb4c175fd308e04a504367dd56bf84920f94c65142cd8508258c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\7z.dll
Filesize
1.1MB

MD5
0ffa2bff9e56e6122aec80d3c1119d83

SHA1
09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

SHA256
609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

SHA512
42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\7z.exe
Filesize
292KB

MD5
97b382235264f18a53eff8e891997920

SHA1
cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

SHA256
bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

SHA512
1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\ColaBoxChecker.exe
Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\HyperVChecker.exe
Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\baseboard
Filesize
113B

MD5
e132d4157b6be5e531c69ebbfe2f36ca

SHA1
508f819a213165ec2570b57a46728de6445e89dd

SHA256
99fa03077be9dec605f7d14d04b91102c91c39cfea70e183189430a03905adf1

SHA512
85106e1c6d44a6fad399325b739a1cc03701a96618dcb4f5bd151978781281acbace5f2fb0050afb6647d0493c515fd234d53b29cb43076d60b73555749342a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\config.ini
Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\nemu-downloader.exe
Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\run-checker-log\baseboard-139449215302796460.log.log
Filesize
4KB

MD5
67fd4081a444caceb8e0f12cc8ee71f6

SHA1
28dea21a0566f348d817dc2d55d6259593d1e53c

SHA256
2ab68167299a1569c5361ed7545d688fc42f33d9d0319ae22bff541543712f8e

SHA512
2375a21bfe76ae501774c326b0edb4154a1a70007f8175dfbbbc27bf352a2bf745a5ef9462be3aea5214f7ef7462c72728a2138431f9fd4d1a796be56fe3b2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76FCC9AC\skin.zip
Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux.zip
Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\??\pipe\LOCAL\crashpad_3416_HFKFOKABQQNUWSAP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

pid	process
924	nemu-downloader.exe
4048	ColaBoxChecker.exe
328	HyperVChecker.exe
1532	HyperVChecker.exe
1468	HyperVChecker.exe
3660	7z.exe