baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc

Analysis

max time kernel
1348s
max time network
1174s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
Size

5.3MB
MD5

86e0f88dcc69e631df6cfd28bb5babb1
SHA1

e7b3552cf10983c97bf3381fe66053f8f5a1ea9c
SHA256

baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
SHA512

c2e0b76ea267cbe01019cd826c90ffcf84e88da1f16c83ae36cebe543cf75316b5a375a3f053165d4e8fe0b6d65a70558cb08693473d5710dc9de4a44fef7843
SSDEEP

98304:cevOCyjertpQj68ndGaX6tJJQv2FKA75OpVclc02vDRZTEW:pvOCyj2tpYo3u0jc02vVZoW

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nemu-downloader.exe

description	ioc	Process
File opened (read-only)	\??\F:	nemu-downloader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nemu-downloader.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	nemu-downloader.exe

Drops file in Program Files directory 64 IoCs

Processes:

MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

description	ioc	Process
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\libpng16.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\CheckIndicator.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\VBoxEFI64.fd	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\ButtonPanel.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\Dial.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\Qt5Network.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-util-l1-1-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\ToolSeparator.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\ButtonSpecifics.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-libraryloader-l1-1-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\Dialog.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMBalloonCtrl.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMDD.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\VerticalHeaderView.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\qmldir	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\platform\qtlabsplatformplugin.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\pageindicator-icon16.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\GroupBox.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\mine.498cdd21.js	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\test\qtestroot\qmldir	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\PaneSection.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQml\WorkerScript.2\qmldir	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\MuMuVMMVbox\Hypervisor\win7\mumuvmmdrv.cat	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMAuth.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDDR0.r0	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\MuMuStatisticsReporter.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\brotlicommon.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\AbstractButtonSection.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\MuMuVMMVbox\Hypervisor\tools\vcruntime140.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\Qt5QuickShapes.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\harfbuzz.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\qtwebengine_resources_200p.pak	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSVC.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\img\arrow_hover.08332636.svg	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMVMMR0.r0	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\BoxShadow.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\ToolButtonSpecifics.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQml\StateMachine\plugins.qmltypes	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\imageformats\qico.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\SplitView.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\RadioButton.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\Popup.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\shortcut_tools.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\check_hdd.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\HorizontalHeaderView.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\qtquickcontrols2universalstyleplugin.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\lang-ru-json.3b4195d7.js	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\MuMuVMMVbox\Hypervisor\win7\MuMuVMMVMMR0.inf	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDDU.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-errorhandling-l1-1-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-localization-l1-2-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\TabButton.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\TabButton.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\RadioDelegate.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\Switch.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\pane-icon.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDTrace.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File opened for modification	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\PageIndicator.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\calendar\qtlabscalendarplugin.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\GroupBox.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\TextArea.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Executes dropped EXE 19 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exeHyperVChecker.exeHyperVChecker.exeMuMuDownloader.exeMuMuNG-setup-V3.8.3.2696-overseas-0221213808.exeMuMuVMMSVC.exeMuMuVMMSVC.exeSUPUninstall.exeSUPUninstall.exeSUPInstall.exeSUPUninstall.exeSUPUninstall.exeMuMuVMMSVC.exeMuMuVMMSVC.exeSUPUninstall.exeSUPUninstall.exe7z.exe

pid	Process
1464	nemu-downloader.exe
1128	ColaBoxChecker.exe
1344	HyperVChecker.exe
5032	HyperVChecker.exe
1704	HyperVChecker.exe
3960	MuMuDownloader.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
8888	MuMuVMMSVC.exe
6296	MuMuVMMSVC.exe
8652	SUPUninstall.exe
8756	SUPUninstall.exe
9084	SUPInstall.exe
8020	SUPUninstall.exe
8680	SUPUninstall.exe
8488	MuMuVMMSVC.exe
9132	MuMuVMMSVC.exe
8552	SUPUninstall.exe
8892	SUPUninstall.exe
8184	7z.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
6256	sc.exe
6288	sc.exe
2704	sc.exe
6380	sc.exe
8988	sc.exe
2556	sc.exe
2060	sc.exe
5988	sc.exe
812	sc.exe
6104	sc.exe
8328	sc.exe
1456	sc.exe
3452	sc.exe
5884	sc.exe
6244	sc.exe
5752	sc.exe

Loads dropped DLL 64 IoCs

Processes:

MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

pid	Process
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Registers COM server for autorun 1 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exeregsvr32.exeregsvr32.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32\ = "C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMC.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23cd1535-edaa-4f21-a4ab-45d97fd1d58b}\LocalServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32\ = "C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMC.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23cd1535-edaa-4f21-a4ab-45d97fd1d58b}\LocalServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23cd1535-edaa-4f21-a4ab-45d97fd1d58b}\LocalServer32\ = "\"C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMSVC.exe\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32\ = "C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMProxyStub.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeMuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5151471-9389-4A0D-8019-277A7E3DD0C7}\ = "IMouse"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A154665C-E091-46FD-857E-80717FEF416D}\ = "IVRDEServerInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D71D82A-6E1B-4BD8-B612-C0E33821EF78}\ = "IShowWindowEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B11EAEF5-7661-477C-9F21-697EFD7AD514}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7245E489-8969-4659-B0A5-5BD14907802B}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55DC8136-A4B7-49F8-BD09-A4CF110B59A2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09F6E4D1-A9AC-4528-A672-B92090E81818}\ = "IAdditionsFacility"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EB71AA4-CB5F-4B9C-95E3-3F16307A2016}\ = "IExtPackPlugIn"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B4823E3-8012-47D1-A190-B463DFAC2EE0}\ = "IUSBDeviceStateChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68BAECE2-48F3-492E-86E8-EEF8E5C24AB6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA85612D-AD4A-4F0C-8B67-C288A053C5B2}\NumMethods\ = "32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B74BE542-BAC3-4E9A-9C95-AEE7BB97C874}\ProxyStubClsid32\ = "{208DF701-79C8-426C-814B-18828F6A0B61}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{742DA6A0-2406-46B6-B6E1-378505E43B24}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6467C67F-E0A2-4C05-B33C-A71D4F789083}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{82C607F2-69C9-49B8-A831-67EF7769159A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0323D2D0-F45B-4925-8D66-A2F06DCAD930}\ = "IExtPackFile"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{221F753B-585B-4037-803A-CA50508A0337}\ = "IMediumConfigChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{596DBD3B-45C2-428D-A6BD-4DB73146247B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B87FDF7E-7949-4D7A-9271-F9D000B63260}\ = "IGuestProcessInputNotifyEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5609FEEE-622E-42A3-A875-11308FD857B0}\NumMethods\ = "82"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5151471-9389-4A0D-8019-277A7E3DD0C7}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A57AA81C-CEF6-4128-BEC5-A76B1CD2424A}\ = "IVRDEServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D04F1D0-17B2-4D45-A053-7031E1DC18F1}\NumMethods\ = "14"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A4E35DA-E63E-4075-B88B-B26279936E0C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2ABC898-AAA2-46BB-AE9C-2312F3965DF8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B721E40-A37F-47BC-A7CF-F14FEF68B4D0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0B4823E3-8012-47D1-A190-B463DFAC2EE0}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19BF0EE8-347E-47E0-8656-98C29419381F}\ProxyStubClsid32\ = "{208DF701-79C8-426C-814B-18828F6A0B61}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA85612D-AD4A-4F0C-8B67-C288A053C5B2}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0B80C50-F688-4576-BD04-DD4A561A502C}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDBC2652-02B4-48BB-AB94-9D5AF0A59CE3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6290458-9FD3-4DCA-98D2-10B029000051}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9CF3EBA-F2DD-481C-9E3F-87FD1D049CF5}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C0F3B60-ADC2-48C7-86E0-C1078F8A2C32}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78E57431-3DB9-4F6B-9D6E-F8D85E38C754}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{302101C0-C7FF-4B76-9E21-5725297216BD}\NumMethods\ = "48"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46896808-F102-4BA7-95FA-4A9872310082}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{711A3738-7C02-4BDE-BE9D-051F0EBE5319}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82C607F2-69C9-49B8-A831-67EF7769159A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C96666C-3DFB-46E9-BCE2-24452D0B08B8}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B03C9EB1-72BA-40FD-AF3C-7254027BEB85}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8BCBE07-EDE6-43F2-B466-BF3FA8E03B38}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C62F7E-446B-4ECE-BCF9-70208585BB7D}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D026AD1-8158-4EBC-BDFB-AFCA7630BA9E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{692277D0-9F3B-4E47-B046-C74C6473D2A6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17227208-4E3E-446B-96E3-C332C981CD16}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21640CFA-3173-46C9-B848-34C1AD2021F5}\ = "ICloudProvider"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B501BF7-5B6B-43EB-8B1A-CE8C341636C7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5A54764-90A4-4769-8647-258D640D6432}\ = "IEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11690280-302F-44CC-BFC4-3BD46A6AE61F}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F72857-F0C1-410B-97B6-8F48B3592ED0}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{302101C0-C7FF-4B76-9E21-5725297216BD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98E87E75-07D2-4D18-B28A-D7F2511B68C5}\ = "IExtPackManager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{221F753B-585B-4037-803A-CA50508A0337}\ = "IMediumConfigChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2A18265-7798-4B71-B151-9C482B5A01A1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9184B-207E-4C3D-9BFF-F97B1504AEBE}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3E25B6F-601F-4601-B7A0-B22A94045D8A}\NumMethods\ = "44"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{897F98E7-F00A-41B7-A309-E54AD805A8D7}\ProxyStubClsid32\ = "{208DF701-79C8-426C-814B-18828F6A0B61}"	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

nemu-downloader.exeMuMuNG-setup-V3.8.3.2696-overseas-0221213808.exemsedge.exemsedge.exeidentity_helper.exe

pid	Process
1464	nemu-downloader.exe
1464	nemu-downloader.exe
1464	nemu-downloader.exe
1464	nemu-downloader.exe
1464	nemu-downloader.exe
1464	nemu-downloader.exe
1464	nemu-downloader.exe
1464	nemu-downloader.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
8704	msedge.exe
8704	msedge.exe
8080	msedge.exe
8080	msedge.exe
9992	identity_helper.exe
9992	identity_helper.exe

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid	Process
652
652
652
652
652
652
652

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exesvchost.exe7z.exefirefox.exe

description	pid	Process
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeManageVolumePrivilege	5572	svchost.exe
Token: SeRestorePrivilege	8184	7z.exe
Token: 35	8184	7z.exe
Token: SeSecurityPrivilege	8184	7z.exe
Token: SeSecurityPrivilege	8184	7z.exe
Token: SeDebugPrivilege	8332	firefox.exe
Token: SeDebugPrivilege	8332	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exefirefox.exe

pid	Process
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exefirefox.exe

pid	Process
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exeMuMuVMMSVC.exeMuMuVMMSVC.exeMuMuVMMSVC.exeMuMuVMMSVC.exefirefox.exe

pid	Process
4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
8888	MuMuVMMSVC.exe
6296	MuMuVMMSVC.exe
8488	MuMuVMMSVC.exe
9132	MuMuVMMSVC.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe
8332	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exenemu-downloader.exeMuMuNG-setup-V3.8.3.2696-overseas-0221213808.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 2732 wrote to memory of 1464	2732	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	89
PID 2732 wrote to memory of 1464	2732	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	89
PID 2732 wrote to memory of 1464	2732	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	89
PID 1464 wrote to memory of 1128	1464	nemu-downloader.exe	93
PID 1464 wrote to memory of 1128	1464	nemu-downloader.exe	93
PID 1464 wrote to memory of 1128	1464	nemu-downloader.exe	93
PID 1464 wrote to memory of 1344	1464	nemu-downloader.exe	97
PID 1464 wrote to memory of 1344	1464	nemu-downloader.exe	97
PID 1464 wrote to memory of 5032	1464	nemu-downloader.exe	101
PID 1464 wrote to memory of 5032	1464	nemu-downloader.exe	101
PID 1464 wrote to memory of 1704	1464	nemu-downloader.exe	104
PID 1464 wrote to memory of 1704	1464	nemu-downloader.exe	104
PID 1464 wrote to memory of 3960	1464	nemu-downloader.exe	114
PID 1464 wrote to memory of 3960	1464	nemu-downloader.exe	114
PID 1464 wrote to memory of 3960	1464	nemu-downloader.exe	114
PID 1464 wrote to memory of 4376	1464	nemu-downloader.exe	127
PID 1464 wrote to memory of 4376	1464	nemu-downloader.exe	127
PID 1464 wrote to memory of 4376	1464	nemu-downloader.exe	127
PID 4376 wrote to memory of 6256	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	136
PID 4376 wrote to memory of 6256	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	136
PID 4376 wrote to memory of 6256	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	136
PID 4376 wrote to memory of 8888	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	130
PID 4376 wrote to memory of 8888	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	130
PID 4376 wrote to memory of 5700	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	132
PID 4376 wrote to memory of 5700	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	132
PID 4376 wrote to memory of 5700	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	132
PID 5700 wrote to memory of 5744	5700	regsvr32.exe	158
PID 5700 wrote to memory of 5744	5700	regsvr32.exe	158
PID 4376 wrote to memory of 9048	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	134
PID 4376 wrote to memory of 9048	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	134
PID 4376 wrote to memory of 9048	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	134
PID 9048 wrote to memory of 9056	9048	regsvr32.exe	135
PID 9048 wrote to memory of 9056	9048	regsvr32.exe	135
PID 4376 wrote to memory of 6296	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	142
PID 4376 wrote to memory of 6296	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	142
PID 4376 wrote to memory of 8784	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	143
PID 4376 wrote to memory of 8784	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	143
PID 4376 wrote to memory of 8784	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	143
PID 8784 wrote to memory of 8256	8784	regsvr32.exe	144
PID 8784 wrote to memory of 8256	8784	regsvr32.exe	144
PID 4376 wrote to memory of 8188	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	186
PID 4376 wrote to memory of 8188	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	186
PID 4376 wrote to memory of 8188	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	186
PID 8188 wrote to memory of 8104	8188	regsvr32.exe	147
PID 8188 wrote to memory of 8104	8188	regsvr32.exe	147
PID 4376 wrote to memory of 8652	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	148
PID 4376 wrote to memory of 8652	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	148
PID 4376 wrote to memory of 8756	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	198
PID 4376 wrote to memory of 8756	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	198
PID 4376 wrote to memory of 8988	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	152
PID 4376 wrote to memory of 8988	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	152
PID 4376 wrote to memory of 8988	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	152
PID 4376 wrote to memory of 9084	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	154
PID 4376 wrote to memory of 9084	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	154
PID 4376 wrote to memory of 2556	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	156
PID 4376 wrote to memory of 2556	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	156
PID 4376 wrote to memory of 2556	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	156
PID 4376 wrote to memory of 2060	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	159
PID 4376 wrote to memory of 2060	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	159
PID 4376 wrote to memory of 2060	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	159
PID 4376 wrote to memory of 812	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	161
PID 4376 wrote to memory of 812	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	161
PID 4376 wrote to memory of 812	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	161
PID 4376 wrote to memory of 6104	4376	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\7z71724AAC\nemu-downloader.exe
  C:\Users\Admin\AppData\Local\Temp\7z71724AAC\nemu-downloader.exe
  2⤵
  - Enumerates connected drives
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\7z71724AAC\ColaBoxChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z71724AAC\ColaBoxChecker.exe" checker /baseboard
    3⤵
    - Executes dropped EXE
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\7z71724AAC\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z71724AAC\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:1344
- - C:\Users\Admin\AppData\Local\Temp\7z71724AAC\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z71724AAC\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\7z71724AAC\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z71724AAC\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\7z71724AAC\MuMuDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\7z71724AAC\MuMuDownloader.exe" --log="C:\Users\Admin\AppData\Local\Temp\nemu-downloader-aria.log" --log-level=notice --check-certificate=false --enable-rpc=true --rpc-listen-port=59698 --continue --max-concurrent-downloads=10 --max-connection-per-server=5 --async-dns=false --file-allocation=prealloc --enable-mmap=true --connect-timeout=5 --rpc-max-request-size=1024M --stop-with-process=1464
    3⤵
    - Executes dropped EXE
    PID:3960
- - C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
    "C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe" /S /auto_start=false /fchannel=yx-gl-codex /D=C:\Program Files\Netease\MuMuPlayerGlobal-12.0
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:6256
  - - C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe
      "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /UnregServer
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:8888
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5700
    - - C:\Windows\system32\regsvr32.exe
        
        /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
        5⤵
        
        PID:5744
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:9048
    - - C:\Windows\system32\regsvr32.exe
        
        /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
        5⤵
        
        PID:9056
  - - C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe
      "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6296
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8784
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
        5⤵
        
        PID:8256
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8188
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:8104
  - - C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
      "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"
      4⤵
      Executes dropped EXE
      PID:8652
  - - C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
      "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"
      4⤵
      Executes dropped EXE
      PID:8756
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:8988
  - - C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPInstall.exe
      "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPInstall.exe"
      4⤵
      Executes dropped EXE
      PID:9084
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:2556
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5744
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" create MuMuVMMDrv binPath= "C:\Program Files\MuMuVMMVbox\LoadedDrivers\MuMuVMMDrv.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:2060
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" create MuMuVMMDrv binPath= "C:\Program Files\MuMuVMMVbox\LoadedDrivers\MuMuVMMDrv.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:812
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:6104
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" start MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:1456
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" start MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:3452
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:5988
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:6288
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:2704
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:6380
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:5884
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:6244
  - - C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
      "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"
      4⤵
      Executes dropped EXE
      PID:8020
  - - C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
      "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"
      4⤵
      Executes dropped EXE
      PID:8680
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:8328
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:8188
  - - C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe
      "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /UnregServer
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:8488
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
      4⤵
      PID:4928
    - - C:\Windows\system32\regsvr32.exe
        
        /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
        5⤵
        
        PID:8404
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
      4⤵
      PID:3380
    - - C:\Windows\system32\regsvr32.exe
        
        /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "comregister.cmd -u"
      4⤵
      PID:8940
    - - C:\Windows\SysWOW64\net.exe
        
        NET FILE
        5⤵
        
        PID:8868
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 FILE
        6⤵
        
        PID:8848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cd
        5⤵
        
        PID:8744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cd
        5⤵
        
        PID:8300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        
        PID:8756
    - - C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe
        
        "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /UnregServer
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:9132
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
        5⤵
        
        PID:9140
      - C:\Windows\system32\regsvr32.exe
        
        /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"
        6⤵
        
        PID:6300
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\x86\MuMuVMMClient-x86.dll"
        5⤵
        
        PID:8972
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
        5⤵
        
        PID:9088
      - C:\Windows\system32\regsvr32.exe
        
        /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"
        6⤵
        
        PID:9148
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\x86\MuMuVMMProxyStub-x86.dll"
        5⤵
        
        PID:9188
  - - C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
      "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"
      4⤵
      Executes dropped EXE
      PID:8552
  - - C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
      "C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"
      4⤵
      Executes dropped EXE
      PID:8892
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:5752
- - C:\Users\Admin\AppData\Local\Temp\7z71724AAC\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\7z71724AAC\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:8184

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6256

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:6328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc1c3446f8,0x7ffc1c344708,0x7ffc1c344718
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:9124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:8340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:8220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:7152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  PID:10144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:9992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:10052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:10068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:9844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,13699443353129088648,4872792829372509014,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:9676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6384
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:8332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.0.7788348\572621872" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f98749c-9437-4d14-b353-0c8ea5094e1b} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 1980 22f8d1d5158 gpu
    3⤵
    PID:448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.1.619659090\843718182" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {797af0b7-5a5b-469c-9e3d-b5d809ae2d94} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 2380 22f80771c58 socket
    3⤵
    - Checks processor information in registry
    PID:5552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.2.211152102\1402454092" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3128 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {437d6a46-a6bb-4e7d-a294-db794a99328f} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 3144 22f910c6858 tab
    3⤵
    PID:724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.3.1792583916\375535624" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 1208 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50f42aad-821d-4389-b239-050761c11d55} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 2368 22f80771358 tab
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.4.1685630734\55026952" -childID 3 -isForBrowser -prefsHandle 3436 -prefMapHandle 3716 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e5fd08-4f05-4235-85ac-5b9c647c6a95} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 3760 22f80768158 tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.5.1728031387\640670555" -childID 4 -isForBrowser -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {976edeaa-83e0-4a4d-8c1c-6a160289c073} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 5056 22f933d8e58 tab
    3⤵
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.6.876050380\1394503359" -childID 5 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {176640e8-a72b-4292-8b0d-dee1b43ac5b3} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 5188 22f933d9158 tab
    3⤵
    PID:5532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8332.7.2063200173\1479732621" -childID 6 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b9fe54d-97c2-449a-b248-97539dc296e4} 8332 "\\.\pipe\gecko-crash-server-pipe.8332" 5468 22f933da958 tab
    3⤵
    PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MuMuVMMVbox\Hypervisor\NetAdp6Install.exe

Filesize
109KB

MD5
379552c81cfcbc30ab13adabd4a271a3

SHA1
f333b93734ff5888918482d22ba1f3e256ddc31d

SHA256
859ea2b1a71333c32292d1df371b75557ec92d804ef6442c8dfa8756a94a343d

SHA512
b7351e25011a7aa491a716be82c75d541339bdf72c24ede231d1e9f64f4d63a13f37f86483c0e3b54d04a84f287e2df713fcfbbf71db458246765894eedb16c2

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMAuth.dll

Filesize
19KB

MD5
c76d97c177552c5322fe66e81b03708e

SHA1
8f0ceb1a082c364cb7e20cf9d10a533d883603fc

SHA256
5dfb7db56dedcd86beab5164e7f61ae51a78d9e917778c89cc2a3fed49f83e0a

SHA512
8d6bb1dc4dfb894a8d16db6f2ba1575a1b08aacfbd17be8c189a1f53a82adf06c89779854ea827f0934c6f92945bdbb2c778c334da12544e6fa9615913da5576

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMAuthSimple.dll

Filesize
28KB

MD5
eec5ef10b8c04c423dbbead8aa49e425

SHA1
161e6404d2dd0e0d631a4d45eab5a223a87ae759

SHA256
26e6a6e90259dbbc45e1976e06b6255a7fae98d543cd2cb43e7ab689644f75db

SHA512
30fb4b8967951548c17bf14620c4acb74bdc8180f355da2c9cc465265d59cf258aef34458c24be9812c8238dba65bf470bd3f4b099e1a7bf0eff6080c28cf7f4

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMBalloonCtrl.exe

Filesize
144KB

MD5
325f51e48792f68be2fb1e7105b48e6f

SHA1
e412689069cefdab7c2b6236da1a648d5d655099

SHA256
652ea2923bc4064566cc771cd526f23bcce4b1a3719eb6120cd5e7481f64f625

SHA512
caf3e8579f9fafe6f1617876fda384eebb7528a91f546ac81beb6e33da8110025a1fd3e3e428f2e4669faf379e68049af1cb1259904560d453ff80b7d49ea9de

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMC.dll

Filesize
2.9MB

MD5
71bb3cf6146eba75becdde1ba57d227f

SHA1
753462e7d4b3b44a9f70bacd4af3928c40699185

SHA256
223ee0f0c6554ee3205d449ebd5a51881f42d33a4c2732b13e843a0bf025e694

SHA512
ec4bcaada20079e6b77557419a4f47defec5db5d41dd81f74a89c6044a87b71289fa34bff872221951a5fbdcd506801881b9a72f6282e7313ea0c6a1664b5c62

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMCAPI.dll

Filesize
32KB

MD5
427fddb46782651cd2045cd1d234a5df

SHA1
abc1db27aad566591c358d2acecca75e7eafe5f5

SHA256
f1b4e191ae72dae0501921e7ee5378a4fb078a17d6acf69067374580841f0a9a

SHA512
597b77da475146afc15ffa3c43f5ef7d3a2b71d0650b791b681bdba5b811d5aaa3f15baec2acf04fae28bdf77d873ad3eb43b8f4e0ec0b606303c2bdfd9ac0a7

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDD.dll

Filesize
384KB

MD5
4d802889e2bdeb3a0d5fbd6e2956b605

SHA1
1c0d85f0059ba1a0dc1300c082c67058bae66857

SHA256
7e5b521c6ee1972339b78a8b07a1e1dd312fe2ac834cad8bd52a9d451efc7c5d

SHA512
bce30efc2fd887ffe6cde68b9e29379f0a9834e09ef53ea9977b90a0bb53c81967777c5606d541516c5062787474332c1e622017c7319e5e8da57edd7f553ce5

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDD2.dll

Filesize
4.1MB

MD5
cc0e8cccc9cfa072a07c2ecd09b1458b

SHA1
38dde45e25b16c3919c29d665cdb523b3bd16cfa

SHA256
f61ca6a03b0a97cdeb4b30802404b8468aec7349be896523feef1a9f236bd13a

SHA512
74bda15734400a2274682d589fdc4e28de3372e27c90706ca106496096315e0797d4981cf737861432c2d1233c6efac6736561529e9e0938e6387111ea47393f

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDDR0.r0

Filesize
200KB

MD5
106dae22290adf78a229d6d3ced17d92

SHA1
816485b26e9624174fa4cecebdcbd0a46d38f8e6

SHA256
d6d4b05170c02ce95c536ae1a2cdd7d3b7a5b54aa14a2a4c4aeed599f92dbb32

SHA512
a2c870bbb13a1bc9c133e3613d84d108d8a5b940bf416f7c82398125f5661102e8a9f41c9e3aa7b4ac11d7bb9beca2d3c101139b962bb5d77a502f2bc9f16957

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDDU.dll

Filesize
320KB

MD5
28ec39592a04789f9a2e8079ab192fed

SHA1
d23db2c421feac0283f71e34b6c21c7e342f0c16

SHA256
16d1dd13aa5e2347031469977609bbc7939cc89a1f474ef1a7474ea6e015e8f8

SHA512
08bed29475ecddd319bfba08cec302253d24ac2c5de6026dc8abc113d107bb3ac345e56ff799e602cb7e7c4ddb288498931e0f0884e4c19571edbb28a81fdec0

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDTrace.exe

Filesize
20KB

MD5
d1d6d03bd9d929d758a2ce3c001311e9

SHA1
90419ab8079ab823c71b29b83f8e69365ad0f22d

SHA256
90083a7a5b800c8dd78b16ad06a487b09c6c42c0d0ccb373e52819e6fefd8063

SHA512
578090df58177c32337b6b702804b7b227f1fa5dd871538f396882ad62cd12b8f8f97892f62667555e0f0ddc1efd1bd7f69a00b0cb572c0f65b31d7683618b36

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDragAndDropSvc.dll

Filesize
45KB

MD5
fd6eb2f0557d3ada91ef5141e50bd3ac

SHA1
60efbe3f9734fe46fdb496c72c3cac0a68a590a4

SHA256
4be0d9221a5a5265294715b70240fb6361c57e97072e010d06805e20cbfb53d7

SHA512
c6aa5064d11b32b4535a54362169720cb3318b720ce0d667e4fa5066d84d82e0d0b6542e18640a6e1a6dcc73ce87895cdf72d5fec6a5041a32b8ef486c2f1e71

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDrv.cat

Filesize
11KB

MD5
4d215ca4b7e3cccedc021955f3d8e0dc

SHA1
34281419e17cec26a26a39d74408d80c3a7dce6e

SHA256
67635e38e615cc70f6f6754ecc2d7485914a73b80685e057590eb4f72c1b5441

SHA512
13cdc1f631fad080f4539a65a59d050c7e42fad545f3c190bee5a2ea1b3526df0790f3c8f423b73ca5ab3e71ccb40c603174ce31aee77d24702c77dee8ca1865

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDrv.inf

Filesize
2KB

MD5
423a9e754c1d0067686b7dc1aeffa6b4

SHA1
a57450653e5d9c3126cebe754a1b7e4204044d06

SHA256
586128bd5dc9f67aa56f6b91d133e295c2a2cf3d3eab52672db8bba7cadf3ac2

SHA512
b31f468dfb55de5894962610b09218f49ad4be1148ea8aca9e5e3b5ca4592f0a0ce25d92464e9059e8b52354d3c7befed3db3e57428937b898a8eb492485b580

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDrv.sys

Filesize
358KB

MD5
14e93c14b6d5d5d9db26275dfc987015

SHA1
0585447d1400fcd57b86280453915799de24c7c3

SHA256
cfb29a2e7e938f7f2ec0443d5cf25261468e54c616eb74272c43924bb32e806e

SHA512
41da4d14075c3b47c4228cf1ad964b7a943b59c8e851bd2c264d88e37a7a3f525c9ad15683e5b0f512854eb1088c1d398fef8217a7c420d239c5de12c940639e

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMGuestControlSvc.dll

Filesize
43KB

MD5
386ef591b74853d5a855024392fcbf24

SHA1
5a9fc4a420d3018fa2913f3748e7874bd632be18

SHA256
c0756c2c11bc2cefc84d90fc3f916306611291a18d1ed41f2576f3382ae3e1ed

SHA512
3437cccc1199ab36192ce113968ac5f7a0bb260a30161e8f212c23e75971c88a4c6e62dec7e9218e3112aaa7c33013dafb60c78659ad35905511a4a31c54af9c

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMGuestPropSvc.dll

Filesize
43KB

MD5
71a3134a8a546b4f4b78442637c8c428

SHA1
6465b85fe2167c86606440d46ff0e91a4912aae2

SHA256
b6f68860d69ecdc558b881ee14627a9e24707baf171b1de43c691710a2d07c75

SHA512
3cb5bc398821d5dd7b4b3f6304bd3d8b597d42ddb6b045d5390e898c042e5f1ade233056338b0eafe176563e3b07ae18fa266615f381f7531a89025b090d8a88

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMHeadless.exe

Filesize
215KB

MD5
0ba088cd5bcf0f555b6aa4199995a8c1

SHA1
76d8842527bac0860c69792149e8fb111764dba9

SHA256
81f5b48ee08814225b77eb2d072892157ce06721fcfa4a79376442ccaa6e1de6

SHA512
b8de38002d260ec7d7caa1637eb8ca7863c68d5ee0f5a62cddb6090c5b3376288de2a3995143559b0ae7818355c49b51cb8abd5ed5b9bf390fef3bfee42f7e91

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMHostChannel.dll

Filesize
27KB

MD5
b4473ce7adb11f0936286eec29ac8dcd

SHA1
718c23296734f1bfc8327bc7cd9e84e9c753bb91

SHA256
24ae775e6debfa67b02b1d2ff6902f22d3ab6f93f0cdf44ee775f4bfac4cffa9

SHA512
a7ac0ef0d663fd7332f8e870168ffdd95ad4f5fcb5fd020fca369bc30c630d11547c82791af5f2f899d74ed54ae81d90b8d63a702611103ea2314de8a84d8d1c

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMInstallHelper.dll

Filesize
187KB

MD5
2da95955c1f8ffdfd429e3875a0b085b

SHA1
f9141d5e6d918cdb6819ca4b25f78a1b4fdf93ba

SHA256
b6544564eeb1cd98adb0c7fd5a3b92e430a6d9fd295ef9d50eb064c5f9686473

SHA512
f3eb903b7bfc4169033a1c977b68ba3cb6d1e3db54ac397618604b623b5f494340a5bcb35b28e576a11a5f9c7180bf7f6d9edd5dc81494aaeef89ebe4626d7a0

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMManage.exe

Filesize
1.3MB

MD5
e4f7442113454d1c39f43a4451841547

SHA1
ed54d46b704aa8129eef1a6331d4484406a6778b

SHA256
5608f4c624d8873f757cc3dd17c17885e505962e7825cfbdff75913d791b584d

SHA512
affbe534f61906b3f9c509341d568e47c4249952e0a0bbb17c068564f37dcace54868e048735956626b3827d7f6d5731a739867bfb9bb37360749f80773368fb

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp.cat

Filesize
11KB

MD5
4c8e27b491df706887eedcf71be13759

SHA1
e5e11388cd871f54c8c5602deab7ef8392843064

SHA256
8d106e9f8e78d6890161ab12be359ca0e357ce6ad46d9bdc5d80af3448eb94f7

SHA512
e4ed33bd3adc12e62718d93e5d8c8c4fcb61079ff64d50df77014b6730ea2aac15fbca2abb664e19b84bc9d6bde5025a8f71274b7dd7f3e2e66ef07dd5ecc76f

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp.inf

Filesize
3KB

MD5
92a337482c3995c561139ea8bd7c405b

SHA1
a164ab90cd6e1abedba0c54a96a450d94be4c93b

SHA256
898574b40ca3ab0ce278899e4e585d653eb5dc3a2ac7da57c904a0bf4b0cc014

SHA512
d46f8d7abdf445697303567845390b52a31f3c0e45e8aa357802e667bd4a0816555b3d841f19672adf69c2c31e3dd62e7e6d788d50d95172ac81f5781403a102

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp.sys

Filesize
193KB

MD5
e38eaf43e944f9c03104283f105f5363

SHA1
166df8ae9d5e2d3039a5b9a96725c98e43c268c4

SHA256
e7c6793ec48fd075d74eed04933cd256720e4bc4609baa12eb201ef6c89b8108

SHA512
39170fa2c6649106202a45f4dba9800efe0c9e93035df7a59ded989f746cd2d1de971069ef6aae60d34dfbcc7c33b14756a619b430c0289c54439970cc454e7f

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp6.cat

Filesize
11KB

MD5
5b06844dd324d3429d14220f8e03b100

SHA1
d3c29644571053595da3eb84543fb2965fde125a

SHA256
821841dbd1549bf444e8f5082da3feb75fee3f4feabf117b131058d252e5f68d

SHA512
a73a271ad633da89ffd112a9db387e9705edf30e03b18123abbc82671ea471c072be8a9ba81d1e4a7fd853138f64e265f1f01264a25b24a7118d7758b11d8db8

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp6.inf

Filesize
3KB

MD5
a8cf4a14790dcc315d764fa481adb5ea

SHA1
98d562c329fdbbcae881a4ea7148e6b15544d753

SHA256
94bff036fd5caac9be2ce2b60695f5b881e06211d8fa3ac771a82974c6cbef79

SHA512
05e08c8293f9faff2cb65aa0b5172324ae0adc1c73469fef4c42ad252ca4ce068f564bdfffaf134f1f72f6671ed4acf27d44d0dae17f354ef1c9e6c7373e37b6

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp6.sys

Filesize
226KB

MD5
4310bfff02dedf0d13d0b763300bdce2

SHA1
50aa2fbd794eba7a6018141eee510c139408d83f

SHA256
5150461b359ab6bd3be49edd77cd8ff429fb02d4e704155d794989f9b485aae9

SHA512
b181b835006ead6ddffe577a1089cef3b3f56475644433285d7274c6fd9e2bb4d2dd9e3bbced63a4e7778213aebeba5499ecb4aaf4dfc1751d895b862f4fa2f4

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFlt.cat

Filesize
12KB

MD5
91bab7bfdb03f17ef945f26ba626fd47

SHA1
79d5b9f174562756ce4649148bf9ee4bd2829dad

SHA256
5fab6bfc10c7feb4ab015373ad1368a7b5e2391c3b971341481a995f72fc07cb

SHA512
e53cecbb9670ea918e1946419c40ef2fa3ebea1e067e66fc244a701721bdad108a102d6d7978d9741afc144d4a4540e1142f865ac9932709fe49b3e31419701d

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFlt.inf

Filesize
3KB

MD5
e61b659c79361ee58dc58998e4cb6373

SHA1
d6e00c2002b23b7c4414319ebc435bbd404d3397

SHA256
1a15705f3aa1cbbf47c1b7fac1ea8a3e00e17958e6ad6b674be2bd7389a0dfbe

SHA512
6d7eec93f8dd10184707c2d0c343eca5caf9f0467bd7efc2b1e1bacd2b36389ebe062e3b8f6d5bea479f7fd0b1f27458923c6866cf6e322dd928473b1c72f669

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFlt.sys

Filesize
205KB

MD5
0ac3c5231442f711d34748bc5d3144e3

SHA1
afcb04e915cbae553d82ae58d54c2531d144e395

SHA256
2457a0c4a3176277e7db80e406f1ddd46c669e01f3f741c6cf3403da31e2ad07

SHA512
7f94a88ceabd9ace0cd65cd49297b482f040ad31b5bbd34955b25f6aafce315cb6fac28fa0a1d61614d3eeae7cdf3bd63e4191d59f2d17267870294ad8a861fa

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFltM.inf

Filesize
2KB

MD5
e87981c99ff763113ca116a3ad696027

SHA1
f8ad4145189c6afc08fbf5429a6da96aa1d34840

SHA256
4364c725e14a761776b123c92cc492c0404393cfa7960ffa173a54961774cdce

SHA512
4566c22c9c759cc5acd69846fc910760b68faf5aa4573d3f01c328d2bcd24d3cf735215682737752c22e3ebe11e6ff5e49ef8504fc72b1523bf995ac223cd8f5

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFltNobj.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.cat

Filesize
11KB

MD5
e1712d82f582f98c3a0e78e0d4651c2c

SHA1
6dd1fdf141151ec19916cbb52b6489589bc8d584

SHA256
7ef2dd59e21ca4845a9e09fb64b827cbf6e438e13091fc48ec649ae5fa69fb52

SHA512
0c780fc05b95dea9d1f542e842481f3d18d153a87121ad4cf026d001c8520251641005df7b93c8f17a512cee28cca95afa9ca0ebfa66808e11e19c2ea18c04c5

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.inf

Filesize
3KB

MD5
eeb987061c0c9fe0d0dc49532bc1d3d5

SHA1
ce2a9f432e29a78ddfdd20806cb5724d9e056c58

SHA256
bf673efdb64b7e81069eca5b0c50dfb7e6dbb3bb3295f5d034089cd16b528fef

SHA512
8703585843a33021f4bec2bf674702ca7f48a2fb6f8961539e256212c628660ac75edbf2fe9dae37f3d9267d1ab9451ba0e756307d6133f0875fa4f3898c0803

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.sys

Filesize
236KB

MD5
6c000ac4c46fd78b6599f8e45cc0ce7f

SHA1
c1d7e2809834e62326af0a46cf78f14eaac9dd2e

SHA256
05adb854983e9da8821eff5e50cca5a59ad0fa501966c269bd6e937f29d971da

SHA512
9d590138e97f72307fcf431a273f5af80409c9f2eb848b86b889cd1bab4f6a154719588b85093f244ca912d256584b65d7440dec900aab1160f5cd478435eb68

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMProxyStub.dll

Filesize
937KB

MD5
d5cd39948b825a16d8ebdc08f3d1efb1

SHA1
71ad1fa5a30b3229d2e720761c78cc86b52509d9

SHA256
0752616900c6ad425582b7873c3257c94b01057d62e8c7478de5293e496690bc

SHA512
bae53223aed5f39e91900d52862c44d3c85e52c087bd62e56a2a5e43d2e2005955c0dfa0678c36bc0b79302187615c6659fa084575f9688cc64a6d97dc4a284e

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMProxyStubLegacy.dll

Filesize
634KB

MD5
6e2701e30ac34b79a200b2ca17194462

SHA1
b0aa2e2695e35fa84cffbecaca0b417c335fe3a5

SHA256
236c54b06fe8f110a37cae01c26fdc3f6eeb237660ac579f6e370150de3494b8

SHA512
bb844e8fbc202f22e8c95a83d0fcab1b145b52a10a22397d6497c933ad1f95e3e01512bc4753486e56d1fa678839fef2f12d13680719f2479c55b9aa85ab8827

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMRT.dll

Filesize
3.8MB

MD5
a125b07a4303962a655f28421c2ba71a

SHA1
cbbe7537920f51f62217ae15e325421881a37922

SHA256
cb48324368a34d982392989716311be80f946b9c9e9f985b8c60614d39458540

SHA512
e64d777c790e40600bf004d3dbb0e208ba77910f10cb599c2738addbc6aead947c7f12aa6413d09cfb92ffdbe4bf3ab86a0242962572b47d014e5b91466645e7

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMRes.dll

Filesize
694KB

MD5
bb9efe3929c3c97dfb99216a38177998

SHA1
e41970119b8399e8d8abd3e348e010870ee7d9cd

SHA256
ef46be3486221b3d4ad86138bafb12f8c77277345e182926cc259171ef36371e

SHA512
81b4f9b66e3658e4111c0d4ceb142c2a37d82ebcb7706c9372a38be00362dc9609ba922bcb5e73dff5a6146abf6fe530ac45b00ad7c00c0c01c1d6f1f0e69498

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSVC.exe

Filesize
832KB

MD5
980649ba7b8522a8e6d2d67cc5b8c8f4

SHA1
36540d3a803194ab2689851f6493c12ce0bdf3ea

SHA256
46bb5ddd813b7d039a495fb66820549f086062d3143db5884b7be2d0bed9cd2a

SHA512
9a0517e8d142ea88ec0f4d24d135bfb2bc03ce8869b8469ef393a79389fbdeb43963c0e80751751a80ff868d33863ca69c777af482e6a4e71a4ac58f3cf6a1a1

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSVGA3D.dll

Filesize
216KB

MD5
eff20cc41f771c23dcb7a920a4e8832c

SHA1
9994522cf077cdd76ebc1214a7e03d2e8a2cef7d

SHA256
4186e3b37ceebd30fa09cd7afcb96fddc8f368fdcf1005f29c905eba28ced5bf

SHA512
ffcc111625b2a4703c5250822f41a42a4d5f99b03ce8d84d21f0e37c0d19a585d8b5dec1b9882301cc4263b15a6e3631d6e5fda1c36fb74ccb8fbe953d516d85

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSharedClipboard.dll

Filesize
57KB

MD5
b1bee656eac17d44ddd4f141cc0ff511

SHA1
76a8318031d9a7b3b1821d719d6a0ede6d9cfced

SHA256
39aa5ff58708df119ae680f3bbf7a24458cc1230468823ab1e45fe8c757c43f3

SHA512
e3799184855124e2e412c70e01b0af3876baaf7eb5401692846536be188c5e4a896d8591e4d1d7cc8f9540c8d5afd191f51f6d011de6bb6346c4617043007f8d

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSharedFolders.dll

Filesize
67KB

MD5
3ed04e945c2195901ab9809a88879728

SHA1
d71af40616c11d3cc33bdc1d35960db1b760e056

SHA256
ff8ff653813ad72785e247f4a3e381b2e08ea0cb1e7b3f3ddf687bb24b221301

SHA512
8b4f73af65942d33b2437a0b8f56f628432da1000b033e920c085d2f08aace283676d0912185158a4830553e7a6ead928d9b06a029b969710a7436891ce1243a

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSupLib.dll

Filesize
16KB

MD5
0f4bcf2ec0b57c99844f2a809564a227

SHA1
8f4285e68b9b4abe976054c8a664095535f5d29e

SHA256
7e1de6728d222e48274f9526d858178540cf38abf5db9169d7164cd46f29e9e3

SHA512
5b9cf0665333aed5b322d0e56acc12e7707bfd046730a70872ebd3f731831a93bb841945b51933cf2a5243eeb3a8f28dd1c833ce28a38f244a54f78b13595557

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMVMM.dll

Filesize
1.3MB

MD5
305807e7b7f08a7ca571b30092f9ac7f

SHA1
a1c328b1b85cf57126cf42d8634be4c50cdc3e61

SHA256
fdf1e82a889d60e77768280c675ceb24e5238d40af0dc431ba1470e58105ef2e

SHA512
3f1b5a7ea2e0c0891460185b150542d7087aefb042fcabdfc8d6df9ad1581569dd2ea14315d1c7c525db202e4b130529864d98bbf7a63bbe2aec317e6a737c2c

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMVMMR0.inf

Filesize
1KB

MD5
9ef94bd0428340d94cec3ed921cc2eb4

SHA1
dd94165626d95ab1d351298843f77e9ca0ce0801

SHA256
023cf519b63b84224cb092be487568cac6a75e5da2acb394873dcd48d8747954

SHA512
161b31d7870f06b6fd6648f3106e9582825ab81d2279794ea08eef4ec947740b7c4b8a7b4f21e74dff0e2a654cdfcc9f1f1b5727a8c1abb952e31de3b796bc0e

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMVMMR0.r0

Filesize
1.5MB

MD5
3fba4bc28fcf269cae647d13a3b4cbe3

SHA1
47eb1f7dfbbee99200ac47bc9d5cce17fdd78e62

SHA256
d33aa386475bd529f8c3c9edf9449e9b51b71d8a84515390e405bb246bd57807

SHA512
5ac2042ae175938754ec9918014ea546bd70cea8ee2b9670360b9e4043982bfb103d3fcc6d5c811076fa52205532d5b00e3e6e8923144e4bfb37bb852e8bd041

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdp6Uninstall.exe

Filesize
97KB

MD5
21d48087b37d52165fa953dd09ecfce9

SHA1
4611c63b9adaca5d42b2b88df17348f58c4d0935

SHA256
42cd5212575e0740698b32266c7aa51f461df1554786cbd59b2d68c192fc17fb

SHA512
23cfe6d47c265aabfff2d90446e07b5c699ba2bd486f7ee47aa9a504ff5ff95a65f680d90456836d668d5e0ad5eb17766deb843e08ec2bb0c09d80bd97ece646

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdpInstall.exe

Filesize
109KB

MD5
355afc25415cc3c09203a444f4bb9db7

SHA1
98a0a16b97329d80e1c3f91a98ac967093b59244

SHA256
656e5816670f80ba8d7689b308a98dd13d6e81a34b75b2b90a563e9ee7c79538

SHA512
dd8ee4482b67b2c9c1dd86fa7e04e9f85438ed2d0afa26e8adfa87feb3c40e955c84ed760316fc2d39fd3480eec89d6cfbcba25bf39db20940802296192cdffa

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdpUninstall.exe

Filesize
97KB

MD5
970570f96eb9b8f7949654a281e9a203

SHA1
c4ed5b561939e245c3098cd4550d4c69e598d0e9

SHA256
e0a4024c4287d3c92e80e72548fc0e8d9034689e58aa8f847bb9a7282f1f8a38

SHA512
97f5bb508c8eb5925ab664f5c4a28a6853c90abfcb933ef553561532da276407f43117b340c05a0387cc954dc1e46b4c24944c7fdb7ee12709cd595876be91df

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetFltInstall.exe

Filesize
101KB

MD5
1c5d45adf21fcf448fd2f4270f08d965

SHA1
1d086240e9619c4304fb2452f7c74dc98f9c2982

SHA256
356b6f2cbe804061e608f779e1d56545c1075d510eaae6ef0bfff59848b2bf12

SHA512
5e19b9583f739f9355a41368a0d4d348a8bbc5f7afd0cd32122198323fdec3caa35d93933aed2e2ed3173ba15d6201ceda3e78e6031acaacb4fb2eb0c41fe01e

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetFltUninstall.exe

Filesize
96KB

MD5
a398ee2341f5e67ac074c58669b4a422

SHA1
c40e753c781631e2c06d62292946d32b312d2265

SHA256
248cbd6724f4389b5b6ab27b283d3cc40d014657240c67e4bd7c21e0ff455c9c

SHA512
ea5c33c89c2e1fa4b62275279cc5d78fb712dff330ac6f4798dc9e590298a6df16d5aa8627141cc5f866b72c874c01c5cf003b617a291b277a093ed249eab5fa

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetLwfInstall.exe

Filesize
102KB

MD5
a590bb38f5a02772d7b0cdc1efceddc0

SHA1
f69d3931aa9691f5aa4c5b53fd4cb0b439d2ae1a

SHA256
1ce235659ea80fc1262f5ce08ac2e761a3f50a841af299e8894aedfd077f23ea

SHA512
dc5b28b151ff457b7117a0c3375698a931a0276c3ee11dee9b94b51b912ad9ace4ea3b74be0a6ceea60c60058451c1fd8545044a8ec171f7f69795be8d7644a6

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetLwfUninstall.exe

Filesize
96KB

MD5
df68847694d9190adc4f0d8a756b138b

SHA1
78866898b148b7a0a428cd70477ffdde1899900c

SHA256
85c5b93d85e99b447f5b86974727db645cab66fdcb60365f832c060c59105c24

SHA512
fc2c396ab39d01b3e7d8282dd861958439b57cc92ffcb0a0f79fa6173263ef4f995b4c848bf481c0f6226539aca2c138f6ddc8328568fb2c7d85470efe905682

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\SUPInstall.exe

Filesize
17KB

MD5
b093803b81ce1264243649451f5f088d

SHA1
c8373dffa0f7fb9e5bffc051ea600ff63e9e4180

SHA256
af7144e202f0d5c626fc7971fa4ff96cfccecc0a7ba7c3f6c2a9261ec2d152e0

SHA512
2f4ed566df781b30f7a8ecb5b556f1afd52e9497ee363923e0170d35b117aea24203b861e1ce60fd6365ca52493741d79fddb05eb2b2b1a1703c639cc8f48fc1

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\SUPUninstall.exe

Filesize
17KB

MD5
6fb9b37528231b848753836ea6200a55

SHA1
98e0d6d846dde6237bb590a5f36bf4cc19d24deb

SHA256
3127af241f3da9f849307f6003ce5e74b697fd3154b4a14e77d890b8c18a49d5

SHA512
bb412940b1d65d9c1433fe6733f752e4f8c9a46e11ca9e2b34265bb677a61864c99cbbe55d5a3b338ee3dd5b17a78e476a9521435deea5097c292b1da1208adc

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\VBoxEFI32.fd

Filesize
3.0MB

MD5
d596e949ddabc778c4a3ba168d660154

SHA1
bc293ff55bdb2fcdd163b200b21d4bc47d7a371d

SHA256
bc25106654baff6c2c9c4cb6508daf8e2932d4abc1fd1d22880459baff050a22

SHA512
2ba0875b3653f5b83d6c12311d7cdcda96032434c89a4016dcc2d4d09b7f3f2c68103c897bcc1549cec2672a69384b2abb643d88729edfc4ac4f190b81bea462

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\comregister.cmd

Filesize
7KB

MD5
4c0c8a2aee978f63ff9c9bb91eaa98ef

SHA1
784043ee7acbedfa92ede9c6aface266e6ab0606

SHA256
dcddc8c892e73bdb7e3a05d3d7e5ff8cf193ec1e27497a3c0bf5641dc542ccbc

SHA512
cb22df98ec3e32d315e19bb139e08354c30fd64bb7ae11fd86633c042e9128dea0be1af275a9438f90114d1013d6e662327c3add7ef60797aacfd0e22c83bc62

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\libAccelerator.dll

Filesize
168KB

MD5
8041ed0f7b41a89d6aa0fae432ba9316

SHA1
4c30b8a9647cd06a7c3c6d883e1dd9ccbd7f716d

SHA256
5a5f25c1d17557c9cd8740967f2c8de8b23d1caff2011043cf61e4b59cabb9ee

SHA512
3b3295605cd2d043ea6ebb0e0489f2225d85e2915a1f15e1f8b5424fd7140828f3e342a65c42aa5ca243ba3f10e1e27ecb5e16865484e407fcfce9aa8b96485f

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\load.cmd

Filesize
4KB

MD5
cc59f91feffd99c115c0a903cff28168

SHA1
e83df545f5d390d0b7210f7aac0d4ef37e00f0f2

SHA256
25bd2bd5472fb2097f2e79e66ffc3bb6aa3d2f974bf9b43d08045f09928a2efc

SHA512
46369b7866fd4215620806a7c12938865bf7416447ccd3fc15cfc6f3905bc4ac07a162b015586183e3c35ff17b607ba963f6ade3de81f15401e2d6d3418756d8

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\loadall.cmd

Filesize
5KB

MD5
571b20f2505a377eea3b6a2bcb2a31f9

SHA1
6240b4fb57d2844fc7a5bade5096f096617a86b7

SHA256
13f7090c7200549b7853e929931ccff1ba29e3497286d37866c14232f1048c8d

SHA512
930b966ce36d21014bfce9e117af38718ad0a0ea1b49bc1fedc6136ff71b043107cb07d8a879e3588dd64f45c2181fa7db6261363d80f5bb31144fda673d34d2

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\msvcp100.dll

Filesize
576KB

MD5
17b9e42327bf0a3ad9b78c13640df18e

SHA1
acde56a7ac97cf932570ee983199f61c964acb5e

SHA256
13cfb2154c2e2ea5fa593dd8e815bc632f6225cd3fb6392f8ee36f62964c0f85

SHA512
e70493e55d76618509db5c5cb8fd413854d2538dc815180b73b7a5ca193f9e51eff648b4179c4e6ffe110e0a8fcbb7cf49619682b793fbe414bd1fb1518a18a1

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\msvcr100.dll

Filesize
512KB

MD5
cffd49b5a84013b68d85eeb47bda7157

SHA1
91d871b852a2afb4562de802fcf67ac371b2a0b7

SHA256
8ae52b0e98b4f77e9c3cd0f5fe9938a10fe75b50c4db77d0ea89d07010f1ba95

SHA512
43f69798303257bab0ad0a6b79b33857ce5408c337e80b26c28e4c55eae498cffa43d6573401ede9d6047769030cdaf7a2969587d2d98111ff4f55d072f99baf

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\mumuvmmvmmr0.cat

Filesize
12KB

MD5
d554aec99709b5e977ac72b2e4cf31d8

SHA1
d12dc22ad13349970effd971c77f9d5a165ce2eb

SHA256
6f0ce3c8c3f125d56e6f6c19afc88d38c4679475c720afc1224ab29b8cfb451f

SHA512
4a441d764792e23d8749b2eec563a66d2a4fdb6c61e195fd76095aefde1b1806f7b5699080c0539df4081f0d15c53e8dd5eba76171abb9661b85a7004bb47038

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\my_upload_md5.exe

Filesize
735KB

MD5
ece6882c94aaeab536fc8a168d744e04

SHA1
9ac8a75b32c9f846231994ef43b2bc8e7bad44d9

SHA256
ab96dd5cc65c4bb1b827561496af5712722441cfd9fb3418847e274e7c114798

SHA512
b6b1a8bb1e3877e2280e9ef6164626da2b580e1e9471294898a1bf27e231560fd3540ce8821759a0dcc7b6680eca81500152d666492c1ff7fc9cdc8bd33080ae

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\ucrtbase.dll

Filesize
969KB

MD5
aeea6662f0f7819a077b99441c36178c

SHA1
c3a2ec7fd791235b8b1f2371e94f25a1670f7d00

SHA256
cd48756e96740f84a2aacd6c308997a4a36a953cd77f50cb54c27915a5c5c302

SHA512
b4b3c42e716fffe98f1c65bd2b0f522725ab8b43a7739c0a925b850fc0601e77cdc1e2071813229477d129caa73813ef6eb5c4c806d1c48c90332c429365d639

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\vcruntime140.dll

Filesize
83KB

MD5
0c583614eb8ffb4c8c2d9e9880220f1d

SHA1
0b7fca03a971a0d3b0776698b51f62bca5043e4d

SHA256
6cadb4fef773c23b511acc8b715a084815c6e41dd8c694bc70090a97b3b03fb9

SHA512
79bbf50e38e358e492f24fe0923824d02f4b831336dae9572540af1ae7df162457d08de13e720f180309d537667bc1b108bdd782af84356562cca44d3e9e3b64

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\vcruntime140_1.dll

Filesize
43KB

MD5
3b22b2ec303b0721827dd768c87df6ed

SHA1
86f8af095cf7368ccbff2d0fd6d33586145acd2b

SHA256
3b792da47040c3b3e0804cdc5153eef4e802b6975963029d8dc360cb824a7b62

SHA512
79db774980ee132797f7e7dbc0e055b724d8fbf0e4917523b285f918730adfff81022cc6f5e15469b011d55501fd7b085bc070e9ecdfb75c05f4d6622a7f2475

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.63.0\VAddressDevice.dll

Filesize
67KB

MD5
8c7fa231e13b7b380f8d2b456bfbedb8

SHA1
66e153f427c44c90ef1e59e92723e95a99f75e8b

SHA256
310e5d67c32429145f05e82848fec26176fd1c50d01418a784669c32eb0288c5

SHA512
a62156e2f6db5b5efcaaa17d30233c167bf6b062d6410636d99e56fd0361d936ff3fcb8b80726165dda7bac0f7eb3b178dd604614a380addd1ba7be508e2e4dd

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.69.0\VAddressDevice.dll

Filesize
67KB

MD5
5396238bbc8c218e819f6715b20e6031

SHA1
55ab28093742e28424688799729bc46d60a95a4c

SHA256
33236aa3dcaa4714e0e663799a3fac83593c8afb6e164c1c1c2fa3176a95b15f

SHA512
54df0b2dc50a26c1597932e2362c7c3c92afe83c262a8fea7221c15a3f77caa55897d34c675370eb9b7b955cf2398d26c1bfec4d3e0484b0606b57a4cf0f9c1b

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.86.0\VAddressDevice.dll

Filesize
69KB

MD5
e618cb77d4bb5f61a88fdb91303a2c1e

SHA1
df3f87309db42eb084b46ac963e1c7d69eba8a78

SHA256
55fd58e38c0a9e2f60b5c03750d45ecf0b1b7b873b84a531c224e4bcaa4bd064

SHA512
5acd329ead414008cc670303f404ddfa68abb67dc6f4211d932bd74f7ccbf36e138caaef1ea35b783be5eb11d2efe2c33fb0088aff8036c3fa738db9f5c62020

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.92.0\VAddressDevice.dll

Filesize
80KB

MD5
c452f408b06cf88692c03ba5c534bd76

SHA1
8b3c315e115ba8ffbeecc7878a3034cefe65b5a3

SHA256
bc2f9fa16c1899e8d92a5d3a3f7dfbdbb9a1fc124e252259f2d86f207c2b09d4

SHA512
3ba6e6ffe15a3db3c9a5531a6572de75e428f0608a8b8abbea8e1c3e84bd6a278524b818e9b2351d2cf10094d881696e8051272ad0bd741c893efe31b62f6ae2

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.94.0\VAddressDevice.dll

Filesize
80KB

MD5
d1b49099704f416236c17d028c2a601c

SHA1
b7b04f381dab7838e7d42d5716652debe287ade7

SHA256
1baa6c717e0b402a75872210e878749d021e6b354d21cb94e59012d2f19a9b32

SHA512
c98a3b8e4294240f556603bfb79fc06a92a436629c84284b7beed0999296469e4315ddab04ea0e76cca22a40641272dd53a88d5d0f2570aedd11c0dbb589dae6

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vbox-img.exe

Filesize
1.1MB

MD5
aaf488d3fe838977871f2cf77e4123a4

SHA1
220ba567446c15538fbba66251081b5dc26d15f3

SHA256
8d9ee4c72159a46c2d133cc0f3cb354ae557688b828d46dfecda3cdd3e385557

SHA512
66d64252c33441eca345710da2762f35d75c75250b25d5b3e77e54fdff1568d65cce1af1b803a9c17d55b77440df4d411be40e1459b6e68d58fd783249d74c90

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMDDR0.r0

Filesize
189KB

MD5
f4ed8c30dd14afd80baf61af4f8aef5c

SHA1
e3d6f1480131e932c1473c6b1d4bec6ec6c2aaf1

SHA256
c65929b0e12123e079114fc67e6052e03de5934fb65429d637b6242fb021c5b3

SHA512
922862e372048f29d4eb39c0a2e5fc921e6643e454825f476cfb98780b3d02181b91a9b6f5590d5f4206d7de391aeb6e5e3b72a8a9ca321b77bfc10d9040a3e8

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMDrv.inf

Filesize
2KB

MD5
2741226667bdcd9e759f536756f56eda

SHA1
cf437c8a63ce26b0e2a573409c976fa1f7c629c1

SHA256
82606488633ca10859a8a80d00be705a08509b35a9c02aef8b3dc70335bdaa93

SHA512
774699f466a423eb24c1d3b5ed45f49e2eac8f931fc7ca825d14a10a19402e3fd95ebdb5c7c2cfee6a4aa6219ffc157c09a222512fb7b3cef888756c1c12c810

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMDrv.sys

Filesize
364KB

MD5
55879de9dca1782537ae1064b2760007

SHA1
f5ad275c3ed5bd8baa829edfe008b626e49f42b4

SHA256
a9bb3be7ce97d0f4ecb78788ffbff7379ab0f7548715049b59a587ded1e8dfb7

SHA512
d8efac11593638fb2baadc7d173113601d3da3aa30efa0af3d295e8f814642bfe81cee7bbece2426ccccda48ecf1969f9de04fb54b44f185ff2f9f740178eb98

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetAdp6.inf

Filesize
3KB

MD5
127d117df95f3a294b254f65ca929340

SHA1
49f365425911dcfb17ce8f08aa156a66878f0e4b

SHA256
6421fe11bfd94be2a659b4a39483dd71d0c983de9d26caeb22ce92d0d224f39f

SHA512
13e9ee1496af276ae37e8dc236a48109e06b0b044fe05d88415939d3a1db0076a0c95cd7c88e715ac4df01603dd3808a6bf21ccf1ab19895b782b2f91f32f08f

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetAdp6.sys

Filesize
231KB

MD5
565d6d7e77d6fd5be5ef21fa8188a652

SHA1
02bbb60161ac4da75ced5257633b52462baeb908

SHA256
8517e15ed543bc12a940b03ac5da50c63af1173813640bb1569ec62e45073584

SHA512
7f4763249278e8c89559d0b32646ced82107b440a9819cf9ba967a0cc749114f02f45ce393ab89a07bdc89d6febe047304d5d2e85fa8ebf48cacde814e3dd2f1

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetLwf.inf

Filesize
3KB

MD5
d284b3ebd57e803451aee5aa7d07d496

SHA1
4cf6e3f2984fadbd2fe71c6a0d403b2e5c2cc759

SHA256
f2eb223b9f3eb6383bbbfea0b195f3672e8492041d8bfe89505f2f3cc7d462bc

SHA512
c11de75732b67fa2bbb695e60c0c7f75a52cabad86c58d72a05b4f6fca56bb886bf9451f6ef5abcb91c3e65f195176c45eff15846ccc60e7f782fe725685b5ee

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetLwf.sys

Filesize
241KB

MD5
a8071a473dcf9147820fa684fe725ac9

SHA1
33bffd62c5555692d3d314ba211b40414f5f580a

SHA256
f377895a45410c5585c27ffb7a44b68b1002985f0c03f562b4b21ff6399f8eca

SHA512
436af1b9bef2cadfd1ece3215cae1662217f4f2e5a299f4773db6748c6e26a78c3957a2e314c4faa22b930b08b811210b25e176f3a985ec0d9322d66077d4250

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMVMMR0.inf

Filesize
1KB

MD5
3a31f44dff80797d944dc1c76abc306c

SHA1
02a336a7614ec019a65a90c971c648c34c814e66

SHA256
f39e3b98a17d4d946879284466a27ec946a07bf869f59ffecbb38451d81337d1

SHA512
1e3382d8bb6f99d96ac9272d9aaac5012fcb31e83a072d22cb4b8965c8c636ccefd31f61e51ac6b8fa79b7fd70038fc259dd45d22b9bbb267f8f17c9b66472cc

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMVMMR0.r0

Filesize
576KB

MD5
16f7dfbd97493324de8af1d859719031

SHA1
e9d042527acc18385d5376b619cc489ccf30628c

SHA256
1c554267ad4f604a812be436a1e2a9888a54192e84af25fab85d6863af0f8acd

SHA512
22754c252f055d95870ed4b7018ee5aafa92db2ac36dedfd9ac16de998d938d85254aab826fd9dc8609912d23b02bcea3492b2c0e4dcd946ddca1fee502978bf

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmdrv.cat

Filesize
10KB

MD5
838ca6cdba04a33267a12f9af842154c

SHA1
a85f476eec0f129676a5552e8984fe9ace437118

SHA256
f10c1616e67f2f9d4ccc15e59ee3df8e6413129f6905db6aa84d9ffe7e7fe662

SHA512
3c522db4d5e835d8fd342ce65f0ec876b3e20dff1c9fd7044b04cf1a0f7fa9c7b8766bbbc8ca71a25c64a7e3ffdbc8a04c7b110494ec440806961439b5b9ae34

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmnetadp6.cat

Filesize
10KB

MD5
cab436e5abe7f446f8848dea729679e1

SHA1
6c6175df099341fdd9a67cce631e2fe55fb1dc2c

SHA256
ff9525380df941cb1bd07fd72f27882db4b96699d9b785e4c3078b3cbd6ae618

SHA512
15b3c72e20e3c1dd1f184e6bd6b8541efc798e7d57878bcab44bcd46f8d30593faf83596d5d1e0862558cfd316d5f1967be912056efd0582521548e9c963a9bb

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmnetlwf.cat

Filesize
10KB

MD5
6744dc4f16200c37a96cc3a0e5556285

SHA1
e338196e4af4d5a19b42a2a03cb98447625673d2

SHA256
5aa222dfd3ab9f7316c1c39441946973ab801c00763375a90cf7532b592c4086

SHA512
ba89277be0f910184f0a72a1b0f1d7aae2e540775e86d48f42ab9074e58b7ff6c3b2cf4c717d3d1923f7ff10886a76bf926ebd6189872c6c3fca799fb74b0213

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmvmmr0.cat

Filesize
11KB

MD5
2e23d6718ce96dbfc1be7382fead6ced

SHA1
09b89d917222114b82ac1c3476ee31e01c33842d

SHA256
0885d7ea48192a21d5f37597315c961f6f6a569a4c79080c3229e3c443239efa

SHA512
54f8737e7d3139b654860ae0aed9ec28d5c2049b1e76bff244f8524196c4516023a7cf69b03e4151106eba7145f7c8ad5ae5c2cd62d96cf959e97071aa1b85d9

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\aria2.exe

Filesize
1.2MB

MD5
abbf6d58716db263186781822416d56f

SHA1
364d2ae0eeb191fe7ddac6481b687832de3e42ce

SHA256
a95c5cac7770e0549172014f9959f7a181fbe2d57166febeab007e106b754d22

SHA512
4876968bd5ed7adbeccbd574b1f3317e86202b0e971c5f029be4c5280cf45db93aaacd8e7c6626f61cb49dda2a040016b4528920acb91d27c62347b2bbd6b625

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\RadioDelegateSpecifics.qml

Filesize
2KB

MD5
5435f060331a523b9e5db9c9957756aa

SHA1
e0f07b59a0ac83b7cea1716cdae4a59aeafa396b

SHA256
91d7772e4a193e91a093d59451508cdb89448eaffb4febda26789777afbacf3d

SHA512
536e731672c1348222490d39099712c7bbcbf8d0c6be5d0f3517c10feb1b47d7942c18703e18c28f36774546a41f18d61fa8096e022a82947d43b11a2641d187

Download Submit
C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\SwitchSpecifics.qml

Filesize
2KB

MD5
e6dd3db4f8a582e30f07b77e801428f0

SHA1
d207e34278440fc9b47c6480a47fef13870ffff6

SHA256
a3fff66cd7217029792e7fce403cc658b0ea03b2d3a2860f57479c8ea6bc1372

SHA512
f58e27d7f36e05cb1d6277629ee2e3cc239b2ba73a75d1399a048191e4443dbb1360922b2cc0d36c3a19b04fcdb64f5dbbd0a838736dca658b9caf856031c5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
041ac11d4e41c2d4098d2cde4f0bcd61

SHA1
91e103ace7258aa3f7c4d682be9e464a903d7a4a

SHA256
eb653e30b46f463588263930dac70d226bcfec1c96bad7639b3e2f32fcb32c62

SHA512
f29add062a233f87d4ce1bace9857372ab7b8c6cfbf6bc31d123e60c6b2b6e3dd30a4332a7322770f650e4fc4ad4193cfffa805ce13fbf15c1006b896a00c0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02a79f52e2d8ded528b3682cf933301d

SHA1
e0d52a296644bec86b5880e10cded3c2aa56f0b2

SHA256
d9cb5b83b8c23dc6a60abd5d50dd7c24511a3e14dbd18766ce560d388c8074d7

SHA512
e5e716ce89116a9df5026496e676197c2dde8e16c54cba17acbf0eed7f39b47eda89a77329aecde957cd8968fac2da1840267efe1775d9694220f9defaeefde1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6ef00dcb30075382afa2ebaf8504df7

SHA1
d13ac0418224df7ec5bc8a3389e2f41660766948

SHA256
770cdfdddac0158a14b9e746dede4b7b8736740ce4c472a68f5656f8f2d76712

SHA512
7bd52dccd1b979a650e3acb8d6ae52f311e4f86c926e903d9e8d2fe5e3fd587f235ceacc270ab6f244e267cbbc4a851fbe1a37813645710a09002ebda37f0b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ac750d1c3b1ac2e79969ed292514f60

SHA1
d61ceb103df54cb4cef03b43784f646fbfb0954e

SHA256
52094e621abf886dc737640be3923cc76cada0eb825469aff66c8e20b3699202

SHA512
65803a6756e63d93ec3948716d4138809e46c53a30c5ac3117728d093216e08cccd7820ee342d6a170878e0ca7878eca430d45dce123356d6a319434b1a94e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c3eae37ce84e485ce8312f518a7fe095

SHA1
6df1d647cf585b6784b354fd55478cab08fd566b

SHA256
f6a1fc4bfbf2fac34c6605446caeb45216e0880a87f8442afbb99c687b1ac248

SHA512
0f833504e162e6d60698a5654dc368c68b91ecf266ecdcfa1ff687101f413b5e09d2cfb7924fa158ae90c3861555aa8ebe7dd3d49cbdc26248c5234e2583ef8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\ColaBoxChecker.exe

Filesize
3.7MB

MD5
eed7663df8f794e1c20ece639e17a01c

SHA1
8fa42392fbc64559387e0d8670c26cff7c915052

SHA256
0ef4052dd42000860e577f0107b411bd85431428764173bc8888a9fafe9cc915

SHA512
4552a254b2752dfe7d1f32671a90eb512233b6cc75e33b89cea5522634b2e7d49cf9d47ad42bdcc9862ef57e59601721ffc8c7951e29ec67d1d798cf57d25338

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\ColaBoxChecker.exe

Filesize
250KB

MD5
06437cadcf445f4da9ad45e5d64456cc

SHA1
5c21c5c440f71c99d9f48e673c59be019da54bbd

SHA256
162c850d54e2ff30a579a5315f0ce6a7a3614ab89732cf59601279bdf54e65d2

SHA512
9f96fbaafa94f5acdc31d566ecacd40fc10b91c46400c68485e1c721f83558c33d21078b9499eb95cb7c724c2757554d07b13750390da78386214740b8c1d3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\HyperVChecker.exe

Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\MuMuDownloader.exe

Filesize
5.7MB

MD5
2f3d77b4f587f956e9987598b0a218eb

SHA1
c067432f3282438b367a10f6b0bc0466319e34e9

SHA256
2f980c56d81f42ba47dc871a04406976dc490ded522131ce9a2e35c40ca8616e

SHA512
a63afc6d708e3b974f147a2d27d90689d8743acd53d60ad0f81a3ab54dfa851d73bcb869d1e476035abc5e234479812730285c0826a2c3da62f39715e315f221

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\baseboard

Filesize
115B

MD5
9eba2e220085492e2a81f503b86e24b1

SHA1
d968960fc74e9a4fb3473eccc63d4bca5f920e5d

SHA256
b56985129088e254e4a29565953ccf585730570636690dc748fa428af4c1e2d3

SHA512
fb48d4e2155c4ee0922ed04b3bdf19ba1daca2e6831ff67cb3f24d6501820cb1fe8f3c48cb126c27486a6f269b5de593b43ef3e8d95fb623c4a45f04efebe9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\config.ini

Filesize
342B

MD5
048404eeb7f19ff7aea3e0e282b2668f

SHA1
4ee3a5f86c9cc6a0f2fd597e41264249d49d7e30

SHA256
536276708fd9e141dc5036a7feb791a2467c667bb16d7ce90bf2917a68a772a2

SHA512
6fe975bfc6994edb1fddab0fa635a6d34d5624836fa7f77f6029c13ff633ee0af49fe513f1bb24d7c3cc90e83fcba837d82c8e593ca6e68e8101d4f44cf43b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\nemu-downloader.exe

Filesize
1.9MB

MD5
600f4f320a377f68d63cac5a5fdc0a45

SHA1
77cb33e7904d8d994a6f4c159ba8a2da1c94c9c2

SHA256
715e4e87fc023bd5d7e32d1e57c1180f9953e3b6cd465d1a578aab9034965b08

SHA512
030e5bed5fb1fdbc7505a0795906496a2583df2faa5b2a3e3698336fc8ce0011a8a7a018cd5908d53a9ad76e58bfc39868e45bd836c2295a229528a8369cc116

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z71724AAC\skin.zip

Filesize
509KB

MD5
d59a09fb475ed8cd967e1a5366d7884d

SHA1
8636b3f7d18482ce940607af9d0e51232d8491d4

SHA256
45a97dba97f3613ec8f357d9a36fe336c2795ead0f32081856b9b2dad4620ce1

SHA512
39a667a970f66ba6c28351a038c23bb4f4427e1b584a2cabf962711c64ad7540f09a00b2771c01c965d59f69b5b707e9659349aaf68b6f675695e9e83cf40e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Filesize
20.1MB

MD5
1f93ec1ccad2ed9089dc7d73379576b8

SHA1
ef4b9c10849042d0e8027eec6e02605873157996

SHA256
4f784190ae647a52cc9bd8ce83bc8422d7a06eee998c3a0912d7a0a30cc8f1d1

SHA512
0f683ca8637e3a949f553769f0d237c3a96460268cfdbd6b4115071097aa332b4d105fae835af61047c660a81623f037f7b52814d7a4f39a6ab060404c4f2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Filesize
77.5MB

MD5
d5338f57a30bec9115884c8646ea1cad

SHA1
0dcfccc2a41528e0323d0cb8158e5f122509bd73

SHA256
628742d39aff8c8819571f7f5ac259f2d8a409204287f18a9f8cd2c66ea97e4b

SHA512
e6377a0a461ce91a11058bc6edb428d13e08197093a7e0e46580fbbb2573abed16d2f2224fea7c303f9e342e4cd6e5ae710210501e111de442f87c52d968126e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux-downloader-f1c4385d-abdc-4aa2-9821-7d6b043f96f3.log

Filesize
1.3MB

MD5
d9ee736e53ddb848943d823448d58e11

SHA1
480db01a2d7f3144bd73b4debc47e38f32f9cc71

SHA256
72b955d5b0bd3789f9064519c218e8bce6d9ef928c11a7c18a6b8a7e9ed36ff7

SHA512
0c65fb358f07d0453883131fded9f94b5235b15d525904e5e06aa222fa84ee2c13a8c09373a08cb907e57cdb0d43a51f4dd23f7a21b6f0a36e5a7d866e4cca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux\MuMuPlayerGlobal-12.0\nemux-HypervisorDriverUninstall.log

Filesize
50B

MD5
abdafce361b743ce2b265c8fa2b9c1ae

SHA1
dad27f32a35288ec4dd75115e2b73932968c0241

SHA256
54aa3c35d1230b46f7b3db82936b288312f7b1ce654a77252d170c5f38aa9124

SHA512
fcb6f7c029dd38cee4d83af4af4a0942c94af053c2e69f32566ab214febb413509876c79cf0450d7a0f81b167994aa15f2d861c3d55ebcafdabef2fb9315a939

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux\MuMuPlayerGlobal-12.0\nemux-scQueryMuMuVMMDrvBeforeScStart.log

Filesize
270B

MD5
0649d4c069fb3136de50d9ebe44b7cac

SHA1
a58bf5d93120eb91eab5ad7af282c99c0e36c4ba

SHA256
aba93de5e732f49ecdd398b49f44752478a6ba279222bfce8b622a37124fbcf5

SHA512
829daae9029c6741c06374f2b7f642e88d3f5707d7eb9ef45692a16d1a05f8d6f66305ddf51a222a8748157317f76c5115cbf1bcce0cbbb4b0c4e56a50813854

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux\MuMuPlayerGlobal-12.0\nemux-scQueryMuMuVMMDrvBeginUninstall.log

Filesize
122B

MD5
6bbcfd360c0797e6650f0d3cb1c36109

SHA1
e22b5f6a4654134d687a3908464e67faa23d84ff

SHA256
df023ca139e8dcb21f0d4a603b34af95f980c1e388c97e4735dd698d0329113c

SHA512
0281c1cc1b104c73f130068a905e37b75f3c3a40884d3e2cc421aeaf6a3c6b938393894fe750fa7de44b9d0a25f9b3c11bb386fd133b3d710a549632ed9ea604

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3366.tmp\AccessControl.dll

Filesize
23KB

MD5
bb0f26c7a18434ee1d648c7e6743d1fe

SHA1
f7503b348aa7c7691668fbb64ccd541e247f87e5

SHA256
1b4d25f2f544f520c20493ee1e9ac7b3043aab88e4ff87953390d357de4c2096

SHA512
4311e960a4f8f441b25c5ec9a82d64112016ff9c4510dfb082a0c1bcce2d03cb2871912dcaafc5d00f07ed9ac4d6d7998cdcea2bfc84f7180b2f62a2cf24e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3366.tmp\ExecDos.dll

Filesize
14KB

MD5
e2716246ee731417abee9ea26cec1d56

SHA1
6687e5d8b0b705fcdd9a4020215891d5b7723084

SHA256
691ffd34264d1813827c35083367a08aec974e9f79fb585b7d2d367c83760fbd

SHA512
355bb040570a1ba64a03463a9e6695015c2ffda5f30b7ce801c39ab1a7ba36134bb8fa9b5a1ffd102f6d71091b77133f8d68d305d5c1949ccad2e8eab0258505

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3366.tmp\LogEx.dll

Filesize
52KB

MD5
6eba32325d2db645c958c551f0aa2e31

SHA1
b116cc9ff0369af681ebf805a1a3befedd9ab868

SHA256
cf7b45a69a13551db95dcdefc8bfdd4128e1c1db67198347b43469b69c36b844

SHA512
6c48038341bb16ce50b01c99f8ebfc919adfce61008d9718c06d55e92e54625ed2ab6ac850592e847bca61d7d57809dd531afeea4f0fb0c8310cfe1710f37927

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3366.tmp\System.dll

Filesize
12KB

MD5
283555de06751c261b66243bbb1558da

SHA1
4532ed4e255ad0163494a02081b45e893ad666f9

SHA256
b6298637fea88a44e4de3f6b7fe254fb73857c08f1dcd8bd1af6f9eb5e6e7e3c

SHA512
469dbb4b7cc0d4f59d903415fbb7ea6417323f0daa2aeb2945a9744668f3d9fa95eb34a9d64a647835b563c74c3484c6d4b823a75119599aa5f975dbe471d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3366.tmp\UAC.dll

Filesize
22KB

MD5
b7e1d609915cf0b3f9dfee488a92fc91

SHA1
d9c873b39e3cac648742568378fe788b2cae6e84

SHA256
fa3bb333f615689691ff98527dc3341e3b8ffee4bf97c6128820bf0d303930e7

SHA512
ae4a00659f522996600bd0754b2f2706e297939ea616ada66e590409c6c2f28ed7ed39b67a078ae72e9b472a97291c7f3da42339051ef1a3d1941b0368b2e775

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3366.tmp\UserInfo.dll

Filesize
3KB

MD5
cb310d97bd72a6ae8fc6e44c88ef9e8c

SHA1
ed935c8f17340fecb7021dddd9dc7de0e23bf487

SHA256
d6fae2e57c84b25b73fe942fb7ba725158b21ec81c9d989845b64ba1ee337c27

SHA512
8351004d0bf86c5577940613cee26803d797b2375038726ce31827d66038664aaf74399d7d5e11c6487012942fb4f147b7021d6e887ac09c39f541991f594f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz3366.tmp\nsProcess.dll

Filesize
12KB

MD5
b6cd62358973125f52d756d6d3aee8b2

SHA1
7c9fcfa85a88c507517a659f778355b56cef921f

SHA256
44c14f1edfe7deef518264675e3e4edb6991d5ea0d50f0f6b18a819dc31bbcba

SHA512
a5b756e3e1a31ad7ad9026bc492de2ef8983385e7c920a2e3eea363df3c6d112cea2a0373cd9bd8be1fb3536ee9623c6844b3c7a92d8cf6ee050aeec7cee76bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5b031577040e1dc139a9664011884719

SHA1
e0eb1328b319f2c7c1d4dc7909180fcb447a85ec

SHA256
5b69de3d71fea43610e3b107985eae1775d19a11f1a70e7b3a4e0768e619cfaf

SHA512
06736ac9d6e5a9643969e18671dbc3d8e9d7ccfea1a41d8eb399d99d95ecdc2a85baea0b0a994fe23420db656693b37f2932a49aa8ca9df3e3203ec8a0c269e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\77faca4d-d146-4673-b4ba-43fcee703b61

Filesize
11KB

MD5
fcd6b1bc346c51d67c55c8066e1bb9b6

SHA1
355583d0ff8bb190462174fef1478c33064c1f57

SHA256
f7eecfd5a2b7e760b9498097171d53beb2fa6d86917ad9de4e7cac708875339c

SHA512
15cebd87133487beeb1f9aa1e06f181d808d6d34f9cf7cfaf502c9babf8076cd8f38f9653bc570f75a1bdbc9c6872118e340ab338e25e4c82b752b757ebad1d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\95f84a15-0e62-4319-9a6a-94bca5a581ef

Filesize
746B

MD5
b528b38fd31ee8145e9cb7d447fdb040

SHA1
c4a0de80dcd85c14ff3fd5baed95039bc884c407

SHA256
938541f6db146938e3b4e061c5b67acf101d25f99cc05267f0950d0425fb0893

SHA512
f83c1e3459ca9b712421b5c460736d83ebe890d59d030c948acc926a1695ce02c2b51ad45d33a0518d1689ff1ccf37a8a1a51744bce243c1c41cc559e1523a85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
0c5688b304453a28d8704ea102c70cf7

SHA1
c7f6a03c54486817bbf6348a74e1459c6dde303a

SHA256
eb411b7df805ef113d156a724993b44b488f2924d93613cb65c4942fe595eda9

SHA512
c3b725e33875b1d2311564de7c8221a674982733552a809e7e4f97e441ad0064a8bac2dacf6fcb4ffa504541976965d5ebf549fc09b0f4f8c6460ccdfe99e38e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

Filesize
6KB

MD5
b441ed310a38487b7505d4264ff8a28f

SHA1
5cc6625cc2c6b62c1d7137881c56686c1b288ff9

SHA256
a512c02ccd1f59495f662b8766f285f57402ec722e54e03a71fc667f8b65840b

SHA512
f69c88de93c099b5be2c67a6db2c012b08420c7a2bd3e477e99c084e0a04e14214bc9d500f8db9c684b35a2cfed0ec38c21d3c8f191e9fc49f550acf6231f097

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
d9696ed14b95f437f4afd1c80bbc6cba

SHA1
5b5a851508990a51189bb7ed1f80585d77dcc59b

SHA256
dc4b0e2c1cd98ab2ed9c9af3daf7db666f7b411dda18a94a236a812523f44245

SHA512
bbbd92a894d2f0258d157e21915cc826e80ca5801a13d62736cc121226d03d4cf8e7d07e2709a39227cf9d72ca5d36c031285f9a31283622ded1cdaeebac6433

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore.jsonlz4

Filesize
911B

MD5
f9cedfd7c2bc111095b9f7f5faf1174e

SHA1
c9ced7e0e737160e57bbb8f30dec53017ffc2cb8

SHA256
202fb39a4b6881ffb83ea79c5af93e999d52ea6ac29b8ccfe4571a2a8e5ff760

SHA512
9bb963aabfdf03c9b691929f961d70389b514b7306aeca32a507d49ae0e15070e465b66f9267ee878752db710c6477e706e02c72e3e1fd0a669d5d9598b4bcb5

Download Submit
memory/3960-86-0x00000000001F0000-0x00000000007A5000-memory.dmp

Filesize
5.7MB

Download
memory/3960-79-0x00000000001F0000-0x00000000007A5000-memory.dmp

Filesize
5.7MB

Download
memory/5572-1662-0x00000233C1840000-0x00000233C1850000-memory.dmp

Filesize
64KB

Download
memory/5572-1678-0x00000233C1940000-0x00000233C1950000-memory.dmp

Filesize
64KB

Download
memory/5572-1694-0x00000233C9C70000-0x00000233C9C71000-memory.dmp

Filesize
4KB

Download
memory/5572-1698-0x00000233C9DB0000-0x00000233C9DB1000-memory.dmp

Filesize
4KB

Download
memory/5572-1696-0x00000233C9CA0000-0x00000233C9CA1000-memory.dmp

Filesize
4KB

Download
memory/5572-1697-0x00000233C9CA0000-0x00000233C9CA1000-memory.dmp

Filesize
4KB

Download