baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
Size

5.3MB
MD5

86e0f88dcc69e631df6cfd28bb5babb1
SHA1

e7b3552cf10983c97bf3381fe66053f8f5a1ea9c
SHA256

baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
SHA512

c2e0b76ea267cbe01019cd826c90ffcf84e88da1f16c83ae36cebe543cf75316b5a375a3f053165d4e8fe0b6d65a70558cb08693473d5710dc9de4a44fef7843
SSDEEP

98304:cevOCyjertpQj68ndGaX6tJJQv2FKA75OpVclc02vDRZTEW:pvOCyj2tpYo3u0jc02vVZoW

Score

6^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	nemu-downloader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	nemu-downloader.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\lang-en-json.3a107e70.js	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\webpdemux.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\lang-fr-json.aa3c6f9f.js	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\Switch.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\qmltooling\qmldbg_messages.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\RadioButton.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\PageIndicator.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\theme\theme.ini	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-file-l2-1-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\libzippp.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\TabButton.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\ToolBar.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\ToolTip.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetLwfUninstall.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\SUPInstall.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\switch-icon.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\wavefrontmesh\plugins.qmltypes	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Action.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Drawer.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\page-icon.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\SwipeView.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\Menu.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\VBoxEFI64.fd	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\Tumbler.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\ScrollIndicator.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\static\images\empty.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetAdp6.inf	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\ButtonGroup.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Frame.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\[email protected]	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.inf	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\CheckBoxSpecifics.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\PageIndicatorSpecifics.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\frame-icon16.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\static\js\qwebchannel.js	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-core-memory-l1-1-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-crt-multibyte-l1-1-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\ApplicationWindow.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\MenuSeparator.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\ScrollViewSpecifics.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\icuin71.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\button-icon.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\VerticalHeaderView.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\ScrollBar.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\pane-icon.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\lang-ja-json.533fbf23.js	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\zstd.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\ScrollBar.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\StackView.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\ToolButton.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\slider-icon16.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\TextField.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\ButtonSection.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\progressbar-icon16.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\rangeslider-icon16.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\MuMuManager.exe	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\settings\qmldir	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\MenuBarItem.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\stackview-icon.png	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-crt-environment-l1-1-0.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\Dial.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\SpinBox.qml	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\bz2.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\iconengines\qsvgicon.dll	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Executes dropped EXE 7 IoCs

pid	Process
852	nemu-downloader.exe
4580	ColaBoxChecker.exe
4764	HyperVChecker.exe
2344	HyperVChecker.exe
1796	HyperVChecker.exe
4492	MuMuDownloader.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7604	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both"	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
852	nemu-downloader.exe
852	nemu-downloader.exe
852	nemu-downloader.exe
852	nemu-downloader.exe
852	nemu-downloader.exe
852	nemu-downloader.exe
852	nemu-downloader.exe
852	nemu-downloader.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeRestorePrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
Token: SeTakeOwnershipPrivilege	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 852	1916	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	93
PID 1916 wrote to memory of 852	1916	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	93
PID 1916 wrote to memory of 852	1916	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	93
PID 852 wrote to memory of 4580	852	nemu-downloader.exe	96
PID 852 wrote to memory of 4580	852	nemu-downloader.exe	96
PID 852 wrote to memory of 4580	852	nemu-downloader.exe	96
PID 852 wrote to memory of 4764	852	nemu-downloader.exe	101
PID 852 wrote to memory of 4764	852	nemu-downloader.exe	101
PID 852 wrote to memory of 2344	852	nemu-downloader.exe	103
PID 852 wrote to memory of 2344	852	nemu-downloader.exe	103
PID 852 wrote to memory of 1796	852	nemu-downloader.exe	106
PID 852 wrote to memory of 1796	852	nemu-downloader.exe	106
PID 852 wrote to memory of 4492	852	nemu-downloader.exe	112
PID 852 wrote to memory of 4492	852	nemu-downloader.exe	112
PID 852 wrote to memory of 4492	852	nemu-downloader.exe	112
PID 852 wrote to memory of 4088	852	nemu-downloader.exe	116
PID 852 wrote to memory of 4088	852	nemu-downloader.exe	116
PID 852 wrote to memory of 4088	852	nemu-downloader.exe	116
PID 4088 wrote to memory of 7604	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	117
PID 4088 wrote to memory of 7604	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	117
PID 4088 wrote to memory of 7604	4088	MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe	117

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\7z7540677C\nemu-downloader.exe
  C:\Users\Admin\AppData\Local\Temp\7z7540677C\nemu-downloader.exe
  2⤵
  - Enumerates connected drives
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\7z7540677C\ColaBoxChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7540677C\ColaBoxChecker.exe" checker /baseboard
    3⤵
    - Executes dropped EXE
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\7z7540677C\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7540677C\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\7z7540677C\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7540677C\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\7z7540677C\HyperVChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7540677C\HyperVChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\7z7540677C\MuMuDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\7z7540677C\MuMuDownloader.exe" --log="C:\Users\Admin\AppData\Local\Temp\nemu-downloader-aria.log" --log-level=notice --check-certificate=false --enable-rpc=true --rpc-listen-port=49894 --continue --max-concurrent-downloads=10 --max-connection-per-server=5 --async-dns=false --file-allocation=prealloc --enable-mmap=true --connect-timeout=5 --rpc-max-request-size=1024M --stop-with-process=852
    3⤵
    - Executes dropped EXE
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
    "C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe" /S /auto_start=false /fchannel=yx-gl-codex /D=C:\Program Files\Netease\MuMuPlayerGlobal-12.0
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc.exe" query MuMuVMMDrv
      4⤵
      Launches sc.exe
      PID:7604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\comregister.cmd

Filesize
7KB

MD5
4c0c8a2aee978f63ff9c9bb91eaa98ef

SHA1
784043ee7acbedfa92ede9c6aface266e6ab0606

SHA256
dcddc8c892e73bdb7e3a05d3d7e5ff8cf193ec1e27497a3c0bf5641dc542ccbc

SHA512
cb22df98ec3e32d315e19bb139e08354c30fd64bb7ae11fd86633c042e9128dea0be1af275a9438f90114d1013d6e662327c3add7ef60797aacfd0e22c83bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7540677C\ColaBoxChecker.exe

Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7540677C\HyperVChecker.exe

Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7540677C\MuMuDownloader.exe

Filesize
5.7MB

MD5
2f3d77b4f587f956e9987598b0a218eb

SHA1
c067432f3282438b367a10f6b0bc0466319e34e9

SHA256
2f980c56d81f42ba47dc871a04406976dc490ded522131ce9a2e35c40ca8616e

SHA512
a63afc6d708e3b974f147a2d27d90689d8743acd53d60ad0f81a3ab54dfa851d73bcb869d1e476035abc5e234479812730285c0826a2c3da62f39715e315f221

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7540677C\baseboard

Filesize
115B

MD5
28198f1a7d5fb30729b2d1a32f855abf

SHA1
6a888c0c4040977d1eda03c63ac4fffa11c533b4

SHA256
69ec5e317149044e3ec5852146317984d134d785f0ecfd05a52f09a7f5bd16bc

SHA512
ae66d403ef5ed68924946d229bfed3988ba9b79d5739d58bc9d8d9d9fc9a371df98171e8b6aeea13fbef27f5dcc9bc5523fe216478db3c553b3825f9c79bc6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7540677C\config.ini

Filesize
342B

MD5
048404eeb7f19ff7aea3e0e282b2668f

SHA1
4ee3a5f86c9cc6a0f2fd597e41264249d49d7e30

SHA256
536276708fd9e141dc5036a7feb791a2467c667bb16d7ce90bf2917a68a772a2

SHA512
6fe975bfc6994edb1fddab0fa635a6d34d5624836fa7f77f6029c13ff633ee0af49fe513f1bb24d7c3cc90e83fcba837d82c8e593ca6e68e8101d4f44cf43b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7540677C\nemu-downloader.exe

Filesize
3.2MB

MD5
b311535e3673c225b4095f77ca7ea4f5

SHA1
4206e1cbe58428fdbc9b319b8919373646807583

SHA256
7662f1e4e1b4a52cce2fb8c57ffdd4ec8654f3bd1a830814845e75fdcd3f1735

SHA512
57d9d6e592a6cdc3a8ffd514ad21729de15fcdd8b4fd321ce013c9541e08ad6cf3a11bf1479464b5b0fff771552c19ccad2720239779fcd25290c436a287b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7540677C\skin.zip

Filesize
509KB

MD5
d59a09fb475ed8cd967e1a5366d7884d

SHA1
8636b3f7d18482ce940607af9d0e51232d8491d4

SHA256
45a97dba97f3613ec8f357d9a36fe336c2795ead0f32081856b9b2dad4620ce1

SHA512
39a667a970f66ba6c28351a038c23bb4f4427e1b584a2cabf962711c64ad7540f09a00b2771c01c965d59f69b5b707e9659349aaf68b6f675695e9e83cf40e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Filesize
423.8MB

MD5
5ca722a811b8dfcb6dedbaf216d1bf11

SHA1
59c83b6757d0035028c8df47552fda3c9bdf78f1

SHA256
652ac4a7a8fc71d502676a6dc5be3ad5cc89b390616d9e94ec2d4acbdfd3392b

SHA512
39a9ac6dc79429b36b61479fc1d2187f82b87d2826e1a748f39735d5a7dbadeee84f32b15950c3d359fc66c56227f3121e78b033d4aeb03b71a1740184c7a928

Download Submit
C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

Filesize
295.3MB

MD5
b45b421d913f6e48a6dcb84af1e307e0

SHA1
319cdb5f5a078d195307cca1aa25d21e284af9cf

SHA256
ad2321612a7c819dc88ac761eee0e86e11427781b5bcdd557a1965432a650eaa

SHA512
5db0cd081037cb539a66a98ec5df9639dfea43b8560ba56ea2149b80398e2ee29edc1dd0b40d269e6be487536098e5c38d4e1b5ff766e8ba727d833e5a9130ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6096.tmp\AccessControl.dll

Filesize
23KB

MD5
bb0f26c7a18434ee1d648c7e6743d1fe

SHA1
f7503b348aa7c7691668fbb64ccd541e247f87e5

SHA256
1b4d25f2f544f520c20493ee1e9ac7b3043aab88e4ff87953390d357de4c2096

SHA512
4311e960a4f8f441b25c5ec9a82d64112016ff9c4510dfb082a0c1bcce2d03cb2871912dcaafc5d00f07ed9ac4d6d7998cdcea2bfc84f7180b2f62a2cf24e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6096.tmp\LogEx.dll

Filesize
52KB

MD5
6eba32325d2db645c958c551f0aa2e31

SHA1
b116cc9ff0369af681ebf805a1a3befedd9ab868

SHA256
cf7b45a69a13551db95dcdefc8bfdd4128e1c1db67198347b43469b69c36b844

SHA512
6c48038341bb16ce50b01c99f8ebfc919adfce61008d9718c06d55e92e54625ed2ab6ac850592e847bca61d7d57809dd531afeea4f0fb0c8310cfe1710f37927

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6096.tmp\System.dll

Filesize
12KB

MD5
283555de06751c261b66243bbb1558da

SHA1
4532ed4e255ad0163494a02081b45e893ad666f9

SHA256
b6298637fea88a44e4de3f6b7fe254fb73857c08f1dcd8bd1af6f9eb5e6e7e3c

SHA512
469dbb4b7cc0d4f59d903415fbb7ea6417323f0daa2aeb2945a9744668f3d9fa95eb34a9d64a647835b563c74c3484c6d4b823a75119599aa5f975dbe471d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6096.tmp\UAC.dll

Filesize
22KB

MD5
b7e1d609915cf0b3f9dfee488a92fc91

SHA1
d9c873b39e3cac648742568378fe788b2cae6e84

SHA256
fa3bb333f615689691ff98527dc3341e3b8ffee4bf97c6128820bf0d303930e7

SHA512
ae4a00659f522996600bd0754b2f2706e297939ea616ada66e590409c6c2f28ed7ed39b67a078ae72e9b472a97291c7f3da42339051ef1a3d1941b0368b2e775

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6096.tmp\UserInfo.dll

Filesize
3KB

MD5
cb310d97bd72a6ae8fc6e44c88ef9e8c

SHA1
ed935c8f17340fecb7021dddd9dc7de0e23bf487

SHA256
d6fae2e57c84b25b73fe942fb7ba725158b21ec81c9d989845b64ba1ee337c27

SHA512
8351004d0bf86c5577940613cee26803d797b2375038726ce31827d66038664aaf74399d7d5e11c6487012942fb4f147b7021d6e887ac09c39f541991f594f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6096.tmp\nsProcess.dll

Filesize
12KB

MD5
b6cd62358973125f52d756d6d3aee8b2

SHA1
7c9fcfa85a88c507517a659f778355b56cef921f

SHA256
44c14f1edfe7deef518264675e3e4edb6991d5ea0d50f0f6b18a819dc31bbcba

SHA512
a5b756e3e1a31ad7ad9026bc492de2ef8983385e7c920a2e3eea363df3c6d112cea2a0373cd9bd8be1fb3536ee9623c6844b3c7a92d8cf6ee050aeec7cee76bb

Download Submit
memory/4492-82-0x00000000004C0000-0x0000000000A75000-memory.dmp

Filesize
5.7MB

Download
memory/4492-80-0x00000000004C0000-0x0000000000A75000-memory.dmp

Filesize
5.7MB

Download
memory/4492-76-0x00000000004C0000-0x0000000000A75000-memory.dmp

Filesize
5.7MB

Download