Malware Analysis Report

2025-03-14 22:32

Sample ID 240407-xk8bdsbh66
Target MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
SHA256 baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
Tags persistence
Score 8/10

Analysis Overview

Score 8/10

SHA256 baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc

Threat Level: Likely malicious

The file MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Creates new service(s)

Downloads MZ/PE file

Enumerates connected drives

Checks computer location settings

Registers COM server for autorun

Launches sc.exe

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy service COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-07 18:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-07 18:55
Reported 2024-04-07 19:09
Platform win10v2004-20231215-en
Max time kernel 512s
Max time network 782s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe"

Signatures

Creates new service(s)

persistence

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\[email protected] C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\TumblerSpecifics.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\TabButton.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick.2\plugins.qmltypes C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\MuMuVMMVbox\Hypervisor\VBoxEFI64.fd C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\lang-th-json.c8a63538.js C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\mediaservice\dsengine.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\MuMuVMMVbox\Hypervisor\NetFltUninstall.exe C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\SpinBox.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Particles.2\plugins.qmltypes C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\x86\nemu-api.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFlt.cat C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\msvcp140.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\page-icon16.png C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\SwitchDelegate.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMAuthSimple.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\MuMuVMMVbox\Hypervisor\tools\vcruntime140_1.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\PocoUtil.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\MumuApk.ico C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\vccorlib140.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\toolseparator-icon.png C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMDrv.cat C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFltM.inf C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Frame.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-crt-math-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\ButtonGroup.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\Drawer.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\RoundButton.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\Qt5Gui.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\builtins.qmltypes C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\CheckIndicator.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\.backup\ C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetAdp6.inf C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\qmltooling\qmldbg_nativedebugger.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\images\roundbutton-icon.png C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\Menu.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\Label.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vbox-img.exe C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\device\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\MuMuPlayer.exe C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\plugins\playlistformats\ C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\RadioDelegateSpecifics.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\Popup.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtTest\TestCase.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\api-ms-win-crt-math-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\folderlistmodel\ C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\MuMuVMMVbox\Hypervisor\SUPInstall.exe C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMDDR0.r0 C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\Qt\labs\qmlmodels\labsmodelsplugin.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\MuMuPlayerCrashReporter.exe C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\DelayButton.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Imagine\Switch.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\plugins.qmltypes C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.cat C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\BusyIndicator.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\resources\dist\message_center\src\js\mine.498cdd21.js C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\run_checker\bcdedit.exe C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Material\Dialog.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Universal\BusyIndicator.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\Switch.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\Fusion\TextArea.qml C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\device\libMediaCodec.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMRT.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
File opened for modification C:\Program Files\MuMuVMMVbox\Hypervisor\tools\ucrtbase.dll C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32\ = "C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMProxyStub.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23cd1535-edaa-4f21-a4ab-45d97fd1d58b}\LocalServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32\ = "C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMC.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32\ = "C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMC.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208DF701-79C8-426C-814B-18828F6A0B61}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23cd1535-edaa-4f21-a4ab-45d97fd1d58b}\LocalServer32\ = "\"C:\\Program Files\\MuMuVMMVbox\\Hypervisor\\MuMuVMMSVC.exe\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23cd1535-edaa-4f21-a4ab-45d97fd1d58b}\LocalServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b0fe7a06-cdc7-4ece-9c43-5dfd8bdd179c}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32 = "C:\\Windows\\system32\\oleaut32.dll" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Windows\\system32\\oleaut32.dll" C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6734F6F5-1D20-4413-BD35-B97B11112581}\NumMethods\ = "14" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAA00610-81F0-4950-8C36-DA6EEB3A80D3}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F57E1537-1373-4413-BC68-5895E16702BE}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09F6E4D1-A9AC-4528-A672-B92090E81818}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6017EEC-AB97-4117-B0D3-7DC53A2000BA}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B4FDB01C-1329-450B-B269-F7E4713F2285} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D04F1D0-17B2-4D45-A053-7031E1DC18F1}\ProxyStubClsid32\ = "{208DF701-79C8-426C-814B-18828F6A0B61}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3E25B6F-601F-4601-B7A0-B22A94045D8A}\ProxyStubClsid32\ = "{208DF701-79C8-426C-814B-18828F6A0B61}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{968951F2-BD74-4274-AE8E-351C5E2E8342}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FD4E709-A36D-442F-9CC4-123F7C48D95B} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85e56ead-33d4-410d-9130-2f2c0fb6a532}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A

Suspicious behavior: LoadsDriver


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\7z.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\7z.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\7z.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe
PID 3936 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe C:\Users\Admin\AppData\Local\Temp\7z74B513F8\ColaBoxChecker.exe
PID 3936 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe
PID 3936 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe
PID 3936 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe
PID 3936 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe C:\Users\Admin\AppData\Local\Temp\7z74B513F8\MuMuDownloader.exe
PID 3936 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe
PID 4400 wrote to memory of 8112 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\sc.exe
PID 4400 wrote to memory of 7520 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe
PID 4400 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3644 wrote to memory of 6248 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4400 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\sc.exe
PID 6064 wrote to memory of 8168 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4400 wrote to memory of 6568 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe
PID 4400 wrote to memory of 6676 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\System32\Conhost.exe
PID 6676 wrote to memory of 6684 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4400 wrote to memory of 6744 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\regsvr32.exe
PID 6744 wrote to memory of 6072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4400 wrote to memory of 7872 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
PID 4400 wrote to memory of 6508 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe
PID 4400 wrote to memory of 7752 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\sc.exe
PID 4400 wrote to memory of 7552 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPInstall.exe
PID 4400 wrote to memory of 7904 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\sc.exe
PID 4400 wrote to memory of 6404 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\sc.exe
PID 4400 wrote to memory of 6364 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\sc.exe
PID 4400 wrote to memory of 6492 N/A C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe

"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe"

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\ColaBoxChecker.exe

"C:\Users\Admin\AppData\Local\Temp\7z74B513F8\ColaBoxChecker.exe" checker /baseboard

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe

"C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe"

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe

"C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe"

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe

"C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe"

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\MuMuDownloader.exe

"C:\Users\Admin\AppData\Local\Temp\7z74B513F8\MuMuDownloader.exe" --log="C:\Users\Admin\AppData\Local\Temp\nemu-downloader-aria.log" --log-level=notice --check-certificate=false --enable-rpc=true --rpc-listen-port=50746 --continue --max-concurrent-downloads=10 --max-connection-per-server=5 --async-dns=false --file-allocation=prealloc --enable-mmap=true --connect-timeout=5 --rpc-max-request-size=1024M --stop-with-process=3936

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

"C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe" /S /auto_start=false /fchannel=yx-gl-codex /D=C:\Program Files\Netease\MuMuPlayerGlobal-12.0

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe

"C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /UnregServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\system32\regsvr32.exe

/u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Windows\system32\regsvr32.exe

/u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe

"C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /RegServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe

"C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"

C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe

"C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPInstall.exe

"C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPInstall.exe"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" create MuMuVMMDrv binPath= "C:\Program Files\MuMuVMMVbox\LoadedDrivers\MuMuVMMDrv.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" create MuMuVMMDrv binPath= "C:\Program Files\MuMuVMMVbox\LoadedDrivers\MuMuVMMDrv.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" start MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" start MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe

"C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"

C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe

"C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe

"C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /UnregServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\system32\regsvr32.exe

/u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Windows\system32\regsvr32.exe

/u /s "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "comregister.cmd -u"

C:\Windows\SysWOW64\net.exe

NET FILE

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 FILE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cd

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cd

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ver

C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe

"C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMSVC.exe" /UnregServer

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\system32\regsvr32.exe

/s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMC.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\x86\MuMuVMMClient-x86.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Windows\system32\regsvr32.exe

/s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMProxyStub.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\syswow64\regsvr32 /s /u "C:\Program Files\MuMuVMMVbox\Hypervisor\x86\MuMuVMMProxyStub-x86.dll"

C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe

"C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"

C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe

"C:\Program Files\MuMuVMMVbox\LoadedDrivers\SUPUninstall.exe"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc.exe" query MuMuVMMDrv

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\7z.exe

"C:\Users\Admin\AppData\Local\Temp\7z74B513F8\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"

Network

Files

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\nemu-downloader.exe

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\skin.zip

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\config.ini

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\ColaBoxChecker.exe

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\baseboard

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\HyperVChecker.exe

C:\Users\Admin\AppData\Local\Temp\7z74B513F8\MuMuDownloader.exe

C:\Users\Admin\AppData\Local\Temp\MuMuNG-setup-V3.8.3.2696-overseas-0221213808.exe

C:\Users\Admin\AppData\Local\Temp\nsm4A05.tmp\LogEx.dll

C:\Users\Admin\AppData\Local\Temp\nsm4A05.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsm4A05.tmp\UAC.dll

C:\Users\Admin\AppData\Local\Temp\nsm4A05.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nsm4A05.tmp\AccessControl.dll

C:\Users\Admin\AppData\Local\Temp\nsm4A05.tmp\nsProcess.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\load.cmd

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\comregister.cmd

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\libAccelerator.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMAuthSimple.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMAuth.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\msvcr100.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\msvcp100.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\loadall.cmd

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMCAPI.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDD.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMC.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDD2.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMBalloonCtrl.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDragAndDropSvc.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDrv.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDrv.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMProxyStub.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMRes.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.94.0\VAddressDevice.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.92.0\VAddressDevice.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.69.0\VAddressDevice.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.63.0\VAddressDevice.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\vcruntime140_1.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\vcruntime140.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\ucrtbase.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\tools\my_upload_md5.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\SUPUninstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\SUPInstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMProxyStubLegacy.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMVMMR0.r0

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFltM.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFlt.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFlt.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp6.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp6.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp6.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetAdp.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMManage.exe

C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMInstallHelper.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMHeadless.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMGuestControlSvc.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDTrace.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDrv.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetLwf.cat

C:\Program Files\MuMuVMMVbox\Hypervisor\MuMuVMMNetFltNobj.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMNetFlt.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMHostChannel.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMGuestPropSvc.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDDU.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMDDR0.r0

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vaddress\0.0.86.0\VAddressDevice.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetLwfUninstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetLwfInstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetFltUninstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetFltInstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdpUninstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdpInstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdp6Uninstall.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\NetAdp6Install.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMVMMR0.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\mumuvmmvmmr0.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMVMM.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSVGA3D.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSVC.exe

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSupLib.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSharedFolders.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMSharedClipboard.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\MuMuVMMRT.dll

C:\Users\Admin\AppData\Local\Temp\nsm4A05.tmp\ExecDos.dll

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMVMMR0.r0

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMVMMR0.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmvmmr0.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetLwf.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetLwf.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmnetlwf.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetAdp6.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMNetAdp6.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmnetadp6.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMDrv.sys

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMDrv.inf

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\mumuvmmdrv.cat

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\win7\MuMuVMMDDR0.r0

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\VBoxEFI32.fd

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\hypervisor\vbox-img.exe

C:\Users\Admin\AppData\Local\Temp\nemux\MuMuPlayerGlobal-12.0\nemux-scQueryMuMuVMMDrvBeforeScStart.log

C:\Users\Admin\AppData\Local\Temp\nemux\MuMuPlayerGlobal-12.0\nemux-HypervisorDriverUninstall.log

C:\Users\Admin\AppData\Local\Temp\nemux\MuMuPlayerGlobal-12.0\nemux-scQueryMuMuVMMDrvBeginUninstall.log

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\RadioDelegateSpecifics.qml

C:\Program Files\Netease\MuMuPlayerGlobal-12.0\temp\shell\Shell\qml\QtQuick\Controls.2\designer\TabButtonSpecifics.qml

C:\Users\Admin\AppData\Local\Temp\nemux-downloader-31784948-a9e8-4c4e-8333-62d6645025d8.log

memory/3892-3835-0x0000000000A60000-0x0000000001015000-memory.dmp