f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593

Resubmissions

31-08-2024 00:54

240831-a9edaawcre 6

Analysis

max time kernel
39s
max time network
40s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Size

5.3MB
MD5

fbd9ad001bb2719f574c0705c5de05fb
SHA1

d07e77a490ad677935ac8213b88237e94440e791
SHA256

f0031f9d7f25d4d29581879f62565a5a565995899adc60213f9e218147c78593
SHA512

5724e3f858ae7ea92ba4ce325f3f8f4b90ecc6d7c19476e2888c4b09f0913463191b977f71314300918cceb0a6ae0b80e29d3c70891e8aeb9314da233a929e96
SSDEEP

98304:oeZOuRuvqAgef1ndGaX6tJJQv2FKA75OpVclc02vDRZTEB:1ZOPNdo3u0jc02vVZoB

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Drops file in Program Files directory 1 IoCs

Processes:

nemu-downloader.exe

description ioc process

File created C:\Program Files\Netease\MuMuPlayerGlobal-12.0\1.txt nemu-downloader.exe

description	ioc	process
File created	C:\Program Files\Netease\MuMuPlayerGlobal-12.0\1.txt	nemu-downloader.exe

Executes dropped EXE 7 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exeHyperVChecker.exeHyperVChecker.exeMuMuDownloader.exe7z.exe

pid	process
2876	nemu-downloader.exe
2604	ColaBoxChecker.exe
1720	HyperVChecker.exe
1520	HyperVChecker.exe
2648	HyperVChecker.exe
2880	MuMuDownloader.exe
1032	7z.exe

Loads dropped DLL 25 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exeColaBoxChecker.exeMuMuDownloader.exe7z.exe

pid	process
2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
2876	nemu-downloader.exe
2876	nemu-downloader.exe
2876	nemu-downloader.exe
2876	nemu-downloader.exe
2876	nemu-downloader.exe
2604	ColaBoxChecker.exe
2604	ColaBoxChecker.exe
2876	nemu-downloader.exe
2080
2876	nemu-downloader.exe
2892
2876	nemu-downloader.exe
2772
2876	nemu-downloader.exe
2876	nemu-downloader.exe
2880	MuMuDownloader.exe
2880	MuMuDownloader.exe
2876	nemu-downloader.exe
2876	nemu-downloader.exe
2876	nemu-downloader.exe
2876	nemu-downloader.exe
1032	7z.exe
1032	7z.exe
1032	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXE7z.exeMuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exeColaBoxChecker.exeMuMuDownloader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nemu-downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColaBoxChecker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuMuDownloader.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA3FDDC1-6733-11EF-B254-46D787DB8171} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

nemu-downloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	nemu-downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	nemu-downloader.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

nemu-downloader.exe

pid process

2876 nemu-downloader.exe
2876 nemu-downloader.exe
2876 nemu-downloader.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

476
476
476
476
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7z.exe

description pid process

Token: SeRestorePrivilege 1032 7z.exe
Token: 35 1032 7z.exe
Token: SeSecurityPrivilege 1032 7z.exe
Token: SeSecurityPrivilege 1032 7z.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1808 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1808 iexplore.exe
1808 iexplore.exe
2976 IEXPLORE.EXE
2976 IEXPLORE.EXE

pid	process
476
476
476
476

description	pid	process
Token: SeRestorePrivilege	1032	7z.exe
Token: 35	1032	7z.exe
Token: SeSecurityPrivilege	1032	7z.exe
Token: SeSecurityPrivilege	1032	7z.exe

pid	process
1808	iexplore.exe

pid	process
1808	iexplore.exe
1808	iexplore.exe
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exenemu-downloader.exeiexplore.exe

description	pid	process	target process
PID 2652 wrote to memory of 2876	2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2652 wrote to memory of 2876	2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2652 wrote to memory of 2876	2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2652 wrote to memory of 2876	2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2652 wrote to memory of 2876	2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2652 wrote to memory of 2876	2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2652 wrote to memory of 2876	2652	MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe	nemu-downloader.exe
PID 2876 wrote to memory of 2604	2876	nemu-downloader.exe	ColaBoxChecker.exe
PID 2876 wrote to memory of 2604	2876	nemu-downloader.exe	ColaBoxChecker.exe
PID 2876 wrote to memory of 2604	2876	nemu-downloader.exe	ColaBoxChecker.exe
PID 2876 wrote to memory of 2604	2876	nemu-downloader.exe	ColaBoxChecker.exe
PID 2876 wrote to memory of 2604	2876	nemu-downloader.exe	ColaBoxChecker.exe
PID 2876 wrote to memory of 2604	2876	nemu-downloader.exe	ColaBoxChecker.exe
PID 2876 wrote to memory of 2604	2876	nemu-downloader.exe	ColaBoxChecker.exe
PID 2876 wrote to memory of 1720	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 1720	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 1720	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 1720	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 1520	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 1520	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 1520	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 1520	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 2648	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 2648	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 2648	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 2648	2876	nemu-downloader.exe	HyperVChecker.exe
PID 2876 wrote to memory of 2880	2876	nemu-downloader.exe	MuMuDownloader.exe
PID 2876 wrote to memory of 2880	2876	nemu-downloader.exe	MuMuDownloader.exe
PID 2876 wrote to memory of 2880	2876	nemu-downloader.exe	MuMuDownloader.exe
PID 2876 wrote to memory of 2880	2876	nemu-downloader.exe	MuMuDownloader.exe
PID 2876 wrote to memory of 2880	2876	nemu-downloader.exe	MuMuDownloader.exe
PID 2876 wrote to memory of 2880	2876	nemu-downloader.exe	MuMuDownloader.exe
PID 2876 wrote to memory of 2880	2876	nemu-downloader.exe	MuMuDownloader.exe
PID 2876 wrote to memory of 1808	2876	nemu-downloader.exe	iexplore.exe
PID 2876 wrote to memory of 1808	2876	nemu-downloader.exe	iexplore.exe
PID 2876 wrote to memory of 1808	2876	nemu-downloader.exe	iexplore.exe
PID 2876 wrote to memory of 1808	2876	nemu-downloader.exe	iexplore.exe
PID 2876 wrote to memory of 1032	2876	nemu-downloader.exe	7z.exe
PID 2876 wrote to memory of 1032	2876	nemu-downloader.exe	7z.exe
PID 2876 wrote to memory of 1032	2876	nemu-downloader.exe	7z.exe
PID 2876 wrote to memory of 1032	2876	nemu-downloader.exe	7z.exe
PID 2876 wrote to memory of 1032	2876	nemu-downloader.exe	7z.exe
PID 2876 wrote to memory of 1032	2876	nemu-downloader.exe	7z.exe
PID 2876 wrote to memory of 1032	2876	nemu-downloader.exe	7z.exe
PID 1808 wrote to memory of 2976	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 2976	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 2976	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 2976	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 2976	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 2976	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 2976	1808	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.7.0_gw-overseas12_all_1712735105.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\nemu-downloader.exe
C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\nemu-downloader.exe
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\ColaBoxChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\ColaBoxChecker.exe" checker /baseboard
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2604

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:2648

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\MuMuDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\MuMuDownloader.exe" --log="C:\Users\Admin\AppData\Local\Temp\nemu-downloader-aria.log" --log-level=notice --check-certificate=false --enable-rpc=true --rpc-listen-port=49278 --continue --max-concurrent-downloads=10 --max-connection-per-server=5 --async-dns=false --file-allocation=prealloc --enable-mmap=true --connect-timeout=5 --rpc-max-request-size=1024M --stop-with-process=2876
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mumuglobal.com/problem/q58/?lang=en
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\7z.exe" a -tzip "C:\Users\Admin\AppData\Local\Temp\nemux.zip" "C:\Users\Admin\AppData\Local\Temp\nemux"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\7z.exe
Filesize
292KB

MD5
97b382235264f18a53eff8e891997920

SHA1
cc0f3ad9411f54f70a2b1a1705e24048b06ea65c

SHA256
bf42783c293279c65b00e4f8b72be39e1cb0fcbe14d6679151b0d5e27fd8572d

SHA512
1e780698dbc0963ccbd73976da6898b3c0dc4b4e655a80563585518abd37a1a5561a980d035123011213a83c76320de6c08541caa71bfd6582eb93ff57672a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\ColaBoxChecker.exe
Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\baseboard
Filesize
113B

MD5
083dda75c6e57a51c3268c8aa39a5806

SHA1
d61bdf948af5b71ac2023be1d5fda8ce436a0258

SHA256
eeaf2c852e3a4ec6019cd9255bc875dd59f481aec15e3f715c1ab7d7614b10ed

SHA512
b7947ae0be1c6a4b1bfad748db352a9a541a41641f0a224e4d358cc17528af329814834c1b5d52318d7ec5c8b1f647396950e792266d44cee32fb4b190ac4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\config.ini
Filesize
346B

MD5
d00fb4c61a255b58ff09886c6c72461b

SHA1
4e4f7d7ae36f67a4d6fc8479f8400b3eb769e978

SHA256
77dec4d79e1e844a2156f101defc0fc81c138a989e8ba1c722c58feb91b3cd4a

SHA512
8494ab9fe0594f3ff7b0893ca3e25d6d0a706e546e92c5b662aa864affcefe5f9721a6a95f37f40cdacf39d27a23e2b3cd5dbca4d7b8909cd7c186209d4b46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z66B67A5C\skin.zip
Filesize
509KB

MD5
ecb43530caf9566c1b76d5af8d2097f1

SHA1
34562ada66cd1501fcb7411a1e1d86729fd7fdc0

SHA256
a12381f97aee2d91568f44b23e866ccc99f0ae5e5961f318ed24b72f4f5da80a

SHA512
4a243c0bc4dbaf892bee91ea7eff9e6a7732d3aa2df5bebd9a4bea2859a30a8511945ce3bb823f7ef921f2e1a98906fb676fce85f25fd5908646b3a2f5d02563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemux.zip
Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\Users\Admin\AppData\Local\Temp\7z66B67A5C\7z.dll
Filesize
1.1MB

MD5
0ffa2bff9e56e6122aec80d3c1119d83

SHA1
09b7eb124b8c83469ae7de6447d1b8a7f5c98c61

SHA256
609cba3a8704aa6f5e2623858402bc048de7198a3567a53183bf97de091a3e48

SHA512
42522bf850156577de397e527b8515b1bf0bdeceb170efae71d87c39a25c72c155a2fec6a88b5c3ae443752046f8840cd8afac9c42ed7bcf67aeb9e78aeb5f2e

Download Submit
\Users\Admin\AppData\Local\Temp\7z66B67A5C\HyperVChecker.exe
Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
\Users\Admin\AppData\Local\Temp\7z66B67A5C\MuMuDownloader.exe
Filesize
5.7MB

MD5
2f3d77b4f587f956e9987598b0a218eb

SHA1
c067432f3282438b367a10f6b0bc0466319e34e9

SHA256
2f980c56d81f42ba47dc871a04406976dc490ded522131ce9a2e35c40ca8616e

SHA512
a63afc6d708e3b974f147a2d27d90689d8743acd53d60ad0f81a3ab54dfa851d73bcb869d1e476035abc5e234479812730285c0826a2c3da62f39715e315f221

Download Submit
\Users\Admin\AppData\Local\Temp\7z66B67A5C\nemu-downloader.exe
Filesize
3.2MB

MD5
cdf8047ceae80d9cd9eb798a57bf6084

SHA1
8e7971401fada3099aed61849745fda37e1c0d32

SHA256
1f01a9abac64fae72e0a253ad9ffe2d62cd2967c1c2bc90fb956ac446fe2b11e

SHA512
ac366f38f39b935110192d1355147392ced5a21966cc22386804356dce24b2da7971a6a60d675689f93d74014d961bfb3b0c13cf06809b9f9feef580045e20dc

Download Submit
memory/2880-91-0x0000000000DE0000-0x0000000001395000-memory.dmp

Filesize
5.7MB

Download
memory/2880-96-0x0000000000DE0000-0x0000000001395000-memory.dmp

Filesize
5.7MB

Download