URL: https://dl.memuplay.com/download/MEmu-setup-abroad-sdk.exe

Full analysis: https://app.any.run/tasks/fb14df21-dfd3-4a3d-945c-6c8ca9c86235
Verdict: Malicious activity
Analysis date: December 15, 2021, 17:25:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Indicators:
MD5: 66A6DCE19AA2645BC254EC4B3B521B97
SHA1: C960C76A3BEBD640A2BE24FC6A3A17BBB37D5D4F
SHA256: 1FE75282E5003BFBB27F7219406BBEBAEB83124BF965F935423E5F349B1025F5
SSDEEP: 3:N8RfVHZ38L9tIWpV5EACn:2hRZMRttVan

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • MEmu-setup-abroad-sdk.exe (PID: 2400)
      • dismhost.exe (PID: 3476)
    • Drops executable file immediately after starts

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • Dism.exe (PID: 1528)
    • Loads dropped or rewritten executable

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • TrustedInstaller.exe (PID: 3060)
      • Dism.exe (PID: 1528)
      • dismhost.exe (PID: 3476)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3732)
      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • Dism.exe (PID: 1528)
    • Reads the computer name

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • dismhost.exe (PID: 3476)
      • TrustedInstaller.exe (PID: 3060)
    • Drops a file with too old compile date

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • Dism.exe (PID: 1528)
    • Checks supported languages

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • dismhost.exe (PID: 3476)
      • TrustedInstaller.exe (PID: 3060)
    • Reads Environment values

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
    • Drops a file that was compiled in debug mode

      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • Dism.exe (PID: 1528)
    • Creates files in the Windows directory

      • TrustedInstaller.exe (PID: 3060)
    • Removes files from Windows directory

      • TrustedInstaller.exe (PID: 3060)
  • INFO

    • Checks supported languages

      • chrome.exe (PID: 3732)
      • chrome.exe (PID: 1040)
      • chrome.exe (PID: 488)
      • chrome.exe (PID: 2940)
      • chrome.exe (PID: 1292)
      • chrome.exe (PID: 2000)
      • chrome.exe (PID: 3988)
      • chrome.exe (PID: 3800)
      • chrome.exe (PID: 576)
      • chrome.exe (PID: 3820)
      • chrome.exe (PID: 2992)
      • chrome.exe (PID: 2608)
      • chrome.exe (PID: 2628)
      • chrome.exe (PID: 2180)
      • chrome.exe (PID: 984)
      • Dism.exe (PID: 1528)
      • chrome.exe (PID: 3968)
      • chrome.exe (PID: 4088)
    • Reads the computer name

      • chrome.exe (PID: 488)
      • chrome.exe (PID: 1040)
      • chrome.exe (PID: 3732)
      • chrome.exe (PID: 3988)
      • chrome.exe (PID: 2992)
      • chrome.exe (PID: 2180)
      • chrome.exe (PID: 984)
      • Dism.exe (PID: 1528)
      • chrome.exe (PID: 3968)
      • chrome.exe (PID: 4088)
    • Reads the hosts file

      • chrome.exe (PID: 1040)
      • chrome.exe (PID: 3732)
    • Application launched itself

      • chrome.exe (PID: 3732)
    • Reads settings of System Certificates

      • chrome.exe (PID: 1040)
      • chrome.exe (PID: 3732)
      • MEmu-setup-abroad-sdk.exe (PID: 1384)
      • TrustedInstaller.exe (PID: 3060)
    • Checks Windows Trust Settings

      • chrome.exe (PID: 3732)
      • TrustedInstaller.exe (PID: 3060)
    • Reads the date of Windows installation

      • chrome.exe (PID: 4088)
No Malware configuration.
No data.
Total processes: 63
Monitored processes: 22
Malicious processes: 4
Suspicious processes: 1

Behavior graph

(Interactive process graph; rendered only in the full report. Nodes shown: chrome.exe (multiple instances, most without specs), memu-setup-abroad-sdk.exe (two instances, one without specs), dism.exe, dismhost.exe, trustedinstaller.exe (no specs). Edges are labelled "drop and start" and "start".)

Process information

PID 3732
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "https://dl.memuplay.com/download/MEmu-setup-abroad-sdk.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 86.0.4240.198

PID 2940
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6ed8d988,0x6ed8d998,0x6ed8d9a4
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 86.0.4240.198

PID 488
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1076 /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 86.0.4240.198

PID 1040
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1256 /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 86.0.4240.198

PID 2000
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1264 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Version: 86.0.4240.198

PID 1292
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Version: 86.0.4240.198

PID 576
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 86.0.4240.198

PID 3988
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2700 /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Version: 86.0.4240.198

PID 3820
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2900 /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 86.0.4240.198

PID 3800
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1072,16510787205302147161,6534255135655193401,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2920 /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  Parent process: chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 86.0.4240.198
Total events: 31 913
Read events: 31 712
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 37
Suspicious files: 18
Text files: 71
Unknown types: 3

Dropped files

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61BA24F6-E94.pma
  Type:
  MD5:
  SHA256:

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\92a0e731-15df-4818-a9b3-33be65fc30a1.tmp
  Type: text
  MD5: D9941D465FFB71CF7CA7C12DD00062CD
  SHA256: C977A8C2EEE597CE3625F801BF05A15FC7628EA3B2BB9A93CD21C8632640F284

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Type: text
  MD5: D9941D465FFB71CF7CA7C12DD00062CD
  SHA256: C977A8C2EEE597CE3625F801BF05A15FC7628EA3B2BB9A93CD21C8632640F284

PID 2940, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
  Type: binary
  MD5: 03C4F648043A88675A920425D824E1B3
  SHA256: F91DBB7C64B4582F529C968C480D2DCE1C8727390482F31E4355A27BB3D9B450

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
  Type: text
  MD5: 00046F773EFDD3C8F8F6D0F87A2B93DC
  SHA256: 593EDE11D17AF7F016828068BCA2E93CF240417563FB06DC8A579110AEF81731

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
  Type: text
  MD5: 5BD3C311F2136A7A88D3E197E55CF902
  SHA256: FA331915E1797E59979A3E4BCC2BD0D3DEAA039B94D4DB992BE251FD02A224B9

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\275a75e4-7867-4858-a40b-a1fb268108a0.tmp
  Type: binary
  MD5: 5058F1AF8388633F609CADB75A75DC9D
  SHA256: CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1935db.TMP
  Type: text
  MD5: 8304B8F42465198890090F52D3F80A4C
  SHA256: 80C32AC2585E7E81200104B1630F19560A156C4ABF51B5888B0FBF07323FAB34

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\MANIFEST-000001
  Type: binary
  MD5: 5AF87DFD673BA2115E2FCF5CFDB727AB
  SHA256: F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4

PID 3732, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF193b98.TMP
  Type: text
  MD5: 65F7BEE92771101B63D90E31DB82105A
  SHA256: A0B0D20056D7798BA6CF228F8BC1D7B7FC894DDB01343158368F80ADA145E622
HTTP(S) requests: 0
TCP/UDP connections: 18
DNS requests: 9
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1040 | chrome.exe | 142.250.185.163:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
1040 | chrome.exe | 142.250.185.237:443 | accounts.google.com | Google Inc. | US | suspicious
1384 | MEmu-setup-abroad-sdk.exe | 18.66.242.220:443 | d1xj8c1wowfhpd.cloudfront.net | Massachusetts Institute of Technology | US | unknown
1040 | chrome.exe | 172.217.16.142:443 | clients2.google.com | Google Inc. | US | whitelisted
1040 | chrome.exe | 142.250.185.142:443 | sb-ssl.google.com | Google Inc. | US | whitelisted
1384 | MEmu-setup-abroad-sdk.exe | 108.156.253.53:443 | dvmc8t0c8zd8y.cloudfront.net | | US | unknown
 | | 172.217.16.142:443 | clients2.google.com | Google Inc. | US | whitelisted
1040 | chrome.exe | 142.250.185.227:443 | update.googleapis.com | Google Inc. | US | whitelisted
1040 | chrome.exe | 45.192.128.17:443 | dl.memuplay.com | MacroLAN | ZA | suspicious

DNS requests

Domain
IP
Reputation
accounts.google.com
  • 142.250.185.237
shared
dl.memuplay.com
  • 45.192.128.17
  • 45.192.128.14
  • 107.155.19.195
  • 45.192.128.16
  • 45.192.128.15
suspicious
clients2.google.com
  • 172.217.16.142
whitelisted
ssl.gstatic.com
  • 142.250.185.163
whitelisted
sb-ssl.google.com
  • 142.250.185.142
whitelisted
d1xj8c1wowfhpd.cloudfront.net
  • 18.66.242.220
  • 18.66.242.204
  • 18.66.242.87
  • 18.66.242.148
whitelisted
dvmc8t0c8zd8y.cloudfront.net
  • 108.156.253.53
  • 108.156.253.129
  • 108.156.253.183
  • 108.156.253.108
whitelisted
update.googleapis.com
  • 142.250.185.227
whitelisted
clients1.google.com
  • 172.217.16.142
whitelisted

Threats

No threats detected
Process | Message
MEmu-setup-abroad-sdk.exe | QWindowsWindow::setGeometryDp: Unable to set geometry 21x14+320+106 on QWidgetWindow/'QCheckBoxClassWindow'. Resulting geometry: 104x14+320+106 (frame: 4, 23, 4, 4, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
MEmu-setup-abroad-sdk.exe | QWindowsWindow::setGeometryDp: Unable to set geometry 55x14+320+106 on QWidgetWindow/'QLabelClassWindow'. Resulting geometry: 104x14+320+106 (frame: 4, 23, 4, 4, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
Dism.exe | PID=1528 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe | PID=1528 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=1528 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=1528 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=1528 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=1528 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
Dism.exe | PID=1528 Getting Provider OSServices - CDISMProviderStore::GetProvider
Dism.exe | PID=1528 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)