URL:

https://www.memuplay.com/download-roblox-mod-menu-on-pc.html

Full analysis: https://app.any.run/tasks/4663c7a4-7287-4f51-8e32-767f8d7d0a60
Verdict: Malicious activity
Threats:

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 21:51:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
arch-exec
netreactor
emmenhtal
inno
installer
metastealer
icedid
Indicators:
MD5:

8A05904013182FDB0806E96576E5D783

SHA1:

9E58A06E5F57187B0BC9E80EA6B1FBAC9BAC7A0A

SHA256:

9C084817B95F0A7F582DFCAD9E1BDBDFF4FAC3897A1D9B2A36FBAEB8F35FE932

SSDEEP:

3:N8DSLdZ38JXm3gK8qNGn:2OLdZM8TQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • MEmuDrvInst.exe (PID: 1332)
      • MemuService.exe (PID: 10040)

    • Registers / Runs the DLL via REGSVR32.EXE

      • Setup.exe (PID: 7724)

    • Changes the autorun value in the registry

      • rundll32.exe (PID: 5652)

    • EMMENHTAL has been detected (YARA)

      • rsEngineSvc.exe (PID: 6896)

    • METASTEALER has been detected (YARA)

      • rsEngineSvc.exe (PID: 6896)

    • ICEDID has been detected (YARA)

      • servicehost.exe (PID: 7052)
      • uihost.exe (PID: 7908)

    • Scans artifacts that could help determine the target

      • rsEDRSvc.exe (PID: 8532)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • rsStubActivator.exe (PID: 6104)
      • saBSI.exe (PID: 2716)
      • UnifiedStub-installer.exe (PID: 5480)
      • pcran05d.exe (PID: 8052)
      • saBSI.exe (PID: 3944)
      • installer.exe (PID: 2604)
      • installer.exe (PID: 6472)
      • Setup.exe (PID: 7724)
      • 7za.exe (PID: 6140)
      • 7za.exe (PID: 8432)
      • 7za.exe (PID: 8256)
      • MEmuDrvInst.exe (PID: 1332)

    • There is functionality for taking screenshot (YARA)

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • Setup.exe (PID: 7724)
      • uihost.exe (PID: 7908)

    • Reads security settings of Internet Explorer

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • saBSI.exe (PID: 2716)
      • rsStubActivator.exe (PID: 6104)
      • saBSI.exe (PID: 3944)
      • installer.exe (PID: 6472)
      • UnifiedStub-installer.exe (PID: 5480)
      • rsWSC.exe (PID: 6836)
      • rsEngineSvc.exe (PID: 3736)
      • uihost.exe (PID: 7908)
      • rsEDRSvc.exe (PID: 7296)
      • MEmuDrvInst.exe (PID: 1332)
      • rsVPNSvc.exe (PID: 6304)
      • rsDNSSvc.exe (PID: 10008)
      • rsDNSSvc.exe (PID: 10096)

    • Potential Corporate Privacy Violation

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)

    • Process requests binary or script from the Internet

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)

    • Reads the date of Windows installation

      • rsStubActivator.exe (PID: 6104)
      • rsEDRSvc.exe (PID: 8532)
      • rsEngineSvc.exe (PID: 6896)

    • Process drops legitimate windows executable

      • pcran05d.exe (PID: 8052)
      • UnifiedStub-installer.exe (PID: 5480)
      • installer.exe (PID: 6472)
      • Setup.exe (PID: 7724)
      • 7za.exe (PID: 6140)
      • 7za.exe (PID: 8432)
      • 7za.exe (PID: 8256)

    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 2716)
      • UnifiedStub-installer.exe (PID: 5480)
      • servicehost.exe (PID: 7052)
      • rsEngineSvc.exe (PID: 6896)

    • Creates a software uninstall entry

      • UnifiedStub-installer.exe (PID: 5480)
      • installer.exe (PID: 6472)
      • servicehost.exe (PID: 7052)
      • Setup.exe (PID: 7724)

    • Searches for installed software

      • UnifiedStub-installer.exe (PID: 5480)
      • updater.exe (PID: 7784)
      • rsEDRSvc.exe (PID: 8532)
      • rsVPNSvc.exe (PID: 8624)
      • rsEngineSvc.exe (PID: 6896)
      • MEmuConsole.exe (PID: 9968)
      • rsDNSSvc.exe (PID: 10096)
      • MEmu.exe (PID: 5008)

    • Executes as Windows Service

      • rsSyncSvc.exe (PID: 1216)
      • rsWSC.exe (PID: 3564)
      • rsEngineSvc.exe (PID: 6896)
      • rsClientSvc.exe (PID: 7204)
      • servicehost.exe (PID: 7052)
      • rsEDRSvc.exe (PID: 8532)
      • rsVPNClientSvc.exe (PID: 1212)
      • rsVPNSvc.exe (PID: 8624)
      • WmiApSrv.exe (PID: 8284)
      • MemuService.exe (PID: 10040)
      • rsDNSResolver.exe (PID: 9924)
      • rsDNSSvc.exe (PID: 10096)
      • rsDNSClientSvc.exe (PID: 7892)

    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 3944)
      • installer.exe (PID: 2604)
      • installer.exe (PID: 6472)
      • servicehost.exe (PID: 7052)
      • uihost.exe (PID: 7908)
      • rsEngineSvc.exe (PID: 6896)
      • cmd.exe (PID: 8304)
      • cmd.exe (PID: 8404)
      • updater.exe (PID: 7784)
      • rsVPNSvc.exe (PID: 8624)
      • rsDNSSvc.exe (PID: 10096)
      • rsEDRSvc.exe (PID: 8532)

    • The process creates files with name similar to system file names

      • installer.exe (PID: 6472)
      • UnifiedStub-installer.exe (PID: 5480)
      • 7za.exe (PID: 8432)

    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 6472)
      • MEmuManage.exe (PID: 8028)
      • regsvr32.exe (PID: 9576)
      • regsvr32.exe (PID: 9628)

    • The process drops C-runtime libraries

      • UnifiedStub-installer.exe (PID: 5480)
      • 7za.exe (PID: 6140)
      • 7za.exe (PID: 8432)
      • 7za.exe (PID: 8256)

    • Drops a system driver (possible attempt to evade defenses)

      • UnifiedStub-installer.exe (PID: 5480)
      • 7za.exe (PID: 8432)
      • MEmuDrvInst.exe (PID: 1332)

    • Drops 7-zip archiver for unpacking

      • UnifiedStub-installer.exe (PID: 5480)
      • Setup.exe (PID: 7724)
      • 7za.exe (PID: 6140)

    • Creates or modifies Windows services

      • UnifiedStub-installer.exe (PID: 5480)

    • Creates files in the driver directory

      • UnifiedStub-installer.exe (PID: 5480)
      • MEmuDrvInst.exe (PID: 1332)

    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • UnifiedStub-installer.exe (PID: 5480)

    • Creates file in the systems drive root

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)

    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 7052)
      • uihost.exe (PID: 7908)

    • Windows service management via SC.EXE

      • sc.exe (PID: 8332)
      • sc.exe (PID: 8264)
      • sc.exe (PID: 8448)
      • sc.exe (PID: 8392)
      • sc.exe (PID: 8572)
      • sc.exe (PID: 8508)
      • sc.exe (PID: 8636)
      • sc.exe (PID: 8700)
      • sc.exe (PID: 8760)
      • sc.exe (PID: 8816)
      • sc.exe (PID: 8880)
      • sc.exe (PID: 8940)
      • sc.exe (PID: 6192)
      • sc.exe (PID: 9056)
      • sc.exe (PID: 9000)
      • sc.exe (PID: 9116)
      • sc.exe (PID: 9176)
      • sc.exe (PID: 7996)
      • sc.exe (PID: 9060)
      • sc.exe (PID: 7956)
      • sc.exe (PID: 7536)
      • sc.exe (PID: 9800)
      • sc.exe (PID: 9928)
      • sc.exe (PID: 9864)
      • sc.exe (PID: 9988)
      • sc.exe (PID: 10092)

    • Starts CMD.EXE for commands execution

      • updater.exe (PID: 7784)
      • rsDNSSvc.exe (PID: 10096)
      • MEmu.exe (PID: 5008)

    • Reads the BIOS version

      • rsEDRSvc.exe (PID: 8532)
      • rsEngineSvc.exe (PID: 6896)

    • Process checks is Powershell's Script Block Logging on

      • rsEDRSvc.exe (PID: 8532)

    • The process checks if it is being run in the virtual environment

      • rsVPNSvc.exe (PID: 8624)

    • Application launched itself

      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 8428)
      • rsAppUI.exe (PID: 5444)

    • Uses RUNDLL32.EXE to load library

      • UnifiedStub-installer.exe (PID: 5480)

    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 10388)
      • cmd.exe (PID: 6104)

    • There is functionality for communication over UDP network (YARA)

      • rsEngineSvc.exe (PID: 6896)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6868)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 2040)
      • msedge.exe (PID: 8100)
      • msedge.exe (PID: 11192)

    • Reads the computer name

      • identity_helper.exe (PID: 7796)
      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • rsStubActivator.exe (PID: 6104)
      • identity_helper.exe (PID: 2632)
      • saBSI.exe (PID: 2716)
      • saBSI.exe (PID: 3944)
      • UnifiedStub-installer.exe (PID: 5480)
      • rsSyncSvc.exe (PID: 2388)
      • rsSyncSvc.exe (PID: 1216)
      • installer.exe (PID: 6472)
      • rsWSC.exe (PID: 6836)
      • rsWSC.exe (PID: 3564)
      • rsClientSvc.exe (PID: 5368)
      • rsClientSvc.exe (PID: 7204)
      • rsEngineSvc.exe (PID: 3736)
      • servicehost.exe (PID: 7052)
      • uihost.exe (PID: 7908)
      • Setup.exe (PID: 7724)
      • rsEngineSvc.exe (PID: 6896)
      • rsEDRSvc.exe (PID: 7296)
      • 7za.exe (PID: 6140)
      • rsEDRSvc.exe (PID: 8532)
      • updater.exe (PID: 7784)
      • rsHelper.exe (PID: 9000)
      • 7za.exe (PID: 8432)
      • 7za.exe (PID: 8256)
      • MEmuDrvInst.exe (PID: 1332)
      • MEmuSVC.exe (PID: 1208)
      • rsVPNClientSvc.exe (PID: 2512)
      • rsVPNClientSvc.exe (PID: 1212)
      • rsVPNSvc.exe (PID: 6304)
      • rsVPNSvc.exe (PID: 8624)
      • MEmuManage.exe (PID: 8028)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 8336)
      • rsAppUI.exe (PID: 3052)
      • rsAppUI.exe (PID: 8428)
      • rsAppUI.exe (PID: 7600)
      • rsAppUI.exe (PID: 7884)
      • MEmuSVC.exe (PID: 9676)
      • MemuService.exe (PID: 10040)
      • MEmuManage.exe (PID: 10152)
      • MEmuSVC.exe (PID: 9220)
      • MEmuManage.exe (PID: 9696)
      • MEmuConsole.exe (PID: 9968)
      • MEmuManage.exe (PID: 9392)
      • MEmuSVC.exe (PID: 10012)
      • MEmu.exe (PID: 7852)
      • MEmuRepair.exe (PID: 9496)
      • MEmuSVC.exe (PID: 9568)
      • MEmuManage.exe (PID: 9760)
      • MEmuManage.exe (PID: 9812)
      • rsDNSClientSvc.exe (PID: 9396)
      • rsDNSClientSvc.exe (PID: 7892)
      • rsDNSResolver.exe (PID: 10156)
      • rsDNSResolver.exe (PID: 9924)
      • rsDNSSvc.exe (PID: 10008)
      • rsDNSSvc.exe (PID: 10096)
      • MEmuSVC.exe (PID: 8308)
      • MEmu.exe (PID: 3388)
      • rsAppUI.exe (PID: 5444)
      • MEmuRepair.exe (PID: 10184)
      • MEmu.exe (PID: 5008)
      • rsAppUI.exe (PID: 10228)
      • rsAppUI.exe (PID: 9760)
      • MEmuSVC.exe (PID: 9176)
      • identity_helper.exe (PID: 8144)
      • MEmuHeadless.exe (PID: 3944)
      • rsAppUI.exe (PID: 9908)
      • rsAppUI.exe (PID: 8620)
      • rsAppUI.exe (PID: 9564)

    • Checks supported languages

      • identity_helper.exe (PID: 7796)
      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • rsStubActivator.exe (PID: 6104)
      • identity_helper.exe (PID: 2632)
      • saBSI.exe (PID: 2716)
      • pcran05d.exe (PID: 8052)
      • UnifiedStub-installer.exe (PID: 5480)
      • saBSI.exe (PID: 3944)
      • rsSyncSvc.exe (PID: 2388)
      • rsSyncSvc.exe (PID: 1216)
      • installer.exe (PID: 2604)
      • installer.exe (PID: 6472)
      • rsWSC.exe (PID: 6836)
      • rsWSC.exe (PID: 3564)
      • rsEngineSvc.exe (PID: 3736)
      • rsClientSvc.exe (PID: 5368)
      • rsClientSvc.exe (PID: 7204)
      • Setup.exe (PID: 7724)
      • servicehost.exe (PID: 7052)
      • uihost.exe (PID: 7908)
      • rsEngineSvc.exe (PID: 6896)
      • 7za.exe (PID: 6140)
      • rsEDRSvc.exe (PID: 7296)
      • updater.exe (PID: 7784)
      • rsEDRSvc.exe (PID: 8532)
      • rsHelper.exe (PID: 9000)
      • 7za.exe (PID: 8432)
      • 7za.exe (PID: 8256)
      • rsLitmus.A.exe (PID: 8224)
      • MEmuDrvInst.exe (PID: 1332)
      • MEmuManage.exe (PID: 8028)
      • MEmuSVC.exe (PID: 1208)
      • rsVPNClientSvc.exe (PID: 1212)
      • MEmuSVC.exe (PID: 3488)
      • rsVPNClientSvc.exe (PID: 2512)
      • rsVPNSvc.exe (PID: 6304)
      • rsVPNSvc.exe (PID: 8624)
      • VPN.exe (PID: 1700)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 3052)
      • rsAppUI.exe (PID: 8064)
      • EPP.exe (PID: 7808)
      • rsAppUI.exe (PID: 8428)
      • rsAppUI.exe (PID: 8344)
      • rsAppUI.exe (PID: 8336)
      • rsAppUI.exe (PID: 7600)
      • rsAppUI.exe (PID: 7884)
      • rsAppUI.exe (PID: 9276)
      • MEmuSVC.exe (PID: 9500)
      • MEmuSVC.exe (PID: 9676)
      • MemuService.exe (PID: 10040)
      • MEmuSVC.exe (PID: 9220)
      • MEmuManage.exe (PID: 10152)
      • MEmuManage.exe (PID: 9696)
      • MEmuManage.exe (PID: 9392)
      • memuc.exe (PID: 9868)
      • MEmuConsole.exe (PID: 9968)
      • MEmuSVC.exe (PID: 10012)
      • MEmu.exe (PID: 7852)
      • MEmuRepair.exe (PID: 9496)
      • MEmuSVC.exe (PID: 9568)
      • MEmuManage.exe (PID: 9812)
      • MEmuSVC.exe (PID: 8308)
      • rsDNSClientSvc.exe (PID: 9396)
      • rsDNSClientSvc.exe (PID: 7892)
      • MEmuManage.exe (PID: 9760)
      • rsDNSResolver.exe (PID: 9924)
      • rsDNSSvc.exe (PID: 10008)
      • rsDNSSvc.exe (PID: 10096)
      • rsDNSResolver.exe (PID: 10156)
      • screenrecord.exe (PID: 416)
      • MEmu.exe (PID: 3388)
      • rsAppUI.exe (PID: 5444)
      • rsAppUI.exe (PID: 9760)
      • rsAppUI.exe (PID: 10228)
      • MEmuRepair.exe (PID: 10184)
      • DNS.exe (PID: 3540)
      • rsAppUI.exe (PID: 6344)
      • MEmu.exe (PID: 5008)
      • identity_helper.exe (PID: 8144)
      • MEmuHeadless.exe (PID: 3944)
      • MEmuSVC.exe (PID: 9176)
      • rsAppUI.exe (PID: 9908)
      • rsAppUI.exe (PID: 8620)
      • rsAppUI.exe (PID: 9564)
      • chcp.com (PID: 11004)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 2040)

    • Checks proxy server information

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • saBSI.exe (PID: 2716)
      • rsStubActivator.exe (PID: 6104)
      • UnifiedStub-installer.exe (PID: 5480)
      • saBSI.exe (PID: 3944)
      • rsWSC.exe (PID: 6836)
      • slui.exe (PID: 4512)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 8428)
      • MEmuConsole.exe (PID: 9968)
      • rsDNSSvc.exe (PID: 10096)
      • rsAppUI.exe (PID: 5444)
      • MEmu.exe (PID: 5008)

    • Reads Environment values

      • identity_helper.exe (PID: 7796)
      • identity_helper.exe (PID: 2632)
      • rsStubActivator.exe (PID: 6104)
      • UnifiedStub-installer.exe (PID: 5480)
      • rsEngineSvc.exe (PID: 6896)
      • rsEDRSvc.exe (PID: 8532)
      • rsVPNSvc.exe (PID: 8624)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 8428)
      • rsDNSSvc.exe (PID: 10096)
      • identity_helper.exe (PID: 8144)

    • Creates files or folders in the user directory

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • UnifiedStub-installer.exe (PID: 5480)
      • rsWSC.exe (PID: 6836)
      • rsEngineSvc.exe (PID: 6896)
      • rsVPNSvc.exe (PID: 8624)
      • rsAppUI.exe (PID: 3052)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 7884)
      • rsAppUI.exe (PID: 8428)
      • Setup.exe (PID: 7724)
      • rsDNSSvc.exe (PID: 10096)
      • rsAppUI.exe (PID: 5444)
      • MEmu.exe (PID: 5008)
      • rsAppUI.exe (PID: 10228)
      • rsAppUI.exe (PID: 9908)

    • Reads the machine GUID from the registry

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • rsStubActivator.exe (PID: 6104)
      • saBSI.exe (PID: 2716)
      • UnifiedStub-installer.exe (PID: 5480)
      • saBSI.exe (PID: 3944)
      • installer.exe (PID: 6472)
      • rsWSC.exe (PID: 6836)
      • rsWSC.exe (PID: 3564)
      • rsEngineSvc.exe (PID: 3736)
      • rsEngineSvc.exe (PID: 6896)
      • uihost.exe (PID: 7908)
      • servicehost.exe (PID: 7052)
      • rsEDRSvc.exe (PID: 7296)
      • updater.exe (PID: 7784)
      • rsEDRSvc.exe (PID: 8532)
      • rsHelper.exe (PID: 9000)
      • MEmuDrvInst.exe (PID: 1332)
      • rsVPNSvc.exe (PID: 6304)
      • rsAppUI.exe (PID: 8268)
      • rsVPNSvc.exe (PID: 8624)
      • rsAppUI.exe (PID: 8428)
      • MEmuConsole.exe (PID: 9968)
      • rsDNSSvc.exe (PID: 10008)
      • rsDNSSvc.exe (PID: 10096)
      • rsAppUI.exe (PID: 5444)
      • MEmu.exe (PID: 5008)
      • rsAppUI.exe (PID: 9908)
      • rsAppUI.exe (PID: 9564)
      • rsAppUI.exe (PID: 8620)

    • Reads CPU info

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • Setup.exe (PID: 7724)
      • rsEngineSvc.exe (PID: 6896)
      • rsEDRSvc.exe (PID: 8532)
      • rsVPNSvc.exe (PID: 8624)
      • MEmuConsole.exe (PID: 9968)
      • MEmuRepair.exe (PID: 9496)
      • MEmu.exe (PID: 3388)
      • MEmuRepair.exe (PID: 10184)
      • MEmu.exe (PID: 5008)

    • Create files in a temporary directory

      • rsStubActivator.exe (PID: 6104)
      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • pcran05d.exe (PID: 8052)
      • saBSI.exe (PID: 3944)
      • UnifiedStub-installer.exe (PID: 5480)
      • installer.exe (PID: 6472)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 8428)
      • rsAppUI.exe (PID: 5444)

    • Reads the software policy settings

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • saBSI.exe (PID: 2716)
      • rsStubActivator.exe (PID: 6104)
      • UnifiedStub-installer.exe (PID: 5480)
      • saBSI.exe (PID: 3944)
      • installer.exe (PID: 6472)
      • rsWSC.exe (PID: 6836)
      • servicehost.exe (PID: 7052)
      • uihost.exe (PID: 7908)
      • rsEngineSvc.exe (PID: 6896)
      • updater.exe (PID: 7784)
      • rsEDRSvc.exe (PID: 7296)
      • rsWSC.exe (PID: 3564)
      • rsEDRSvc.exe (PID: 8532)
      • slui.exe (PID: 4512)
      • MEmuDrvInst.exe (PID: 1332)
      • rsVPNSvc.exe (PID: 6304)
      • rsVPNSvc.exe (PID: 8624)
      • rsDNSSvc.exe (PID: 10008)
      • rsDNSSvc.exe (PID: 10096)

    • Disables trace logs

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • rsStubActivator.exe (PID: 6104)
      • UnifiedStub-installer.exe (PID: 5480)
      • rsEngineSvc.exe (PID: 6896)
      • rsEDRSvc.exe (PID: 8532)
      • rsVPNSvc.exe (PID: 8624)
      • rsDNSSvc.exe (PID: 10096)

    • Creates files in the program directory

      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • saBSI.exe (PID: 2716)
      • UnifiedStub-installer.exe (PID: 5480)
      • saBSI.exe (PID: 3944)
      • installer.exe (PID: 2604)
      • installer.exe (PID: 6472)
      • rsWSC.exe (PID: 6836)
      • rsEngineSvc.exe (PID: 3736)
      • Setup.exe (PID: 7724)
      • servicehost.exe (PID: 7052)
      • rsEngineSvc.exe (PID: 6896)
      • uihost.exe (PID: 7908)
      • 7za.exe (PID: 6140)
      • rsEDRSvc.exe (PID: 7296)
      • rsEDRSvc.exe (PID: 8532)
      • 7za.exe (PID: 8432)
      • 7za.exe (PID: 8256)
      • rsVPNSvc.exe (PID: 6304)
      • rsVPNSvc.exe (PID: 8624)
      • MemuService.exe (PID: 10040)
      • MEmuConsole.exe (PID: 9968)
      • MEmuSVC.exe (PID: 10012)
      • MEmuSVC.exe (PID: 9568)
      • rsDNSResolver.exe (PID: 10156)
      • rsDNSResolver.exe (PID: 9924)
      • rsDNSSvc.exe (PID: 10008)
      • rsDNSSvc.exe (PID: 10096)
      • MEmuHeadless.exe (PID: 3944)
      • MEmu.exe (PID: 5008)

    • The sample compiled with english language support

      • rsStubActivator.exe (PID: 6104)
      • MEmu-setup-abroad-02bf66ec.exe (PID: 7744)
      • pcran05d.exe (PID: 8052)
      • saBSI.exe (PID: 2716)
      • UnifiedStub-installer.exe (PID: 5480)
      • installer.exe (PID: 2604)
      • installer.exe (PID: 6472)
      • Setup.exe (PID: 7724)
      • 7za.exe (PID: 6140)
      • 7za.exe (PID: 8432)
      • 7za.exe (PID: 8256)
      • MEmuDrvInst.exe (PID: 1332)

    • Process checks computer location settings

      • rsStubActivator.exe (PID: 6104)
      • servicehost.exe (PID: 7052)
      • rsVPNSvc.exe (PID: 8624)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 8064)
      • rsAppUI.exe (PID: 9276)
      • rsAppUI.exe (PID: 8344)
      • rsAppUI.exe (PID: 8428)
      • rsAppUI.exe (PID: 5444)
      • rsAppUI.exe (PID: 6344)

    • SQLite executable

      • UnifiedStub-installer.exe (PID: 5480)

    • Reads product name

      • rsEDRSvc.exe (PID: 8532)
      • rsEngineSvc.exe (PID: 6896)
      • rsAppUI.exe (PID: 8268)
      • rsAppUI.exe (PID: 8428)

    • Reads the time zone

      • rsEngineSvc.exe (PID: 6896)
      • rsEDRSvc.exe (PID: 8532)
      • rsVPNSvc.exe (PID: 8624)
      • runonce.exe (PID: 3900)

    • .NET Reactor protector has been detected

      • UnifiedStub-installer.exe (PID: 5480)
      • rsWSC.exe (PID: 3564)
      • rsEngineSvc.exe (PID: 6896)

    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 3900)
      • explorer.exe (PID: 9240)
      • explorer.exe (PID: 10152)

    • Launching a file from a Registry key

      • rundll32.exe (PID: 5652)

    • Process checks whether UAC notifications are on

      • rsEDRSvc.exe (PID: 8532)

    • Detects InnoSetup installer (YARA)

      • rsEngineSvc.exe (PID: 6896)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • rsEDRSvc.exe (PID: 8532)

    • Changes the display of characters in the console

      • cmd.exe (PID: 6868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
413
Monitored processes
250
Malicious processes
21
Suspicious processes
4

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs memu-setup-abroad-02bf66ec.exe no specs memu-setup-abroad-02bf66ec.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs rsstubactivator.exe sabsi.exe pcran05d.exe unifiedstub-installer.exe sabsi.exe rssyncsvc.exe no specs conhost.exe no specs rssyncsvc.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs installer.exe installer.exe wevtutil.exe no specs conhost.exe no specs rswsc.exe rswsc.exe no specs setup.exe rsclientsvc.exe no specs conhost.exe no specs rsclientsvc.exe no specs rsenginesvc.exe #EMMENHTAL rsenginesvc.exe #ICEDID servicehost.exe #ICEDID uihost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs 7za.exe conhost.exe no specs msedge.exe no specs rsedrsvc.exe no specs updater.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs rsedrsvc.exe rshelper.exe no specs rslitmus.a.exe no specs conhost.exe no specs msedge.exe no specs 7za.exe conhost.exe no specs 7za.exe conhost.exe no specs sc.exe no specs conhost.exe no specs memudrvinst.exe conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs memumanage.exe no specs conhost.exe no specs memusvc.exe no specs memusvc.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs rsvpnclientsvc.exe no specs conhost.exe no specs rsvpnclientsvc.exe no specs rsvpnsvc.exe no specs rsvpnsvc.exe vpn.exe no specs rsappui.exe no specs wmiapsrv.exe no specs rsappui.exe no specs rsappui.exe rsappui.exe no specs epp.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe no specs msedge.exe no specs memusvc.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs memusvc.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs memuservice.exe no specs sc.exe no specs conhost.exe no specs memumanage.exe no specs conhost.exe no specs memusvc.exe no specs msedge.exe no specs memurepair.exe memumanage.exe no specs conhost.exe no specs memumanage.exe no specs conhost.exe no specs memuc.exe no specs conhost.exe no specs memuconsole.exe memusvc.exe no specs memu.exe no specs memusvc.exe no specs memumanage.exe no specs conhost.exe no specs memumanage.exe no specs conhost.exe no specs memusvc.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs rsdnsclientsvc.exe no specs conhost.exe no specs rsdnsclientsvc.exe no specs rsdnsresolver.exe no specs conhost.exe no specs rsdnsresolver.exe no specs rsdnssvc.exe no specs rsdnssvc.exe screenrecord.exe no specs memu.exe explorer.exe no specs explorer.exe no specs msedge.exe no specs memurepair.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs dns.exe no specs rsappui.exe no specs rsappui.exe no specs rsappui.exe rsappui.exe no specs cmd.exe no specs conhost.exe no specs ipconfig.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs memu.exe memusvc.exe no specs identity_helper.exe no specs identity_helper.exe no specs memuheadless.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs cmd.exe no specs conhost.exe no specs ipconfig.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rsappui.exe no specs rsappui.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rsappui.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
416"C:\Program Files\Microvirt\MEmu\screenrecord.exe"C:\Program Files\Microvirt\MEmu\screenrecord.exeSetup.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\program files\microvirt\memu\screenrecord.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
420"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4208,i,632543674651880002,1740148177192917257,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1040"C:\WINDOWS\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"C:\Windows\SysWOW64\regsvr32.exeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1208"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -EmbeddingC:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exesvchost.exe
User:
admin
Company:
Maiwei Corporation
Integrity Level:
HIGH
Description:
MemuHyperv Interface
Exit code:
0
Version:
5.1.34.121010
Modules
Images
c:\program files\microvirt\memuhyperv\memusvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
1212"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exeservices.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
Reason Client Service
Version:
4.5.1.0
Modules
Images
c:\program files\reasonlabs\vpn\rsvpnclientsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\bcrypt.dll
1216"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeservices.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
Reason Security Synchronize Service
Version:
1.8.5.0
Modules
Images
c:\program files\reasonlabs\common\rssyncsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1332"C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe" driver install "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf"C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe
Setup.exe
User:
admin
Company:
Maiwei Corporation
Integrity Level:
HIGH
Description:
MemuHyperv Driver Installer
Exit code:
0
Version:
5.1.34.121010
Modules
Images
c:\program files\microvirt\memuhyperv\memudrvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1352"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5316,i,10790480124074873322,6722199518932875117,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1644\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewevtutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1700"c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-runC:\Program Files\ReasonLabs\VPN\ui\VPN.exersVPNSvc.exe
User:
admin
Company:
Reason Cybersecurity Ltd.
Integrity Level:
MEDIUM
Description:
RAV VPN Client
Exit code:
0
Version:
2.20.0
Modules
Images
c:\program files\reasonlabs\vpn\ui\vpn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events
156 810
Read events
154 810
Write events
956
Delete events
1 044

Modification events

(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(2040) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D24DB343B2962F00
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459640
Operation:writeName:WindowTabManagerFileMappingId
Value:
{9E0D8001-92F3-44AD-B05A-07731A677FBE}
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459640
Operation:writeName:WindowTabManagerFileMappingId
Value:
{564B4BA6-0541-41E2-9691-B04D56E8FB63}
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459640
Operation:writeName:WindowTabManagerFileMappingId
Value:
{AC40A3B3-ED48-4287-A79C-1062840EAB7A}
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459640
Operation:writeName:WindowTabManagerFileMappingId
Value:
{070F314F-E28C-4AFF-95FA-1BC92D624BE0}
(PID) Process:(2040) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459640
Operation:writeName:WindowTabManagerFileMappingId
Value:
{ECCF8BEF-0C3F-4636-992F-D0C11218639B}
Executable files
1 088
Suspicious files
1 248
Text files
1 580
Unknown types
8

Dropped files

PID
Process
Filename
Type
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF17688d.TMP
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF17688d.TMP
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF17688d.TMP
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF17688d.TMP
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF17689d.TMP
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
2040msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF17687e.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
174
TCP/UDP connections
1 052
DNS requests
300
Threats
37

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6336
msedge.exe
GET
200
150.171.27.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:KO-jSFl6tD2JwatbiVHUe6pHFjngQVnnKKcrRAyxUA4&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
2552
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.38:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7744
MEmu-setup-abroad-02bf66ec.exe
GET
200
154.85.69.55:80
http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-02bf66ec&insMode=ins&version=1.0.1.0&channel=cd5e1e00&silence=0&currPage=ShowWelcomePage&lifeCycle=0&exitCode=0&mac=9E:F0:EB:3D:A9:51&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1
unknown
unknown
7744
MEmu-setup-abroad-02bf66ec.exe
GET
200
99.86.1.77:80
http://d1s13cf1vqydcj.cloudfront.net/installer/394543/624398141519
unknown
whitelisted
7744
MEmu-setup-abroad-02bf66ec.exe
GET
200
154.85.69.55:80
http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-02bf66ec&insMode=ins&version=1.0.1.0&channel=cd5e1e00&silence=0&currPage=StepStart&lifeCycle=0&exitCode=0&mac=9E:F0:EB:3D:A9:51&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1
unknown
unknown
7744
MEmu-setup-abroad-02bf66ec.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
whitelisted
7744
MEmu-setup-abroad-02bf66ec.exe
GET
200
154.85.69.55:80
http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-02bf66ec&insMode=ins&version=1.0.1.0&channel=cd5e1e00&silence=0&currPage=ClickInstallBtn&lifeCycle=0&exitCode=0&mac=9E:F0:EB:3D:A9:51&error=&initTime=2562&initTime=2562&acceptCount=-1&declineCount=-1&installOffers=-1
unknown
unknown
7744
MEmu-setup-abroad-02bf66ec.exe
GET
200
154.85.69.55:80
http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-02bf66ec&insMode=ins&version=1.0.1.0&channel=cd5e1e00&silence=0&currPage=ShowAd_1&lifeCycle=0&exitCode=0&mac=9E:F0:EB:3D:A9:51&error=&initTime=2562&initTime=2562&acceptCount=0&declineCount=0&installOffers=-1
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5708
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6336
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6336
msedge.exe
150.171.27.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6336
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6336
msedge.exe
104.126.37.136:443
copilot.microsoft.com
Akamai International B.V.
DE
whitelisted
6336
msedge.exe
18.66.122.33:443
www.memuplay.com
AMAZON-02
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.memuplay.com
  • 18.66.122.33
  • 18.66.122.8
  • 18.66.122.98
  • 18.66.122.58
whitelisted
copilot.microsoft.com
  • 104.126.37.136
  • 104.126.37.169
whitelisted
www.bing.com
  • 104.126.37.139
  • 104.126.37.129
  • 104.126.37.153
  • 104.126.37.154
  • 104.126.37.163
  • 104.126.37.155
  • 104.126.37.144
  • 104.126.37.137
  • 104.126.37.130
  • 104.126.37.123
  • 104.126.37.171
  • 104.126.37.176
  • 104.126.37.162
  • 104.126.37.185
  • 2.23.227.208
  • 2.23.227.215
  • 2.16.241.201
  • 2.16.241.218
whitelisted
dl.memuplay.com
  • 18.245.31.108
  • 18.245.31.52
  • 18.245.31.17
  • 18.245.31.49
whitelisted
www.googletagmanager.com
  • 172.217.16.200
whitelisted
securepubads.g.doubleclick.net
  • 142.250.181.226
  • 142.250.185.194
whitelisted

Threats

PID
Process
Class
Message
6336
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6336
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6336
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6336
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7744
MEmu-setup-abroad-02bf66ec.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7744
MEmu-setup-abroad-02bf66ec.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7744
MEmu-setup-abroad-02bf66ec.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7744
MEmu-setup-abroad-02bf66ec.exe
Misc activity
ET INFO EXE - Served Attached HTTP
7744
MEmu-setup-abroad-02bf66ec.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7744
MEmu-setup-abroad-02bf66ec.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Process
Message
MEmu-setup-abroad-02bf66ec.exe
Qt: Untested Windows version 10.0 detected!
MEmu-setup-abroad-02bf66ec.exe
QObject::connect: No such signal QNetworkReplyHttpImpl::error()
MEmu-setup-abroad-02bf66ec.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 21x14+320+100 on QWidgetWindow/'QCheckBoxClassWindow'. Resulting geometry: 120x14+320+100 (frame: 8, 31, 8, 8, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
MEmu-setup-abroad-02bf66ec.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 55x14+320+100 on QWidgetWindow/'QLabelClassWindow'. Resulting geometry: 120x14+320+100 (frame: 8, 31, 8, 8, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
MEmu-setup-abroad-02bf66ec.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 21x14+320+100 on QWidgetWindow/'QCheckBoxClassWindow'. Resulting geometry: 120x14+320+100 (frame: 8, 31, 8, 8, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
MEmu-setup-abroad-02bf66ec.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 66x14+320+100 on QWidgetWindow/'QLabelClassWindow'. Resulting geometry: 120x14+320+100 (frame: 8, 31, 8, 8, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
MEmu-setup-abroad-02bf66ec.exe
QObject::connect: No such signal QNetworkReplyHttpImpl::error()
MEmu-setup-abroad-02bf66ec.exe
QObject::connect: No such signal QNetworkReplyHttpImpl::error()
MEmu-setup-abroad-02bf66ec.exe
QObject::killTimer: Timers cannot be stopped from another thread
MEmu-setup-abroad-02bf66ec.exe
QObject::~QObject: Timers cannot be stopped from another thread
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.memuplay.com/download-roblox-mod-menu-on-pc.html