Malware analysis MEmu-setup-abroad-sdk.exe Malicious activity

Add for printing

File name:	MEmu-setup-abroad-sdk.exe
Full analysis:	https://app.any.run/tasks/bf91bff0-0be1-45ea-bafd-dc768b8c3e55
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	June 04, 2025, 21:40:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	upx loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	6CC9A78E4778F77343CA22CB09CC8BE5
SHA1:	7763DB92A19E2480328C1F92EA49BC68EB536BEE
SHA256:	DCBD77AD65145AB5AA64B8C08608991A6CC23DAABF02CF0695F2261DA3EC5B7D
SSDEEP:	98304:01EX9pZDV1wd5tm0WS+77NNiM6+wLQH4AfV8C1Dj3HYIU6+tgepPlzBLaYhB8PgM:awiPIdCbuyNryzZjXgjUt2g04xYNgH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - MEmuDrvInst.exe (PID: 456)
  - MemuService.exe (PID: 7980)
- Registers / Runs the DLL via REGSVR32.EXE
  - Setup.exe (PID: 7896)
SUSPICIOUS
- Process drops legitimate windows executable
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
  - Setup.exe (PID: 7896)
  - 7za.exe (PID: 5760)
  - 7za.exe (PID: 3796)
  - 7za.exe (PID: 5036)
- Drops 7-zip archiver for unpacking
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
  - Setup.exe (PID: 7896)
  - 7za.exe (PID: 5760)
- Executable content was dropped or overwritten
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - Dism.exe (PID: 6368)
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
  - Setup.exe (PID: 7896)
  - 7za.exe (PID: 5760)
  - 7za.exe (PID: 3796)
  - 7za.exe (PID: 5036)
  - MEmuDrvInst.exe (PID: 456)
- The process creates files with name similar to system file names
  - Dism.exe (PID: 6368)
  - 7za.exe (PID: 3796)
- Starts a Microsoft application from unusual location
  - DismHost.exe (PID: 4756)
- Potential Corporate Privacy Violation
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
- Process requests binary or script from the Internet
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
- Windows service management via SC.EXE
  - sc.exe (PID: 5956)
  - sc.exe (PID: 2772)
  - sc.exe (PID: 1196)
  - sc.exe (PID: 3304)
  - sc.exe (PID: 540)
  - sc.exe (PID: 7380)
  - sc.exe (PID: 3132)
  - sc.exe (PID: 2892)
  - sc.exe (PID: 5640)
  - sc.exe (PID: 2660)
  - sc.exe (PID: 6892)
  - sc.exe (PID: 2692)
  - sc.exe (PID: 7676)
  - sc.exe (PID: 2800)
  - sc.exe (PID: 1276)
  - sc.exe (PID: 7172)
  - sc.exe (PID: 3272)
  - sc.exe (PID: 1760)
  - sc.exe (PID: 5164)
  - sc.exe (PID: 7484)
  - sc.exe (PID: 4020)
  - sc.exe (PID: 6192)
  - sc.exe (PID: 7376)
  - sc.exe (PID: 132)
  - sc.exe (PID: 7520)
  - sc.exe (PID: 4560)
- The process drops C-runtime libraries
  - 7za.exe (PID: 5760)
  - 7za.exe (PID: 5036)
  - 7za.exe (PID: 3796)
- Drops a system driver (possible attempt to evade defenses)
  - 7za.exe (PID: 3796)
  - MEmuDrvInst.exe (PID: 456)
- There is functionality for taking screenshot (YARA)
  - Setup.exe (PID: 7896)
- Creates files in the driver directory
  - MEmuDrvInst.exe (PID: 456)
- Reads security settings of Internet Explorer
  - MEmuDrvInst.exe (PID: 456)
- Creates/Modifies COM task schedule object
  - MEmuManage.exe (PID: 6584)
  - regsvr32.exe (PID: 7976)
  - regsvr32.exe (PID: 5996)
- Executes as Windows Service
  - MemuService.exe (PID: 7980)
- Creates a software uninstall entry
  - Setup.exe (PID: 7896)
- Searches for installed software
  - MEmuConsole.exe (PID: 5772)
- Starts CMD.EXE for commands execution
  - MEmu.exe (PID: 2980)
- Starts application with an unusual extension
  - cmd.exe (PID: 1040)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 7992)
INFO
- The sample compiled with english language support
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - Dism.exe (PID: 6368)
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
  - Setup.exe (PID: 7896)
  - 7za.exe (PID: 5760)
  - 7za.exe (PID: 3796)
  - 7za.exe (PID: 5036)
  - MEmuDrvInst.exe (PID: 456)
- Checks supported languages
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - DismHost.exe (PID: 4756)
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
  - Setup.exe (PID: 7896)
  - 7za.exe (PID: 5760)
  - 7za.exe (PID: 3796)
  - MEmuDrvInst.exe (PID: 456)
  - 7za.exe (PID: 5036)
  - MEmuManage.exe (PID: 6584)
  - MEmuSVC.exe (PID: 7228)
  - MEmuSVC.exe (PID: 4540)
  - MEmuSVC.exe (PID: 2216)
  - MEmuSVC.exe (PID: 5180)
  - MemuService.exe (PID: 7980)
  - MEmuSVC.exe (PID: 6480)
  - MEmuRepair.exe (PID: 2088)
  - MEmuManage.exe (PID: 864)
  - MEmuManage.exe (PID: 7324)
  - MEmuConsole.exe (PID: 5772)
  - memuc.exe (PID: 3896)
  - MEmuSVC.exe (PID: 6272)
  - MEmuManage.exe (PID: 6560)
  - MEmu.exe (PID: 8112)
  - MEmuSVC.exe (PID: 4748)
  - MEmuManage.exe (PID: 5892)
  - screenrecord.exe (PID: 7828)
  - MEmuSVC.exe (PID: 928)
  - MEmu.exe (PID: 4208)
  - MEmuManage.exe (PID: 3804)
- Create files in a temporary directory
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - Dism.exe (PID: 6368)
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
- Reads the software policy settings
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - slui.exe (PID: 4224)
  - MEmuDrvInst.exe (PID: 456)
- Checks proxy server information
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - slui.exe (PID: 4224)
  - MEmuConsole.exe (PID: 5772)
- Reads the computer name
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - DismHost.exe (PID: 4756)
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
  - Setup.exe (PID: 7896)
  - 7za.exe (PID: 3796)
  - 7za.exe (PID: 5760)
  - 7za.exe (PID: 5036)
  - MEmuDrvInst.exe (PID: 456)
  - MEmuManage.exe (PID: 6584)
  - MEmuSVC.exe (PID: 7228)
  - MEmuSVC.exe (PID: 5180)
  - MemuService.exe (PID: 7980)
  - MEmuSVC.exe (PID: 6480)
  - MEmuRepair.exe (PID: 2088)
  - MEmuManage.exe (PID: 864)
  - MEmuConsole.exe (PID: 5772)
  - MEmuManage.exe (PID: 7324)
  - MEmuSVC.exe (PID: 6272)
  - MEmuManage.exe (PID: 6560)
  - MEmu.exe (PID: 8112)
  - MEmuManage.exe (PID: 5892)
  - MEmuSVC.exe (PID: 4748)
  - MEmuManage.exe (PID: 3804)
  - MEmuSVC.exe (PID: 928)
  - MEmu.exe (PID: 4208)
- Reads the machine GUID from the registry
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - MEmuDrvInst.exe (PID: 456)
  - MEmuConsole.exe (PID: 5772)
- Disables trace logs
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
- Creates files or folders in the user directory
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - Setup.exe (PID: 7896)
- Reads Environment values
  - DismHost.exe (PID: 4756)
- Creates files in the program directory
  - Setup.exe (PID: 7896)
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
  - 7za.exe (PID: 5760)
  - 7za.exe (PID: 3796)
  - 7za.exe (PID: 5036)
  - MemuService.exe (PID: 7980)
  - MEmuSVC.exe (PID: 6272)
  - MEmuSVC.exe (PID: 4748)
  - MEmuConsole.exe (PID: 5772)
- Manual execution by a user
  - MEmu-setup-abroad-sdk.exe (PID: 7820)
- Reads CPU info
  - Setup.exe (PID: 7896)
  - MEmuRepair.exe (PID: 2088)
  - MEmuConsole.exe (PID: 5772)
- UPX packer has been detected
  - MEmu-setup-abroad-sdk.exe (PID: 6392)
- Application launched itself
  - msedge.exe (PID: 5304)
  - msedge.exe (PID: 2216)
- Changes the display of characters in the console
  - cmd.exe (PID: 1040)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (30.7)
.exe	\|	UPX compressed Win32 Executable (30.1)
.exe	\|	Win32 EXE Yoda's Crypter (29.5)
.exe	\|	Win32 Executable (generic) (5)
.exe	\|	Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:15 03:55:39+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	13860864
InitializedDataSize:	188416
UninitializedDataSize:	6393856
EntryPoint:	0x1351c80
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	7.0.0.0
ProductVersionNumber:	7.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
CompanyName:	Microvirt Software Technology Co. Ltd.
FileDescription:	MEmu Installer
FileVersion:	7.0.0.0
InternalName:	MEmuSetup.exe
LegalCopyright:	Copyright (C) 2020 Microvirt Software Technology Co. Ltd. All rights reserved
OriginalFileName:	MEmuSetup.exe
ProductName:	MEmu Installer
ProductVersion:	7.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

300

Monitored processes

158

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

132

C:\WINDOWS\System32\sc query MEmuSVC

C:\Windows\SysWOW64\sc.exe

—

Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

208

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=2328,i,3047819493237898522,9921066956784947944,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

456

"C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe" driver install "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf"

C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe

Setup.exe

User:

admin

Company:

Maiwei Corporation

Integrity Level:

HIGH

Description:

MemuHyperv Driver Installer

Exit code:

Version:

5.1.34.121010

Modules

Images
c:\program files\microvirt\memuhyperv\memudrvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

540

C:\WINDOWS\System32\sc query MEmuNetAdp

C:\Windows\SysWOW64\sc.exe

—

Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

1060

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

680

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

864

"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe

—

Setup.exe

User:

admin

Company:

Maiwei Corporation

Integrity Level:

HIGH

Description:

MemuHyperv Command Line Tool

Exit code:

Version:

5.1.34.121010

Modules

Images
c:\program files\microvirt\memuhyperv\memumanage.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\program files\microvirt\memuhyperv\msvcp100.dll
c:\program files\microvirt\memuhyperv\msvcr100.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

864

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5248 --field-trial-handle=2260,i,6010052654513803307,3266606570755528023,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

868

chcp 65001

C:\Windows\SysWOW64\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll

872

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5404 --field-trial-handle=2328,i,3047819493237898522,9921066956784947944,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

928

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

—

svchost.exe

User:

admin

Company:

Maiwei Corporation

Integrity Level:

MEDIUM

Description:

MemuHyperv Interface

Exit code:

Version:

5.1.34.121010

Modules

Images
c:\program files\microvirt\memuhyperv\memusvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\program files\microvirt\memuhyperv\msvcp100.dll

Add for printing

Total events

25 866

Read events

24 642

Write events

389

Delete events

835

Modification events


(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6392) MEmu-setup-abroad-sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

228

Suspicious files

294

Text files

2 113

Unknown types

138

Dropped files

PID	Process	Filename		Type
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\AppxProvider.dll		executable
		MD5:396C483D62FEA5FA0FD442C8DC99D4EF	SHA256:36F2AF43F10FD76FEEF65BF574D79D3E27FD40DAF61249880511543C1F17AD91
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\AssocProvider.dll		executable
		MD5:B7DB592706D3EEFBCF0D5A166D462E56	SHA256:DE21321272862E7C332E1724DC315F06F3ABE7A0340E61D351CAB208D6BBF059
6392	MEmu-setup-abroad-sdk.exe	C:\Users\admin\AppData\Local\Temp\MEmuSetup\7za.exe		executable
		MD5:B9425918E9F7B8AFFB9952ED02E01285	SHA256:8A5E4CCE83CA7C08945348BFB13395109656079E99BC6445B62C4DAAE16FAA5D
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\DismHost.exe		executable
		MD5:97CB1E2FCAB378421C4B91DF0C9F8310	SHA256:E36BCF02BC11F560761E943D0FAD37417078F6CBB473F85C72FCBC89E2600C58
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\CbsProvider.dll		executable
		MD5:14932441A96E254B3D29D452CE1263A0	SHA256:8FFF21CB7C88A0DD8C8E7B386604001F2974E75D229369A87BEE0BA18DA575F3
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\DismCorePS.dll		executable
		MD5:35A07968EC37231249F3F072AE555E3A	SHA256:E5F25E5A170CB3D165C3D143EAE967B96AB80F88FB09176DA8591B0B68C77E00
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\en-US\AppxProvider.dll.mui		executable
		MD5:BD0DD9C5A602CB0AD7EABC16B3C1ABFC	SHA256:8AF0073F8A023F55866E48BF3B902DFA7F41C51B0E8B0FE06F8C496D41F9A7B3
6392	MEmu-setup-abroad-sdk.exe	C:\Users\admin\AppData\Local\Microvirt\setup\MEmuSetup.log		text
		MD5:DAB7CDB4C0C69BCF95C8D4C5BD03B30C	SHA256:2836ED8BB056E06BF8E4DF507753FFA4F37F28B72D9FE2ED60B478264AE81577
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\DmiProvider.dll		executable
		MD5:0C2E5696F987350B0AE36E692D10FFB2	SHA256:52FD26A88D386B906CD1034DF69618195E98A3A2743FE4AA185C461B24D5EBA3
6368	Dism.exe	C:\Users\admin\AppData\Local\Temp\A7670A4F-AC96-4B11-9E7F-AFB696282A94\en-US\AssocProvider.dll.mui		executable
		MD5:8833761572F0964BDC1BEA6E1667F458	SHA256:B18C6CE1558C9EF6942A3BCE246A46557C2A7D12AEC6C4A07E4FA84DD5C422F5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

110

DNS requests

106

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2516	svchost.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2516	svchost.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6392	MEmu-setup-abroad-sdk.exe	GET	200	118.253.168.146:80	http://www.xyaz.cn/install.php?op_name=showDot&from=7.0.0.0-abroad-online-sdk	unknown	—	—	whitelisted
7840	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7840	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6392	MEmu-setup-abroad-sdk.exe	GET	200	118.253.168.146:80	http://www.xyaz.cn/install.php?op_name=declineDot&from=7.0.0.0-abroad-online-sdk	unknown	—	—	whitelisted
6392	MEmu-setup-abroad-sdk.exe	GET	200	154.85.69.57:80	http://www.microvirt.com/new_market/service.php?action=getrelease&abroad=1	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7292	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
2516	svchost.exe	2.16.168.124:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
5496	MoUsoCoreWorker.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
2516	svchost.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2516	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6392	MEmu-setup-abroad-sdk.exe	3.161.75.39:443	d1xj8c1wowfhpd.cloudfront.net	—	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.174	whitelisted
crl.microsoft.com	2.16.168.124 2.16.168.114	whitelisted
www.microsoft.com	23.219.150.101 2.23.181.156	whitelisted
d1xj8c1wowfhpd.cloudfront.net	3.161.75.39 3.161.75.82 3.161.75.162 3.161.75.175	whitelisted
d1q9vw401wbm4c.cloudfront.net	18.172.111.53 18.172.111.22 18.172.111.209 18.172.111.104	whitelisted
login.live.com	20.190.160.67 40.126.32.140 20.190.160.128 40.126.32.134 40.126.32.76 40.126.32.133 20.190.160.4 20.190.160.131	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
www.xyaz.cn	118.253.168.146 118.253.168.150 118.253.168.149 118.253.168.219 118.253.168.218 118.253.168.147 118.253.168.215 118.253.168.216 118.253.168.148 118.253.168.217	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted

Threats

PID	Process	Class	Message
6392	MEmu-setup-abroad-sdk.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6392	MEmu-setup-abroad-sdk.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6392	MEmu-setup-abroad-sdk.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6392	MEmu-setup-abroad-sdk.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6392	MEmu-setup-abroad-sdk.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6392	MEmu-setup-abroad-sdk.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6392	MEmu-setup-abroad-sdk.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7896	Setup.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7896	Setup.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7896	Setup.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)

Add for printing

No debug info

General Info

MEmu-setup-abroad-sdk.exe

6CC9A78E4778F77343CA22CB09CC8BE5

7763DB92A19E2480328C1F92EA49BC68EB536BEE

DCBD77AD65145AB5AA64B8C08608991A6CC23DAABF02CF0695F2261DA3EC5B7D

98304:01EX9pZDV1wd5tm0WS+77NNiM6+wLQH4AfV8C1Dj3HYIU6+tgepPlzBLaYhB8PgM:awiPIdCbuyNryzZjXgjUt2g04xYNgH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Process drops legitimate windows executable

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Starts a Microsoft application from unusual location

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Windows service management via SC.EXE

The process drops C-runtime libraries

Drops a system driver (possible attempt to evade defenses)

There is functionality for taking screenshot (YARA)

Creates files in the driver directory

Reads security settings of Internet Explorer

Creates/Modifies COM task schedule object

Executes as Windows Service

Creates a software uninstall entry

Searches for installed software

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Process uses IPCONFIG to clear DNS cache

INFO

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

Reads the software policy settings

Checks proxy server information

Reads the computer name

Reads the machine GUID from the registry

Disables trace logs

Creates files or folders in the user directory

Reads Environment values

Creates files in the program directory

Manual execution by a user

Reads CPU info

UPX packer has been detected

Application launched itself

Changes the display of characters in the console

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules