File name:

MEmu-setup-abroad-sdk.exe

Full analysis: https://app.any.run/tasks/f4739de3-9296-429b-a1c9-19fefce69d65
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 21, 2025, 10:04:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
upx
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

6CC9A78E4778F77343CA22CB09CC8BE5

SHA1:

7763DB92A19E2480328C1F92EA49BC68EB536BEE

SHA256:

DCBD77AD65145AB5AA64B8C08608991A6CC23DAABF02CF0695F2261DA3EC5B7D

SSDEEP:

98304:01EX9pZDV1wd5tm0WS+77NNiM6+wLQH4AfV8C1Dj3HYIU6+tgepPlzBLaYhB8PgM:awiPIdCbuyNryzZjXgjUt2g04xYNgH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Executable content was dropped or overwritten

      • MEmu-setup-abroad-sdk.exe (PID: 2272)
      • Dism.exe (PID: 3168)
      • avg_antivirus_free_online_setup.exe (PID: 3072)
      • icarus.exe (PID: 3632)
      • icarus.exe (PID: 2792)
      • icarus.exe (PID: 3352)
      • icarus.exe (PID: 2996)

    • Reads settings of System Certificates

      • MEmu-setup-abroad-sdk.exe (PID: 2272)
      • avg_antivirus_free_online_setup.exe (PID: 3072)

    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 3064)

    • The process creates files with name similar to system file names

      • Dism.exe (PID: 3168)
      • icarus.exe (PID: 2996)

    • Reads the Internet Settings

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Reads security settings of Internet Explorer

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Potential Corporate Privacy Violation

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Process requests binary or script from the Internet

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Starts itself from another location

      • icarus.exe (PID: 3632)
      • icarus.exe (PID: 3352)

    • Process drops legitimate windows executable

      • icarus.exe (PID: 2792)
      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • The process drops C-runtime libraries

      • icarus.exe (PID: 2792)

    • The process verifies whether the antivirus software is installed

      • icarus.exe (PID: 2792)
      • icarus.exe (PID: 2996)

  • INFO

    • The sample compiled with english language support

      • MEmu-setup-abroad-sdk.exe (PID: 2272)
      • Dism.exe (PID: 3168)
      • avg_antivirus_free_online_setup.exe (PID: 3072)
      • icarus.exe (PID: 3632)
      • icarus.exe (PID: 2792)
      • icarus.exe (PID: 3352)
      • icarus.exe (PID: 2996)

    • Checks supported languages

      • MEmu-setup-abroad-sdk.exe (PID: 2272)
      • DismHost.exe (PID: 3064)
      • avg_antivirus_free_online_setup.exe (PID: 3072)
      • icarus.exe (PID: 3632)
      • icarus.exe (PID: 2792)
      • icarus.exe (PID: 3152)

    • Create files in a temporary directory

      • MEmu-setup-abroad-sdk.exe (PID: 2272)
      • Dism.exe (PID: 3168)

    • Creates files or folders in the user directory

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Reads the computer name

      • DismHost.exe (PID: 3064)
      • avg_antivirus_free_online_setup.exe (PID: 3072)
      • icarus.exe (PID: 3632)
      • icarus.exe (PID: 2792)
      • icarus.exe (PID: 3352)
      • icarus.exe (PID: 3152)
      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Reads the machine GUID from the registry

      • DismHost.exe (PID: 3064)
      • avg_antivirus_free_online_setup.exe (PID: 3072)
      • icarus.exe (PID: 3352)
      • icarus.exe (PID: 2996)
      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • UPX packer has been detected

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Creates files in the program directory

      • avg_antivirus_free_online_setup.exe (PID: 3072)
      • icarus.exe (PID: 3632)
      • icarus.exe (PID: 2792)
      • icarus.exe (PID: 3352)
      • icarus.exe (PID: 2996)

    • Reads CPU info

      • icarus.exe (PID: 2792)
      • icarus.exe (PID: 3352)

    • Reads Environment values

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Reads the software policy settings

      • MEmu-setup-abroad-sdk.exe (PID: 2272)

    • Disables trace logs

      • MEmu-setup-abroad-sdk.exe (PID: 2272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:15 03:55:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 13860864
InitializedDataSize: 188416
UninitializedDataSize: 6393856
EntryPoint: 0x1351c80
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.0.0.0
ProductVersionNumber: 7.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: Microvirt Software Technology Co. Ltd.
FileDescription: MEmu Installer
FileVersion: 7.0.0.0
InternalName: MEmuSetup.exe
LegalCopyright: Copyright (C) 2020 Microvirt Software Technology Co. Ltd. All rights reserved
OriginalFileName: MEmuSetup.exe
ProductName: MEmu Installer
ProductVersion: 7.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
10
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start memu-setup-abroad-sdk.exe dism.exe dismhost.exe avg_antivirus_free_online_setup.exe icarus.exe icarus.exe icarus.exe icarus.exe no specs icarus.exe memu-setup-abroad-sdk.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1224"C:\Users\admin\AppData\Local\Temp\MEmu-setup-abroad-sdk.exe" C:\Users\admin\AppData\Local\Temp\MEmu-setup-abroad-sdk.exeexplorer.exe
User:
admin
Company:
Microvirt Software Technology Co. Ltd.
Integrity Level:
MEDIUM
Description:
MEmu Installer
Exit code:
3221226540
Version:
7.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\memu-setup-abroad-sdk.exe
c:\windows\system32\ntdll.dll
2272"C:\Users\admin\AppData\Local\Temp\MEmu-setup-abroad-sdk.exe" C:\Users\admin\AppData\Local\Temp\MEmu-setup-abroad-sdk.exe
explorer.exe
User:
admin
Company:
Microvirt Software Technology Co. Ltd.
Integrity Level:
HIGH
Description:
MEmu Installer
Version:
7.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\memu-setup-abroad-sdk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2792C:\Windows\Temp\asw-9780a92e-6b64-42ba-9aa2-d806f738cad5\avast-vpn\icarus.exe /silent /er_master:master_ep_915b8506-ab0e-4017-986e-7eae21891318 /er_ui:ui_ep_299f26bf-1f01-4541-8a26-d46c537b26c8 /er_slave:avast-vpn_slave_ep_e8363108-9b1c-4dc8-8c15-6eed9d6aae75 /slave:avast-vpnC:\Windows\Temp\asw-9780a92e-6b64-42ba-9aa2-d806f738cad5\avast-vpn\icarus.exe
icarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Installer
Version:
24.11.8270.0
Modules
Images
c:\windows\temp\asw-9780a92e-6b64-42ba-9aa2-d806f738cad5\avast-vpn\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
2996C:\Windows\Temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\avg-av\icarus.exe /silent /ws /psh:M75Abi94LGIn0XdYasWihTyGJ2YCsKy2dq84U7NJ3ynY7P6Bfiw5ljgbu53WR2y6T92VGscjmPGCT6qsx7PFzY8 /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.9fe135f5eff53b8a /track-guid:53f86a69-5f6f-44f8-afed-91ccc28bb052 /er_master:master_ep_e3ed54d0-1ed7-4f3a-8950-f93c9534c26e /er_ui:ui_ep_a419d574-6daa-4e0c-9ea0-94a343050027 /er_slave:avg-av_slave_ep_3d62a31d-e165-48a1-9441-5a793be189b3 /slave:avg-avC:\Windows\Temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\avg-av\icarus.exe
icarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Installer
Version:
25.2.8714.0
Modules
Images
c:\windows\temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\avg-av\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
3064C:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\dismhost.exe {C529BA9D-28ED-4A6C-85A4-936E21906A12}C:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\DismHost.exe
Dism.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Dism Host Servicing Process
Exit code:
0
Version:
6.1.7601.24499 (win7sp1_ldr.190612-0600)
Modules
Images
c:\users\admin\appdata\local\temp\3812b6e0-92b7-4a18-a78b-7f90300dadec\dismhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3072"C:\Windows\Temp\asw.9fe135f5eff53b8a\avg_antivirus_free_online_setup.exe" /silent /ws /psh:M75Abi94LGIn0XdYasWihTyGJ2YCsKy2dq84U7NJ3ynY7P6Bfiw5ljgbu53WR2y6T92VGscjmPGCT6qsx7PFzY8 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:53f86a69-5f6f-44f8-afed-91ccc28bb052 /edat_dir:C:\Windows\Temp\asw.9fe135f5eff53b8aC:\Windows\Temp\asw.9fe135f5eff53b8a\avg_antivirus_free_online_setup.exe
avg_antivirus_free_setup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Self-Extract Package
Version:
25.2.8714.0
Modules
Images
c:\windows\temp\asw.9fe135f5eff53b8a\avg_antivirus_free_online_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3152C:\Windows\Temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\avg-av-vps\icarus.exe /silent /ws /psh:M75Abi94LGIn0XdYasWihTyGJ2YCsKy2dq84U7NJ3ynY7P6Bfiw5ljgbu53WR2y6T92VGscjmPGCT6qsx7PFzY8 /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.9fe135f5eff53b8a /track-guid:53f86a69-5f6f-44f8-afed-91ccc28bb052 /er_master:master_ep_e3ed54d0-1ed7-4f3a-8950-f93c9534c26e /er_ui:ui_ep_a419d574-6daa-4e0c-9ea0-94a343050027 /er_slave:avg-av-vps_slave_ep_7399e917-9275-48f7-a9fc-098f60e7f03b /slave:avg-av-vpsC:\Windows\Temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\avg-av-vps\icarus.exeicarus.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Installer
Version:
25.2.8714.0
Modules
Images
c:\windows\temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\avg-av-vps\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
3168C:\Windows\system32\Dism.exe /Online /English /Get-Featureinfo /Featurename:Microsoft-Hyper-V-AllC:\Windows\System32\Dism.exe
MEmu-setup-abroad-sdk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Dism Image Servicing Utility
Exit code:
2148468748
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dism.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3352C:\Windows\Temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\icarus-info.xml /install /silent /ws /psh:M75Abi94LGIn0XdYasWihTyGJ2YCsKy2dq84U7NJ3ynY7P6Bfiw5ljgbu53WR2y6T92VGscjmPGCT6qsx7PFzY8 /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.9fe135f5eff53b8a /track-guid:53f86a69-5f6f-44f8-afed-91ccc28bb052C:\Windows\Temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\common\icarus.exe
avg_antivirus_free_online_setup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
AVG Installer
Version:
25.2.8714.0
Modules
Images
c:\windows\temp\asw-f9846fbb-f3ff-4f8e-aa99-3f46a7853f37\common\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
3632C:\Windows\Temp\asw-9780a92e-6b64-42ba-9aa2-d806f738cad5\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-9780a92e-6b64-42ba-9aa2-d806f738cad5\icarus-info.xml /install /silentC:\Windows\Temp\asw-9780a92e-6b64-42ba-9aa2-d806f738cad5\common\icarus.exe
avast_vpn_online_setup.exe
User:
admin
Company:
Gen Digital Inc.
Integrity Level:
HIGH
Description:
Avast Installer
Version:
24.11.8270.0
Modules
Images
c:\windows\temp\asw-9780a92e-6b64-42ba-9aa2-d806f738cad5\common\icarus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events
10 389
Read events
10 336
Write events
51
Delete events
2

Modification events

(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASMANCS
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2272) MEmu-setup-abroad-sdk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MEmu-setup-abroad-sdk_RASAPI32
Operation:writeName:FileTracingMask
Value:
Executable files
143
Suspicious files
80
Text files
620
Unknown types
0

Dropped files

PID
Process
Filename
Type
2272MEmu-setup-abroad-sdk.exeC:\Users\admin\AppData\Local\Microvirt\setup\MEmuSetup.logtext
MD5:888E5C19A0F33009BF5B70C61D9398EB
SHA256:0B2F562422063ABD42127EF1C1ED59690B3CE897D0483B7537624559C6D5F717
3168Dism.exeC:\Windows\Logs\DISM\dism.logcsv
MD5:2B074FA339B4A058613D87F1ADE5C9FC
SHA256:82F3C0FD096F8FE02DA22C53E09B9AE7AC6F6A51D5361C9A60B9703059428F5E
3168Dism.exeC:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\en-US\CompatProvider.dll.muiexecutable
MD5:F973A8BF397FBF00D3EC68E7C4013A38
SHA256:089ACBD4D336323B084906836FC709915AE53E270BA59C2D0021B57394E30D07
3168Dism.exeC:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\CompatProvider.dllexecutable
MD5:AA34ED1CEF804818B0C4BDAA5DF1A3E2
SHA256:67CAF507F943FDC69FEC6C153B38EE765D571C50900A8986CEE2DE566941D1EB
3168Dism.exeC:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\CbsProvider.dllexecutable
MD5:C5681F8A63C9544D2A6D93D5448606F5
SHA256:0FB263E9A01773710C2491CBBFD4A02848457030FEDC0023EAC6BACAB828D1EA
3168Dism.exeC:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\en-US\CbsProvider.dll.muiexecutable
MD5:3D3835F95630A5F46DEA1F7FD823E6A5
SHA256:D32B28B184439673E3AC94070453FAF69434DF29A064558015D2A3FCE2956CA4
2272MEmu-setup-abroad-sdk.exeC:\Users\admin\AppData\Local\Temp\DotSetupSDK\DotSetupSDK.dllexecutable
MD5:FE67FEF5F0AFCC973A5DAA40F1DF14C5
SHA256:E8590980E8F3D57E8B2FE107EF2FBCE0020A2EAC018A64A007817888EBF04C54
3168Dism.exeC:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\DismCorePS.dllexecutable
MD5:9733B1D4E0EFCC3E11A133238B55F10F
SHA256:E07766D4908BAA9790D0C843E7A6E5CEE45DD17A84860B2CF0477D276392C97B
3168Dism.exeC:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\DismHost.exeexecutable
MD5:5E2E337F6F942B63428DB19355D6742B
SHA256:F60406C5D01B22F95C7F7298498475F0930550CBBF6BB31EB01E1E565FA175AE
3168Dism.exeC:\Users\admin\AppData\Local\Temp\3812B6E0-92B7-4A18-A78B-7F90300DADEC\en-US\IntlProvider.dll.muiexecutable
MD5:187359D54BE36B9A20B14EA0A54CDDB8
SHA256:B283A7CFA81342638FCC5EDE1E96499E70E90A72ECDC22110CC11BE593F9BAAD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
52
DNS requests
47
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2272
MEmu-setup-abroad-sdk.exe
GET
113.219.142.35:80
http://www.xyaz.cn/install.php?op_name=showDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2272
MEmu-setup-abroad-sdk.exe
GET
113.219.142.35:80
http://www.xyaz.cn/install.php?op_name=acceptDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2272
MEmu-setup-abroad-sdk.exe
GET
113.219.142.35:80
http://www.xyaz.cn/install.php?op_name=acceptDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2272
MEmu-setup-abroad-sdk.exe
GET
113.219.142.35:80
http://www.xyaz.cn/install.php?op_name=insDot&from=7.0.0.0-abroad-online-sdk
unknown
whitelisted
2272
MEmu-setup-abroad-sdk.exe
HEAD
200
18.245.31.49:80
http://dl.memuplay.com/download/Memu-Setup.exe
unknown
whitelisted
948
avg_antivirus_free_setup.exe
POST
204
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
whitelisted
2272
MEmu-setup-abroad-sdk.exe
GET
503
154.85.69.58:80
http://www.microvirt.com/new_market/service.php?action=getrelease&abroad=1
unknown
unknown
2272
MEmu-setup-abroad-sdk.exe
GET
18.245.31.49:80
http://dl.memuplay.com/download/Memu-Setup.exe
unknown
whitelisted
948
avg_antivirus_free_setup.exe
POST
204
34.117.223.223:80
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
unknown
whitelisted
948
avg_antivirus_free_setup.exe
POST
200
142.250.184.142:80
http://www.google-analytics.com/collect
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
2272
MEmu-setup-abroad-sdk.exe
3.161.75.162:443
d1xj8c1wowfhpd.cloudfront.net
US
whitelisted
2272
MEmu-setup-abroad-sdk.exe
18.172.111.209:443
d1q9vw401wbm4c.cloudfront.net
US
whitelisted
2272
MEmu-setup-abroad-sdk.exe
18.245.86.105:443
api.playanext.com
US
whitelisted
2272
MEmu-setup-abroad-sdk.exe
113.219.142.35:80
www.xyaz.cn
Hengyang
CN
whitelisted
2272
MEmu-setup-abroad-sdk.exe
154.85.69.58:80
www.microvirt.com
Galaxy Broadband
PK
suspicious
2356
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
d1xj8c1wowfhpd.cloudfront.net
  • 3.161.75.162
  • 3.161.75.82
  • 3.161.75.175
  • 3.161.75.39
whitelisted
d1q9vw401wbm4c.cloudfront.net
  • 18.172.111.209
  • 18.172.111.104
  • 18.172.111.22
  • 18.172.111.53
whitelisted
api.playanext.com
  • 18.245.86.105
  • 18.245.86.26
  • 18.245.86.79
  • 18.245.86.84
whitelisted
www.xyaz.cn
  • 113.219.142.35
whitelisted
www.microvirt.com
  • 154.85.69.58
  • 154.85.69.55
  • 154.85.69.60
  • 154.85.69.57
unknown
dl.memuplay.com
  • 18.245.31.49
  • 18.245.31.108
  • 18.245.31.52
  • 18.245.31.17
whitelisted
www.google-analytics.com
  • 142.250.184.142
whitelisted
honzik.avcdn.net
  • 2.18.161.23
  • 2a02:26f0:2780:788::240d
  • 2a02:26f0:2780:798::240d
whitelisted
v7event.stats.avast.com
  • 34.117.223.223
whitelisted

Threats

PID
Process
Class
Message
2272
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2272
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2272
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2272
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2272
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2272
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
2272
MEmu-setup-abroad-sdk.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
2272
MEmu-setup-abroad-sdk.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Process
Message
MEmu-setup-abroad-sdk.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 21x14+320+106 on QWidgetWindow/'QCheckBoxClassWindow'. Resulting geometry: 104x14+320+106 (frame: 4, 23, 4, 4, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
MEmu-setup-abroad-sdk.exe
QWindowsWindow::setGeometryDp: Unable to set geometry 55x14+320+106 on QWidgetWindow/'QLabelClassWindow'. Resulting geometry: 104x14+320+106 (frame: 4, 23, 4, 4, custom margin: 0, 0, 0, 0, minimum size: 0x0, maximum size: 16777215x16777215).
Dism.exe
PID=3168 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
Dism.exe
PID=3168 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
Dism.exe
PID=3168 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe
PID=3168 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=3168 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=3168 Getting Provider OSServices - CDISMProviderStore::GetProvider
Dism.exe
PID=3168 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)
Dism.exe
PID=3168 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MEmu-setup-abroad-sdk.exe