Resubmissions

21/04/2024, 09:00 UTC

240421-kycqesga2z 6

22/03/2024, 09:35 UTC

240322-lkjggscg8w 10

Analysis

  • max time kernel
    653s
  • max time network
    1165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21/04/2024, 09:00 UTC

General

  • Target

    MEmu-setup-abroad-sdk-20240322.exe

  • Size

    23.0MB

  • MD5

    f9ce897d93d4f77bca3cca8541a8addb

  • SHA1

    4ac5a68266c842fb997fd755c9d10d1975baa71f

  • SHA256

    89174acde0ea21562e6186847ba7d12aacd9b2b2132f456dd8335680daadd9a9

  • SHA512

    57ad25f1a3b1514e579fd9f61102d0e6ea42e32bb9371fa447ab6e8c4403a018ee5b1959f3038dd591c930ecc4b535abe6851693334a67542acb7877152b0a6a

  • SSDEEP

    393216:w95Rjktqn778Sd3o+83Jsv6tWKFdu9CwvUiPbKv647n+YlmYz:MRjkG7Iq3oOD2vegm0

Score
6/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Loads dropped DLL 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEmu-setup-abroad-sdk-20240322.exe
    "C:\Users\Admin\AppData\Local\Temp\MEmu-setup-abroad-sdk-20240322.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5072
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:3864
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2340

Network

    • flag-us
      DNS
      stat.microvirt.com
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      8.8.8.8:53
      Request
      stat.microvirt.com
      IN A
      Response
      stat.microvirt.com
      IN CNAME
      stat.microvirt.com.bsclink.cn
      stat.microvirt.com.bsclink.cn
      IN CNAME
      uz95.v.bsclink.cn
      uz95.v.bsclink.cn
      IN A
      104.166.160.228
      uz95.v.bsclink.cn
      IN A
      104.166.160.229
    • flag-us
      DNS
      www.microvirt.com
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      8.8.8.8:53
      Request
      www.microvirt.com
      IN A
      Response
      www.microvirt.com
      IN CNAME
      www.microvirt.com.bsclink.cn
      www.microvirt.com.bsclink.cn
      IN CNAME
      uz95.v.bsclink.cn
      uz95.v.bsclink.cn
      IN A
      104.166.160.229
      uz95.v.bsclink.cn
      IN A
      104.166.160.228
    • flag-gb
      GET
      http://www.microvirt.com/new_market/service.php?action=getassetbundle&channel=cd5e1e2&ver=1.0.0
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      104.166.160.229:80
      Request
      GET /new_market/service.php?action=getassetbundle&channel=cd5e1e2&ver=1.0.0 HTTP/1.1
      Connection: Keep-Alive
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,*
      User-Agent: Mozilla/5.0
      Host: www.microvirt.com
      Response
      HTTP/1.1 200 OK
      Date: Sun, 21 Apr 2024 09:20:27 GMT
      Content-Type: text/html;charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: nginx/1.10.3 (Ubuntu)
      Access-Control-Allow-Methods: POST,GET
      Content-Encoding: gzip
      Vary: Accept-Encoding
      X-Ser: BC167_dx-lt-yd-zhejiang-jinhua-5-cache-6, BC194_lt-obgp-fujian-xiamen-33-cache-1, BC130_IT-Lombardia-Milan-1-cache-1, BC229_GB-london-london-3-cache-2
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      0.205.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.205.248.87.in-addr.arpa
      IN PTR
      Response
      0.205.248.87.in-addr.arpa
      IN PTR
      https-87-248-205-0.lgw.llnw.net
    • flag-us
      DNS
      0.205.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.205.248.87.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      0.205.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.205.248.87.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
    • flag-gb
      GET
      http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=ShowWelcomePage&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      104.166.160.228:80
      Request
      GET /new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=ShowWelcomePage&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1 HTTP/1.1
      Connection: Keep-Alive
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,*
      User-Agent: Mozilla/5.0
      Host: stat.microvirt.com
      Response
      HTTP/1.1 200 OK
      Date: Sun, 21 Apr 2024 09:20:27 GMT
      Content-Type: text/html;charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: nginx/1.10.3 (Ubuntu)
      Access-Control-Allow-Methods: POST,GET
      Content-Encoding: gzip
      Vary: Accept-Encoding
      X-Ser: BC148_dx-lt-yd-zhejiang-wenzhou-11-cache-7, BC196_lt-obgp-fujian-xiamen-33-cache-1, BC130_IT-Lombardia-Milan-1-cache-1, BC229_GB-london-london-3-cache-2
    • flag-gb
      GET
      http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=StepStart&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      104.166.160.228:80
      Request
      GET /new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=StepStart&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1 HTTP/1.1
      Connection: Keep-Alive
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,*
      User-Agent: Mozilla/5.0
      Host: stat.microvirt.com
      Response
      HTTP/1.1 200 OK
      Date: Sun, 21 Apr 2024 09:20:27 GMT
      Content-Type: text/html;charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: nginx/1.10.3 (Ubuntu)
      Access-Control-Allow-Methods: POST,GET
      Content-Encoding: gzip
      Vary: Accept-Encoding
      X-Ser: BC13_dx-lt-yd-hunan-changsha-12-cache-6, BC194_lt-obgp-fujian-xiamen-33-cache-1, BC232_FR-Paris-Paris-3-cache-1, BC229_GB-london-london-3-cache-2
    • flag-us
      DNS
      dl.memuplay.com
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      8.8.8.8:53
      Request
      dl.memuplay.com
      IN A
      Response
      dl.memuplay.com
      IN CNAME
      dl.memuplay.com.rgslb.net
      dl.memuplay.com.rgslb.net
      IN CNAME
      d3p779s2xhx48e.cloudfront.net
      d3p779s2xhx48e.cloudfront.net
      IN A
      18.245.31.17
      d3p779s2xhx48e.cloudfront.net
      IN A
      18.245.31.52
      d3p779s2xhx48e.cloudfront.net
      IN A
      18.245.31.108
      d3p779s2xhx48e.cloudfront.net
      IN A
      18.245.31.49
    • flag-de
      GET
      http://dl.memuplay.com/download/assetbundle/rc.dll.b1317206
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      18.245.31.17:80
      Request
      GET /download/assetbundle/rc.dll.b1317206 HTTP/1.1
      Connection: Keep-Alive
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,*
      User-Agent: Mozilla/5.0
      Host: dl.memuplay.com
      Response
      HTTP/1.1 200 OK
      Content-Type: application/octet-stream
      Content-Length: 217088
      Connection: keep-alive
      Server: nginx/1.18.0 (Ubuntu)
      Last-Modified: Mon, 08 Jan 2024 08:40:35 GMT
      Accept-Ranges: bytes
      Date: Tue, 09 Apr 2024 13:12:33 GMT
      ETag: "659bb503-35000"
      X-Cache: Hit from cloudfront
      Via: 1.1 964525de46241eae6ff9f5fb91498662.cloudfront.net (CloudFront)
      X-Amz-Cf-Pop: FRA56-P8
      X-Amz-Cf-Id: RGepLS287jEeUOf_mGMTiJP4oTi78BO2rMpflyvS5-b9YUQN6SgMFA==
      Age: 1055202
    • flag-us
      DNS
      229.160.166.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      229.160.166.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      228.160.166.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.160.166.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      228.160.166.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.160.166.104.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      55.36.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      55.36.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      d2o3w12poh7bs1.cloudfront.net
      MEmu-setup-abroad-sdk-20240322.exe
      Remote address:
      8.8.8.8:53
      Request
      d2o3w12poh7bs1.cloudfront.net
      IN A
      Response
    • flag-us
      DNS
      17.31.245.18.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      17.31.245.18.in-addr.arpa
      IN PTR
      Response
      17.31.245.18.in-addr.arpa
      IN PTR
      server-18-245-31-17.fra56.r.cloudfront.net
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.32.209.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.32.209.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.114.53.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.114.53.23.in-addr.arpa
      IN PTR
      Response
      21.114.53.23.in-addr.arpa
      IN PTR
      a23-53-114-21.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      154.173.246.72.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.173.246.72.in-addr.arpa
      IN PTR
      Response
      154.173.246.72.in-addr.arpa
      IN PTR
      a72-246-173-154.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      154.173.246.72.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.173.246.72.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      119.110.54.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      119.110.54.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.139.73.23.in-addr.arpa
      IN PTR
      Response
      24.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-24.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      240.197.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.197.17.2.in-addr.arpa
      IN PTR
      Response
      240.197.17.2.in-addr.arpa
      IN PTR
      a2-17-197-240.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      249.197.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      249.197.17.2.in-addr.arpa
      IN PTR
      Response
      249.197.17.2.in-addr.arpa
      IN PTR
      a2-17-197-249.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      14.251.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.251.17.2.in-addr.arpa
      IN PTR
      Response
      14.251.17.2.in-addr.arpa
      IN PTR
      a2-17-251-14.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      14.251.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.251.17.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 659775
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 3580E8E2124D43FA96E8EEC51E40CC77 Ref B: LON04EDGE0606 Ref C: 2024-04-21T09:22:12Z
      date: Sun, 21 Apr 2024 09:22:11 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 621794
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 993FA6072E7C4C57842B79E83FCC3A4B Ref B: LON04EDGE0606 Ref C: 2024-04-21T09:22:12Z
      date: Sun, 21 Apr 2024 09:22:11 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 555746
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 7789EA33056740CE816B386CC2E6BC10 Ref B: LON04EDGE0606 Ref C: 2024-04-21T09:22:12Z
      date: Sun, 21 Apr 2024 09:22:11 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 638730
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 59413086FD6243E4A51321DD6AA0C5B7 Ref B: LON04EDGE0606 Ref C: 2024-04-21T09:22:12Z
      date: Sun, 21 Apr 2024 09:22:11 GMT
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.14.97.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.14.97.104.in-addr.arpa
      IN PTR
      Response
      217.14.97.104.in-addr.arpa
      IN PTR
      a104-97-14-217.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      217.14.97.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.14.97.104.in-addr.arpa
      IN PTR
      Response
      217.14.97.104.in-addr.arpa
      IN PTR
      a104-97-14-217.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      88.65.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.65.42.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.65.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.65.42.20.in-addr.arpa
      IN PTR
    • 104.166.160.229:80
      http://www.microvirt.com/new_market/service.php?action=getassetbundle&channel=cd5e1e2&ver=1.0.0
      http
      MEmu-setup-abroad-sdk-20240322.exe
      496 B
      725 B
      6
      5

      HTTP Request

      GET http://www.microvirt.com/new_market/service.php?action=getassetbundle&channel=cd5e1e2&ver=1.0.0

      HTTP Response

      200
    • 104.166.160.228:80
      http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=ShowWelcomePage&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1
      http
      MEmu-setup-abroad-sdk-20240322.exe
      739 B
      677 B
      6
      5

      HTTP Request

      GET http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=ShowWelcomePage&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1

      HTTP Response

      200
    • 104.166.160.228:80
      http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=StepStart&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1
      http
      MEmu-setup-abroad-sdk-20240322.exe
      687 B
      630 B
      5
      4

      HTTP Request

      GET http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=StepStart&lifeCycle=0&exitCode=0&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&acceptCount=-1&declineCount=-1&installOffers=-1

      HTTP Response

      200
    • 18.245.31.17:80
      http://dl.memuplay.com/download/assetbundle/rc.dll.b1317206
      http
      MEmu-setup-abroad-sdk-20240322.exe
      7.9kB
      224.1kB
      144
      164

      HTTP Request

      GET http://dl.memuplay.com/download/assetbundle/rc.dll.b1317206

      HTTP Response

      200
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      tls, http2
      90.2kB
      2.6MB
      1899
      1895

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.3kB
      9.6kB
      18
      16
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.3kB
      8.2kB
      17
      15
    • 8.8.8.8:53
      stat.microvirt.com
      dns
      MEmu-setup-abroad-sdk-20240322.exe
      64 B
      160 B
      1
      1

      DNS Request

      stat.microvirt.com

      DNS Response

      104.166.160.228
      104.166.160.229

    • 8.8.8.8:53
      www.microvirt.com
      dns
      MEmu-setup-abroad-sdk-20240322.exe
      63 B
      158 B
      1
      1

      DNS Request

      www.microvirt.com

      DNS Response

      104.166.160.229
      104.166.160.228

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      132 B
      90 B
      2
      1

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      134.32.126.40.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      134.32.126.40.in-addr.arpa

      DNS Request

      134.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      0.205.248.87.in-addr.arpa
      dns
      213 B
      116 B
      3
      1

      DNS Request

      0.205.248.87.in-addr.arpa

      DNS Request

      0.205.248.87.in-addr.arpa

      DNS Request

      0.205.248.87.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      219 B
      147 B
      3
      1

      DNS Request

      104.219.191.52.in-addr.arpa

      DNS Request

      104.219.191.52.in-addr.arpa

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      dl.memuplay.com
      dns
      MEmu-setup-abroad-sdk-20240322.exe
      61 B
      204 B
      1
      1

      DNS Request

      dl.memuplay.com

      DNS Response

      18.245.31.17
      18.245.31.52
      18.245.31.108
      18.245.31.49

    • 8.8.8.8:53
      229.160.166.104.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      229.160.166.104.in-addr.arpa

    • 8.8.8.8:53
      228.160.166.104.in-addr.arpa
      dns
      148 B
      128 B
      2
      1

      DNS Request

      228.160.166.104.in-addr.arpa

      DNS Request

      228.160.166.104.in-addr.arpa

    • 8.8.8.8:53
      55.36.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      55.36.223.20.in-addr.arpa

    • 8.8.8.8:53
      d2o3w12poh7bs1.cloudfront.net
      dns
      MEmu-setup-abroad-sdk-20240322.exe
      75 B
      142 B
      1
      1

      DNS Request

      d2o3w12poh7bs1.cloudfront.net

    • 8.8.8.8:53
      17.31.245.18.in-addr.arpa
      dns
      71 B
      127 B
      1
      1

      DNS Request

      17.31.245.18.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      198.32.209.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.32.209.4.in-addr.arpa

    • 8.8.8.8:53
      21.114.53.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      21.114.53.23.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      154.173.246.72.in-addr.arpa
      dns
      146 B
      139 B
      2
      1

      DNS Request

      154.173.246.72.in-addr.arpa

      DNS Request

      154.173.246.72.in-addr.arpa

    • 8.8.8.8:53
      119.110.54.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      119.110.54.20.in-addr.arpa

    • 8.8.8.8:53
      24.139.73.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      24.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      240.197.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      240.197.17.2.in-addr.arpa

    • 8.8.8.8:53
      249.197.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      249.197.17.2.in-addr.arpa

    • 8.8.8.8:53
      14.251.17.2.in-addr.arpa
      dns
      140 B
      133 B
      2
      1

      DNS Request

      14.251.17.2.in-addr.arpa

      DNS Request

      14.251.17.2.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      19.229.111.52.in-addr.arpa

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      124 B
      173 B
      2
      1

      DNS Request

      tse1.mm.bing.net

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      144 B
      316 B
      2
      2

      DNS Request

      56.126.166.20.in-addr.arpa

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      146 B
      288 B
      2
      2

      DNS Request

      240.221.184.93.in-addr.arpa

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      148 B
      256 B
      2
      2

      DNS Request

      172.210.232.199.in-addr.arpa

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      217.14.97.104.in-addr.arpa
      dns
      144 B
      274 B
      2
      2

      DNS Request

      217.14.97.104.in-addr.arpa

      DNS Request

      217.14.97.104.in-addr.arpa

    • 8.8.8.8:53
      88.65.42.20.in-addr.arpa
      dns
      140 B
      156 B
      2
      1

      DNS Request

      88.65.42.20.in-addr.arpa

      DNS Request

      88.65.42.20.in-addr.arpa

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\mds\mds.dll

      Filesize

      212KB

      MD5

      48f07e86c6d50f527d7fd5026a3fbe5c

      SHA1

      64184c950bc0622df2c8e7707d37fae566ee5722

      SHA256

      b1317206a12f105e28338fea33c5d1a66df07fb35586bb4e1727555bec90e71b

      SHA512

      9172b41d51643349cb0d755d1f90ffbe15cb7bd4ed80700d91c73f4afba17055f0488fd1d5858dea2843d545fd4752751d081dcf2117204cafe0f6fc3cf30c5d

    • memory/2340-26-0x000001F627E50000-0x000001F627E60000-memory.dmp

      Filesize

      64KB

    • memory/2340-62-0x000001F630400000-0x000001F630401000-memory.dmp

      Filesize

      4KB

    • memory/2340-61-0x000001F6302F0000-0x000001F6302F1000-memory.dmp

      Filesize

      4KB

    • memory/2340-60-0x000001F6302F0000-0x000001F6302F1000-memory.dmp

      Filesize

      4KB

    • memory/2340-58-0x000001F6302C0000-0x000001F6302C1000-memory.dmp

      Filesize

      4KB

    • memory/2340-42-0x000001F627F50000-0x000001F627F60000-memory.dmp

      Filesize

      64KB

    • memory/5072-20-0x0000000073960000-0x000000007399E000-memory.dmp

      Filesize

      248KB

    • memory/5072-25-0x00000000730C0000-0x0000000073870000-memory.dmp

      Filesize

      7.7MB

    • memory/5072-24-0x0000000004030000-0x0000000004040000-memory.dmp

      Filesize

      64KB

    • memory/5072-23-0x0000000006780000-0x0000000006812000-memory.dmp

      Filesize

      584KB

    • memory/5072-22-0x0000000008E10000-0x00000000093B4000-memory.dmp

      Filesize

      5.6MB

    • memory/5072-21-0x00000000730C0000-0x0000000073870000-memory.dmp

      Filesize

      7.7MB

    • memory/5072-19-0x00000000045F0000-0x000000000462E000-memory.dmp

      Filesize

      248KB

    • memory/5072-15-0x0000000004030000-0x0000000004040000-memory.dmp

      Filesize

      64KB
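    Two details in the report above are worth checking mechanically rather than by eye. First, the installer's telemetry requests to stat.microvirt.com go over plain HTTP and carry the machine's MAC address (mac=7A:A8:D8:E1:C8:DE) in the query string, so a stable hardware identifier leaves the host in cleartext. Second, the DLL fetched over plain HTTP from dl.memuplay.com is named rc.dll.b1317206, its Content-Length is 217088 bytes (212 KB), and the dropped C:\Users\Admin\AppData\Local\Temp\mds\mds.dll listed above is 212 KB with a SHA256 beginning b1317206, so the URL suffix is the first 32 bits of the file's SHA256. A truncated hash delivered over the same unauthenticated channel as the file is a cache key, not an integrity control: an on-path party can replace both. The script below is an added example written for this page, not tooling from tria.ge or from the MEmu project. It takes the request URLs, remote addresses and response headers from the report, but the response bodies are fabricated so that it runs offline, and the hypothetical HttpExchange record and review() function are this example's own.

    ```python
    """Review the HTTP exchanges of an installer run for cleartext transport,
    hardware identifiers in query strings, PE downloads and hash-prefix naming.

    Constructed example: URLs and headers come from the sandbox report above;
    the response bodies below are fabricated so the checks can run offline.
    """
    import hashlib
    import re
    from dataclasses import dataclass, field, replace
    from urllib.parse import parse_qs, urlsplit

    MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
    HEX_RE = re.compile(r"^[0-9a-f]{8,64}$")


    @dataclass
    class HttpExchange:
        """One request/response pair as a sandbox network log records it."""
        method: str
        url: str
        process: str
        remote: str
        resp_headers: dict = field(default_factory=dict)
        body: bytes = b""


    def hash_prefix_from_name(url: str):
        """Return the hex suffix of the last path segment, e.g. 'b1317206' for
        /download/assetbundle/rc.dll.b1317206, or None when there is no such
        suffix (service.php ends in 'php', which is not hex)."""
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        if "." not in name:
            return None
        suffix = name.rsplit(".", 1)[-1].lower()
        return suffix if HEX_RE.match(suffix) else None


    def review(ex: HttpExchange) -> list[str]:
        """Return the findings an analyst would want flagged for one exchange."""
        findings = []
        parts = urlsplit(ex.url)
        if parts.scheme == "http":
            findings.append("cleartext-http")
        # parse_qs drops empty values such as 'error=' and keeps repeats
        # such as 'initTime=0&initTime=0' as a list.
        for key, values in parse_qs(parts.query).items():
            if any(MAC_RE.match(v) for v in values):
                findings.append(f"hardware-id-in-query:{key}")
        # 'MZ' is the DOS header magic that every PE file starts with.
        if ex.body[:2] == b"MZ":
            findings.append("pe-download")
        expected = hash_prefix_from_name(ex.url)
        if expected is not None and ex.body:
            actual = hashlib.sha256(ex.body).hexdigest()
            findings.append("hash-prefix-ok" if actual.startswith(expected)
                            else "hash-prefix-mismatch")
        return findings


    # Telemetry request taken from the report (query shortened to the fields
    # that matter here); the body is empty because only the URL is reviewed.
    TELEMETRY = HttpExchange(
        method="GET",
        url=("http://stat.microvirt.com/new_market/service.php?action=postmemusetupinfo"
             "&table=memusetupinfo&packageName=MEmu-setup-abroad-sdk-20240322&insMode=ins"
             "&version=1.0.0.7&channel=cd5e1e00&silence=0&currPage=ShowWelcomePage"
             "&mac=7A:A8:D8:E1:C8:DE&error=&initTime=0&initTime=0&installOffers=-1"),
        process="MEmu-setup-abroad-sdk-20240322.exe",
        remote="104.166.160.228:80",
        resp_headers={"content-type": "text/html;charset=utf-8"},
    )

    # Fabricated PE-like payload standing in for the real rc.dll download.
    FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 1024
    FAKE_PREFIX = hashlib.sha256(FAKE_DLL).hexdigest()[:8]

    # The download as the report shows it, with the file named after the
    # first 32 bits of its own SHA256 (the rc.dll.b1317206 scheme).
    DOWNLOAD = HttpExchange(
        method="GET",
        url=f"http://dl.memuplay.com/download/assetbundle/rc.dll.{FAKE_PREFIX}",
        process="MEmu-setup-abroad-sdk-20240322.exe",
        remote="18.245.31.17:80",
        resp_headers={"content-type": "application/octet-stream",
                      "content-length": str(len(FAKE_DLL))},
        body=FAKE_DLL,
    )

    # Same request, but an on-path party changed the last byte of the body.
    TAMPERED = replace(DOWNLOAD, body=FAKE_DLL[:-1] + b"\x01")


    if __name__ == "__main__":
        for ex in (TELEMETRY, DOWNLOAD, TAMPERED):
            print(ex.process, ex.remote, ex.url.split("?")[0], review(ex))
    ```

    The mismatch case shows what the name-based check can and cannot do: it catches a corrupted or swapped body only if the attacker did not also rewrite the URL, which over cleartext HTTP they can. The practical control is to verify the dropped DLL against a hash obtained out of band (for instance the SHA256 listed in the Downloads section above) and to treat any installer that fetches executable code over port 80 as something to pin, proxy or block.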