Resubmissions

Submitted           | Task ID           | Score
08/05/2024, 21:44   | 240508-1lg3dabe46 | 8
08/05/2024, 21:22   | 240508-z7vpxsgb7v | 8
08/05/2024, 21:14   | 240508-z3b21sfh5x | 8

Analysis

max time kernel:  527s
max time network: 533s
platform:         windows10-2004_x64
resource:         win10v2004-20240426-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted:        08/05/2024, 21:44
Static task:     static1
URLScan task:    urlscan1
Behavioral task: behavioral1
  Sample:   https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html
  Resource: win10v2004-20240426-en
General

Target: https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html

Malware Config

Signatures

Downloads MZ/PE file
Drops file in Drivers directory (3 IoCs)

Description | IoC | Process
File opened for modification | C:\Windows\system32\DRIVERS\MEmuDrv.sys | MEmuDrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\SET931E.tmp | MEmuDrvInst.exe
File created | C:\Windows\system32\DRIVERS\SET931E.tmp | MEmuDrvInst.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for a geofence.

Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MEmu.exe
Executes dropped EXE (29 IoCs)

pid  | Process
4536 | MEmu-Setup-9.1.2.0-ha8edcb97c.exe
5680 | 7za.exe
924  | 7za.exe
5828 | 7za.exe
5092 | MEmuDrvInst.exe
1472 | MEmuManage.exe
180  | MEmuSVC.exe
6020 | MEmuSVC.exe
3192 | MEmuSVC.exe
3124 | MEmuSVC.exe
1176 | MemuService.exe
1488 | MEmuManage.exe
3188 | MEmuSVC.exe
3972 | MEmuRepair.exe
524  | MEmuManage.exe
5724 | MEmuManage.exe
3436 | MEmuc.exe
5336 | MEmuConsole.exe
5864 | MEmuSVC.exe
5652 | MEmu.exe
3124 | MEmuSVC.exe
2964 | MEmuManage.exe
2824 | MEmuManage.exe
5740 | screenrecord.exe
5832 | MEmu.exe
4668 | MEmuSVC.exe
5264 | MEmu.exe
3140 | MEmuRepair.exe
4964 | MEmuSVC.exe
Loads dropped DLL (64 IoCs)

Identical pid/process rows are collapsed; the last column is the number of load events the report lists for that pid.

pid  | Process         | Load events
5092 | MEmuDrvInst.exe | 1
1472 | MEmuManage.exe  | 12
180  | MEmuSVC.exe     | 10
6020 | MEmuSVC.exe     | 9
5988 | regsvr32.exe    | 1
1008 | regsvr32.exe    | 8
4936 | regsvr32.exe    | 1
6012 | regsvr32.exe    | 9
5696 | regsvr32.exe    | 13
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Registers COM server for autorun (1 TTP, 50 IoCs)

All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\. Rows the report repeats verbatim are collapsed, with the repeat count after the process name.

Description | IoC | Process
Key created | {0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32 | regsvr32.exe
Key created | {0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | MEmuSVC.exe (x4)
Key created | {0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32 | MEmuManage.exe
Key created | {0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | MEmuManage.exe
Key deleted | {0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32 | regsvr32.exe
Key deleted | {0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32 | regsvr32.exe
Set value (str) | {0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll" | MEmuManage.exe
Set value (str) | {0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll" | regsvr32.exe
Set value (str) | {0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
Set value (str) | {0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32\ThreadingModel = "Both" | MEmuManage.exe
Key created | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | MEmuSVC.exe (x4)
Key created | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | MEmuManage.exe (x2)
Key created | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | regsvr32.exe
Key deleted | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | regsvr32.exe (x2)
Set value (str) | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | regsvr32.exe
Set value (str) | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | MEmuManage.exe
Set value (str) | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ThreadingModel = "Free" | MEmuManage.exe
Set value (str) | {3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ThreadingModel = "Free" | regsvr32.exe
Key created | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | regsvr32.exe
Key created | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | MEmuSVC.exe (x4)
Key created | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | MEmuManage.exe (x2)
Key deleted | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | regsvr32.exe (x2)
Set value (str) | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | MEmuManage.exe
Set value (str) | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | regsvr32.exe
Set value (str) | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ThreadingModel = "Free" | regsvr32.exe
Set value (str) | {dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ThreadingModel = "Free" | MEmuManage.exe
Key created | {b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | regsvr32.exe
Key created | {b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | MEmuSVC.exe (x4)
Key created | {b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | MEmuManage.exe (x2)
Key deleted | {b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | regsvr32.exe (x2)
Set value (str) | {b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\"" | regsvr32.exe
Set value (str) | {b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\"" | MEmuManage.exe
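Once key case is ignored, the 50 rows above describe four CLSIDs, each with a single server binary, and all four binaries sit under C:\Program Files\Microvirt\MEmuHyperv (the interface names registered alongside them further down, such as ISnapshotRestoredEvent, IGuestFileIOEvent and IDnDTarget, are VirtualBox COM API names). The signature fires on the registration mechanism, not on where the server lives, so the triage question a reviewer actually needs answered is whether any InprocServer32 or LocalServer32 target points somewhere an unprivileged user can write. The Python below is an added example, not code from this report or from MEmu: it parses rows in the report's own description / ioc / process form, folds the mixed-case duplicate keys into one record per CLSID and flags servers outside a trusted-root allowlist. The allowlist is an assumption for the example, and the final row with the deadbeef CLSID is a constructed hijack case that does not appear in this report.

```python
"""Collapse Triage 'Registers COM server' IoC rows and flag untrusted server paths.

Added example: the rows, the trusted-root list and the last (deadbeef) row are
constructed for this demonstration; the eight report rows are copied from the
table above.
"""
import re

# Roots an unprivileged user cannot write to. Assumption for this example; a real
# allowlist would also carry the expected Authenticode signer per path.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# (Description, IoC, Process) rows. The first eight are from the report; the last
# one is constructed and is NOT in the report: an in-process server under a
# user-writable path, which is what a COM hijack looks like in this table.
ROWS = [
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32", "regsvr32.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ThreadingModel = "Both"', "regsvr32.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll"', "MEmuManage.exe"),
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32", "regsvr32.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll"', "regsvr32.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll"', "MEmuManage.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32", "MEmuSVC.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\""', "regsvr32.exe"),
    # constructed counter-example, not from the report
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{deadbeef-0000-4000-8000-000000000000}\InprocServer32\ = "C:\\Users\\Public\\updater.dll"', "regsvr32.exe"),
]

# Matches the server subkey itself; ThreadingModel and other subvalues do not match.
_KEY_RE = re.compile(r"\\CLSID\\\{([0-9a-f-]{36})\}\\(InprocServer32|LocalServer32)$", re.IGNORECASE)


def c_unescape(s):
    """Undo the C-style escaping Triage applies inside the quoted value (\\\\ and \\")."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_row(ioc):
    """Return (clsid, server_kind, path_or_None) for a server-subkey row, else None."""
    key, _, raw = ioc.partition(" = ")
    m = _KEY_RE.search(key.rstrip("\\"))
    if not m:
        return None
    clsid, kind = m.group(1).lower(), m.group(2).lower()
    path = None
    if raw.startswith('"') and raw.endswith('"'):
        # LocalServer32 holds a command line, so the program path may be quoted again.
        path = c_unescape(raw[1:-1]).strip('"')
    return clsid, kind, path


def triage(rows):
    """One record per case-folded CLSID: server kind, path, writing processes, trust verdict."""
    servers = {}
    for _description, ioc, process in rows:
        parsed = parse_row(ioc)
        if parsed is None:
            continue
        clsid, kind, path = parsed
        rec = servers.setdefault(clsid, {"kind": kind, "path": None, "processes": set(), "events": 0})
        rec["events"] += 1
        rec["processes"].add(process)
        if path is not None:
            rec["path"] = path
    for rec in servers.values():
        rec["trusted"] = (rec["path"] or "").lower().startswith(TRUSTED_ROOTS)
    return servers


def untrusted(servers):
    """CLSIDs whose server binary is missing from the rows or lives outside the trusted roots."""
    return sorted(c for c, r in servers.items() if not r["trusted"])


if __name__ == "__main__":
    for clsid, rec in triage(ROWS).items():
        flag = "ok " if rec["trusted"] else "!! "
        print(f"{flag}{clsid} {rec['kind']:14} {rec['path']}  via {sorted(rec['processes'])}")
```

Run against the full table the report's four CLSIDs all come back trusted; only the constructed deadbeef entry is flagged. A path under a trusted root is necessary but not sufficient, so on a live host the next step is to check the signer of each listed DLL and EXE (for example with Get-AuthenticodeSignature in PowerShell) before closing the finding.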
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.

Description | IoC | Process
File opened for modification | \??\PHYSICALDRIVE0 | MEmu.exe
File opened for modification | \??\PHYSICALDRIVE0 | MEmu.exe
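The two rows record a handle to \??\PHYSICALDRIVE0 requested with write access; they do not show any bytes being written, and a VM manager may open the raw disk for reasons unrelated to the boot sector. The signature therefore needs confirmation rather than acceptance: read sector 0 before and after the process ran (Sysmon Event ID 9, RawAccessRead, logs the raw-device reads themselves) and compare the fields a bootkit would have to change. The Python below is an added example, not part of the report: parse_mbr decodes a 512-byte boot sector into its boot-code hash, disk signature and partition table, and diff_mbr reports which of those changed. The two sample sectors are constructed so the example runs offline; on a Windows host the inputs would be 512-byte reads of \\.\PhysicalDrive0 taken as administrator.

```python
"""Baseline and compare an MBR boot sector (added example, not from the report).

Layout of the 512-byte sector: bytes 0-439 boot code, 440-443 disk signature,
446-509 four 16-byte partition entries, 510-511 the 0x55AA boot signature.
The sample sectors at the bottom are constructed.
"""
import hashlib
import struct

BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector):
    """Decode a 512-byte MBR into boot-code hash, disk signature and partition table."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = 446 + 16 * slot
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def diff_mbr(before, after):
    """Human-readable list of changes between two boot sectors; an empty list means untouched."""
    a, b = parse_mbr(before), parse_mbr(after)
    changes = []
    if a["bootcode_sha256"] != b["bootcode_sha256"]:
        changes.append("boot code rewritten (sha256 %s.. -> %s..)"
                       % (a["bootcode_sha256"][:12], b["bootcode_sha256"][:12]))
    if a["disk_signature"] != b["disk_signature"]:
        changes.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        changes.append("partition table changed")
    return changes


def build_sample_mbr(bootcode, partitions, disk_signature=0x1234ABCD):
    """Construct a synthetic MBR; partitions are (bootable, type, lba_start, sectors) tuples."""
    if len(bootcode) > 440:
        raise ValueError("boot code area is 440 bytes")
    sector = bytearray(512)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, disk_signature)
    for slot, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = 446 + 16 * slot
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed baseline: one bootable type-0x07 partition starting at LBA 2048.
CLEAN = build_sample_mbr(b"\xeb\x63\x90" + b"\x00" * 437, [(True, 0x07, 2048, 1 << 20)])
# Constructed "after" image with a different jump target in the boot code, which is
# the kind of change a bootkit overwrite produces while leaving the partition table intact.
TAMPERED = build_sample_mbr(b"\xeb\x10\x90" + b"\x00" * 437, [(True, 0x07, 2048, 1 << 20)])

if __name__ == "__main__":
    print("unchanged:", diff_mbr(CLEAN, CLEAN))
    print("tampered: ", diff_mbr(CLEAN, TAMPERED))
```

Hashing only the first 440 bytes keeps the comparison stable across writes that legitimately touch the disk signature, and comparing the decoded partition entries rather than raw bytes makes the report say what moved.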
Drops file in System32 directory (6 IoCs)

Description | IoC | Process
File created | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.sys | MEmuDrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | MEmuDrvInst.exe
File opened for modification | C:\Windows\system32\DRVSTORE | MEmuDrvInst.exe
File created | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf | MEmuDrvInst.exe
File opened for modification | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf | MEmuDrvInst.exe
File created | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.cat | MEmuDrvInst.exe
Drops file in Program Files directory (64 IoCs)

Description | IoC | Process
File opened for modification | C:\Program Files\Microvirt\MEmu\opengl32sw.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuDD2RC.rc | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuHeadless.exe | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\libEGL.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\config.ini.tLMysH | MEmuConsole.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\resources\img\e.img | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_zh_tr.qm | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_pt_BR.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_uk.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_zh.qm | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_cs.qm | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_ko.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\opengl32sw.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\en-US.pak | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fil.pak | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\lang\MEmu_de.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\libGLES_CM_translator.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\x86\libcrypto-1_1.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qt_de.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\adbdrv\32\i386\USBCoInstaller.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\libxysprt.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\quicklinkicon | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\MEmuGuestPropSvc.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv32.7z | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qt_gd.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\Qt5QmlModels.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\config.ini.fX4536 | MEmu-Setup-9.1.2.0-ha8edcb97c.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\Qt5Network.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\zh-TW.pak | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\HPVR0.r0 | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\MEmuNetLwf.sys | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\bn.pak | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\hu.pak | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\kn.pak | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\resources\qtwebengine_resources_200p.pak | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_tl.qm | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\MEmu.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\libcurl.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\msvcr100.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\Qt5Gui.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\playlistformats\qtmultimedia_m3u.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fr.pak | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\hi.pak | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_ru.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\mediaservice\dsengine.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv32.7z | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fi.pak | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_hu.qm | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\image\96\MEmu96-2024040200027FFF-disk2.vmdk | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\NetFltInstall.exe | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\NetFltInstall.exe | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\th.pak | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\adbdrv\64\android_winusb.inf | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\platforms\qoffscreen.dll | 7za.exe
File created | C:\Program Files\Microvirt\MEmuHyperv\x86\msvcr100.dll | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmuHyperv64.7z | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\nb.pak | 7za.exe
File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\sl.pak | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\consoleskins\Other\Yellow | 7za.exe
File opened for modification | C:\Program Files\Microvirt\MEmu\config.ini.enKqBI | MEmuConsole.exe
Launches sc.exe (24 IoCs)
sc.exe is the Windows utility for controlling services on the system. The report lists only the process IDs, not the command lines, so which services were created, configured or started cannot be read from this section.

pid | Process
1420, 2328, 1032, 1216, 5796, 5772, 5268, 4440, 6052, 3532, 3256, 5608, 3704, 3756, 5996, 5660, 5992, 3108, 4164, 2596, 5612, 4612, 5192, 2320 | sc.exe (one row per pid)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 9 IoCs)
Processor information is often read in order to detect sandboxing environments.

Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MEmu-Setup-9.1.2.0-ha8edcb97c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MEmuConsole.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MEmuConsole.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MEmu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MEmu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MEmu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | MEmu-Setup-9.1.2.0-ha8edcb97c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MEmu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MEmu-Setup-9.1.2.0-ha8edcb97c.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)

Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.

pid  | Process
3972 | ipconfig.exe
Modifies data under HKEY_USERS (64 IoCs)

All keys below are under \REGISTRY\USER\.DEFAULT\. Every row is written by SearchProtocolHost.exe or SearchFilterHost.exe, the Windows Search indexer processes, not by any of the dropped MEmu executables. "oregres.dll" abbreviates C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll.

Set value (str) under Software\Classes\Local Settings\MuiCache\2a\52C64B7E\ by SearchProtocolHost.exe (33 rows):

Resource | Value
@oregres.dll,-124 | "Microsoft Word Macro-Enabled Document"
@C:\Windows\regedit.exe,-309 | "Registration Entries"
@oregres.dll,-175 | "Microsoft PowerPoint Slide Show"
@oregres.dll,-194 | "Microsoft Excel Add-In"
@C:\Windows\System32\ieframe.dll,-914 | "SVG Document"
@oregres.dll,-140 | "Microsoft OneNote Section"
@C:\Windows\System32\ieframe.dll,-24585 | "Cascading Style Sheet Document"
@C:\Windows\system32\msinfo32.exe,-10001 | "System Information File"
@oregres.dll,-103 | "Microsoft Excel Macro-Enabled Worksheet"
@oregres.dll,-126 | "Microsoft Word Macro-Enabled Template"
@C:\Windows\System32\ieframe.dll,-915 | "XHTML Document"
@oregres.dll,-131 | "Rich Text Format"
@oregres.dll,-121 | "Microsoft Word 97 - 2003 Template"
@oregres.dll,-107 | "Microsoft Excel Comma Separated Values File"
@C:\Windows\system32\windows.storage.dll,-10152 | "File folder"
@windows.storage.dll,-21824 | "Camera Roll"
@oregres.dll,-120 | "Microsoft Word 97 - 2003 Document"
@oregres.dll,-123 | "Microsoft Word Document"
@C:\Windows\System32\ieframe.dll,-913 | "MHTML Document"
@C:\Windows\system32\unregmp2.exe,-9912 | "Windows Media Audio file"
@C:\Windows\System32\ieframe.dll,-912 | "HTML Document"
@C:\Windows\system32\unregmp2.exe,-9925 | "MP3 Format Sound"
@C:\Windows\System32\searchfolder.dll,-9023 | "Saved Search"
@C:\Windows\system32\unregmp2.exe,-9902 | "Movie Clip"
@C:\Windows\system32\cabview.dll,-20 | "Cabinet File"
@windows.storage.dll,-34583 | "Saved Pictures"
@C:\Windows\system32\unregmp2.exe,-9932 | "MP4 Video"
@oregres.dll,-142 | "Microsoft OneNote Table Of Contents"
@C:\Windows\system32\notepad.exe,-469 | "Text Document"
@oregres.dll,-176 | "Microsoft PowerPoint Macro-Enabled Presentation"
@C:\Windows\system32\unregmp2.exe,-9911 | "Windows Media Audio shortcut"
@C:\Windows\system32\unregmp2.exe,-9934 | "AVCHD Video"
@oregres.dll,-170 | "Microsoft PowerPoint 97-2003 Presentation"

Set value (data) under Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\ by SearchProtocolHost.exe (7 rows; each value name is the CLSID followed by {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF):

CLSID | Data
{01BE4CFB-129A-452B-A209-F9D40B3B84A5} | 01000000000000007c6f56e791a1da01
{3DBEE9A1-C471-4B95-BBCA-F39310064458} | 01000000000000002e7f13e891a1da01
{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} | 01000000000000002b7f04e791a1da01
{E46787A1-4629-4423-A693-BE1F003B2742} | 010000000000000085b71de891a1da01
{487BA7B8-4DB0-465F-B122-C74A445A095D} | 0100000000000000953938e791a1da01
{AEB16279-B750-48F1-8586-97956060175A} | 01000000000000002f7d21e791a1da01
{C120DE80-FDE4-49F5-A713-E902EF062B8A} | 01000000000000002a1126e791a1da01

Key created by SearchProtocolHost.exe (12 rows):
Software
Software\Microsoft
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList

Key created by SearchFilterHost.exe (12 rows):
SOFTWARE
Software
Software\Microsoft
Software\Microsoft\Windows
Software\Microsoft\Windows\CurrentVersion\Shell Extensions
Software\Microsoft\Multimedia
Software\Microsoft\MPEG2Demultiplexer
SOFTWARE\Microsoft\MPEG2Demultiplexer
Software\Microsoft\SystemCertificates\My
Software\Microsoft\ActiveMovie
Software\Microsoft\ActiveMovie\devenum 64-bit
Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
Modifies registry class 64 IoCs
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 1113.crdownload:SmartScreen msedge.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5848 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 8 IoCs
pid Process 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 3972 MEmuRepair.exe 5336 MEmuConsole.exe 5652 MEmu.exe 5832 MEmu.exe 5740 screenrecord.exe 5264 MEmu.exe 3140 MEmuRepair.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 1192 msedge.exe 1192 msedge.exe 2016 msedge.exe 2016 msedge.exe 628 identity_helper.exe 628 identity_helper.exe 464 msedge.exe 464 msedge.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 6020 msedge.exe 6020 msedge.exe 6020 msedge.exe 6020 msedge.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 5336 MEmuConsole.exe 5264 MEmu.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 656 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: 33 5572 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5572 SearchIndexer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe -
Suspicious use of SendNotifyMessage 41 IoCs
pid Process 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 2016 msedge.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe -
Suspicious use of SetWindowsHookEx 59 IoCs
pid Process 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 5680 7za.exe 924 7za.exe 5828 7za.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 1472 MEmuManage.exe 180 MEmuSVC.exe 6020 MEmuSVC.exe 3192 MEmuSVC.exe 3124 MEmuSVC.exe 1488 MEmuManage.exe 3188 MEmuSVC.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 3972 MEmuRepair.exe 3972 MEmuRepair.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 524 MEmuManage.exe 5724 MEmuManage.exe 3436 MEmuc.exe 3436 MEmuc.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 3436 MEmuc.exe 5864 MEmuSVC.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 5336 MEmuConsole.exe 5652 MEmu.exe 5652 MEmu.exe 5652 MEmu.exe 3124 MEmuSVC.exe 2964 MEmuManage.exe 5832 MEmu.exe 5832 MEmu.exe 5832 MEmu.exe 5740 screenrecord.exe 4668 MEmuSVC.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 4536 MEmu-Setup-9.1.2.0-ha8edcb97c.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 5264 MEmu.exe 3140 MEmuRepair.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2016 wrote to memory of 1868 2016 msedge.exe 83 PID 2016 wrote to memory of 1868 2016 msedge.exe 83 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 
msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 2296 2016 msedge.exe 84 PID 2016 wrote to memory of 1192 2016 msedge.exe 85 PID 2016 wrote to memory of 1192 2016 msedge.exe 85 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 PID 2016 wrote to memory of 2388 2016 msedge.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2016)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1868)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe730346f8,0x7ffe73034708,0x7ffe73034718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2296)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1192)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2388)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3616)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2700)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2148)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5056 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4176)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2816)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4884)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 628)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4440)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3540)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5152)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5160)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 464)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe (PID 4536)
    Command line: "C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\sc.exe (PID 1420)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 5268)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 4164)
      Command line: C:\Windows\System32\sc query MEmuUSB
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 4440)
      Command line: C:\Windows\System32\sc query MEmuNetFlt
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 6052)
      Command line: C:\Windows\System32\sc query MEmuNetLwf
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 5996)
      Command line: C:\Windows\System32\sc query MEmuNetAdp
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 2596)
      Command line: C:\Windows\System32\sc query MEmuNetFlt
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 2328)
      Command line: C:\Windows\System32\sc query MEmuNetLwf
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 1032)
      Command line: C:\Windows\System32\sc query MEmuNetAdp
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 3532)
      Command line: C:\Windows\System32\sc query MEmuUSBMon
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 3256)
      Command line: C:\Windows\System32\sc query MEmuDrv
      - Launches sc.exe

    C:\Windows\SysWOW64\regsvr32.exe (PID 1984)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

    C:\Windows\SysWOW64\regsvr32.exe (PID 2204)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

    C:\Windows\SysWOW64\regsvr32.exe (PID 5600)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"

    C:\Windows\SysWOW64\regsvr32.exe (PID 868)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"

    C:\Windows\SysWOW64\sc.exe (PID 5608)
      Command line: "C:\Windows\system32\sc" query MEmuDrv
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 5612)
      Command line: "C:\Windows\system32\sc" query MEmuUSBMon
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 5660)
      Command line: "C:\Windows\system32\sc" query MEmuNetFlt
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 4612)
      Command line: "C:\Windows\system32\sc" query MEmuNetLwf
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 1216)
      Command line: "C:\Windows\system32\sc" query MEmuNetAdp
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 5796)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 5772)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Program Files\Microvirt\tempDir\7za.exe (PID 5680)
      Command line: "C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\tempDir\Setup.7z" "-oC:\Program Files\Microvirt"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\tempDir\7za.exe (PID 924)
      Command line: "C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv64.7z" "-oC:\Program Files\Microvirt\MEmuHyperv"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\tempDir\7za.exe (PID 5828)
      Command line: "C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv32.7z" "-oC:\Program Files\Microvirt\MEmuHyperv\x86" libcurl.dll libcrypto-1_1.dll libssl-1_1.dll msvcp100.dll msvcr100.dll msvcr120.dll MEmuC.dll MEmuHPV.dll MEmuProxyStub.dll MEmuREM.dll MEmuRT.dll
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\sc.exe (PID 5192)
      Command line: C:\Windows\System32\sc query MEmuDrv
      - Launches sc.exe

    C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe (PID 5092)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe" driver install "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory

    C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (PID 1472)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
      - Executes dropped EXE
      - Loads dropped DLL
      - Registers COM server for autorun
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe (PID 6020)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /UnregServer
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\regsvr32.exe (PID 5988)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
      - Loads dropped DLL

      C:\Windows\system32\regsvr32.exe (PID 1008)
        Command line: /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
        - Loads dropped DLL

    C:\Windows\SysWOW64\regsvr32.exe (PID 4936)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
      - Loads dropped DLL

      C:\Windows\system32\regsvr32.exe (PID 6012)
        Command line: /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
        - Loads dropped DLL
        - Registers COM server for autorun
        - Modifies registry class

    C:\Windows\SysWOW64\regsvr32.exe (PID 5696)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"
      - Loads dropped DLL

    C:\Windows\SysWOW64\regsvr32.exe (PID 2156)
      Command line: "C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"

    C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe (PID 3192)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /RegServer
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\regsvr32.exe (PID 680)
      Command line: "C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

      C:\Windows\system32\regsvr32.exe (PID 5888)
        Command line: /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

    C:\Windows\SysWOW64\regsvr32.exe (PID 5532)
      Command line: "C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

      C:\Windows\system32\regsvr32.exe (PID 5460)
        Command line: /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
        - Registers COM server for autorun
        - Modifies registry class

    C:\Windows\SysWOW64\regsvr32.exe (PID 3460)
      Command line: "C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"

    C:\Windows\SysWOW64\regsvr32.exe (PID 2720)
      Command line: "C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"
      - Modifies registry class

    C:\Windows\SysWOW64\sc.exe (PID 3704)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 5992)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 2320)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 3108)
      Command line: C:\Windows\system32\sc start MEmuSVC
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 3756)
      Command line: C:\Windows\System32\sc query MEmuSVC
      - Launches sc.exe

    C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (PID 1488)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"
      - Executes dropped EXE
      - Registers COM server for autorun
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmu\MEmuRepair.exe (PID 3972)
      Command line: "C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --getVtStatus
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (PID 524)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (PID 5724)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" showmediuminfo "C:\Program Files\Microvirt\MEmu\image\96\MEmu96-2024040200027FFF-disk1.vmdk"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmu\MEmuc.exe (PID 3436)
      Command line: "C:\Program Files\Microvirt\MEmu\MEmuc.exe" create 96
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\Program Files\Microvirt\MEmu\MEmuConsole.exe (PID 5336)
        Command line: "C:\Program Files\Microvirt\MEmu\MEmuConsole.exe" -b
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Checks processor information in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmu\MEmu.exe (PID 5652)
      Command line: "C:\Program Files\Microvirt\MEmu\MEmu.exe" adjustconfig MEmu
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (PID 2964)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (PID 2824)
      Command line: "C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
      - Executes dropped EXE

    C:\Program Files\Microvirt\MEmu\screenrecord.exe
      Command line: "C:\Program Files\Microvirt\MEmu\screenrecord.exe"
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5740
-
-
C:\Program Files\Microvirt\MEmu\MEmu.exe"C:\Program Files\Microvirt\MEmu\MEmu.exe" install3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.memuplay.com/thanks/3⤵PID:5872
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe730346f8,0x7ffe73034708,0x7ffe730347184⤵PID:1236
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6164 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:6020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:12⤵PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵PID:636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:12⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵PID:5992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:12⤵PID:3728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2000 /prefetch:82⤵PID:5296
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:732
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1588
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3172
-
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:180
-
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3124
-
C:\Program Files\Microvirt\MEmu\MemuService.exe"C:\Program Files\Microvirt\MEmu\MemuService.exe"1⤵
- Executes dropped EXE
PID:1176
-
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3188
-
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5864
-
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3124
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3192
-
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4668
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"1⤵PID:6052
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4c4 0x1501⤵PID:1476
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5572 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:628
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 7842⤵
- Modifies data under HKEY_USERS
PID:2816
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"1⤵PID:4180
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"1⤵PID:2380
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe"1⤵PID:2928
-
C:\Program Files\Microvirt\MEmu\MEmu.exe"C:\Program Files\Microvirt\MEmu\MEmu.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5264 -
C:\Windows\SysWOW64\cmd.execmd /c chcp 65001 && ping www.baidu.com -n 52⤵PID:4180
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:3636
-
-
C:\Windows\SysWOW64\PING.EXEping www.baidu.com -n 53⤵
- Runs ping.exe
PID:5848
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵PID:3512
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
PID:3972
-
-
-
C:\Program Files\Microvirt\MEmu\MEmuRepair.exe"C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --repairDrv2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3140 -
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /UnregServer3⤵
- Executes dropped EXE
PID:4964
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"3⤵PID:4948
-
C:\Windows\system32\regsvr32.exe/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"4⤵PID:6092
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"3⤵PID:3560
-
C:\Windows\system32\regsvr32.exe/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"4⤵
- Registers COM server for autorun
- Modifies registry class
PID:5680
-
-
-
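The process entries are more useful as a tree than as a flat list: the regsvr32 pairs (a SysWOW64 regsvr32 re-executing the system32 one for the same DLL), sc.exe starting MEmuSVC, the MBR-write signature on both MEmu.exe runs, and MEmu.exe spawning cmd.exe to ping www.baidu.com are all parent/child facts. The Python below is an added example, not part of the sandbox's own tooling: it rebuilds the tree from the depth markers and runs a few detection rules over it. The RAW records are constructed from entries visible in the tree above; rule names and what they flag are this example's own choices.

```python
"""Rebuild a sandbox process tree from flattened (depth, image, cmdline, pid,
signatures) records and run detection rules over it.

Added example for this report, not the sandbox's own code. RAW is constructed
from a subset of the entries shown in the process tree above."""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: int
    sigs: list
    parent: "Proc | None" = None
    children: list = field(default_factory=list)


# (depth, image, command line, PID, signatures) copied from the report above.
RAW = [
    (3, r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"', 5532, []),
    (4, r"C:\Windows\system32\regsvr32.exe",
     r'/s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"', 5460,
     ["Registers COM server for autorun", "Modifies registry class"]),
    (3, r"C:\Windows\SysWOW64\sc.exe", r"C:\Windows\system32\sc start MEmuSVC", 3108, ["Launches sc.exe"]),
    (3, r"C:\Program Files\Microvirt\MEmu\MEmu.exe",
     r'"C:\Program Files\Microvirt\MEmu\MEmu.exe" install', 5832,
     ["Executes dropped EXE", "Writes to the Master Boot Record (MBR)"]),
    (1, r"C:\Program Files\Microvirt\MEmu\MEmu.exe",
     r'"C:\Program Files\Microvirt\MEmu\MEmu.exe"', 5264,
     ["Executes dropped EXE", "Writes to the Master Boot Record (MBR)"]),
    (2, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c chcp 65001 && ping www.baidu.com -n 5", 4180, []),
    (3, r"C:\Windows\SysWOW64\chcp.com", r"chcp 65001", 3636, []),
    (3, r"C:\Windows\SysWOW64\PING.EXE", r"ping www.baidu.com -n 5", 5848, ["Runs ping.exe"]),
    (2, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c ipconfig /flushdns", 3512, []),
    (3, r"C:\Windows\SysWOW64\ipconfig.exe", r"ipconfig /flushdns", 3972, ["Gathers network information"]),
]


def build_tree(raw):
    """Link each record to the nearest preceding record of smaller depth.
    Entries whose parent lies outside the input (the depth-3 ones here) become roots."""
    procs, stack = [], []
    for depth, image, cmdline, pid, sigs in raw:
        p = Proc(depth, image, cmdline, pid, list(sigs))
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def argv(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_system_path(path):
    return path.lower().startswith("c:\\windows\\")


def descendants(p):
    for c in p.children:
        yield c
        yield from descendants(c)


def rule_com_registration(p):
    """Silent regsvr32 registration of a DLL outside the Windows directory.
    /u (unregister) is ignored, and the 64-bit regsvr32 that the SysWOW64 copy
    re-executes for the same DLL is reported once, on the parent."""
    if not p.image.lower().endswith("regsvr32.exe"):
        return None
    args = argv(p.cmdline)
    dlls = [a for a in args if a.lower().endswith(".dll")]
    if "/u" in (a.lower() for a in args) or not dlls or is_system_path(dlls[0]):
        return None
    par = p.parent
    if par and par.image.lower().endswith("regsvr32.exe") and dlls[0] in argv(par.cmdline):
        return None
    return f"silent COM registration of {dlls[0]}"


def rule_service_start(p):
    if not p.image.lower().endswith("\\sc.exe"):
        return None
    args = argv(p.cmdline)
    for i, a in enumerate(args[:-1]):
        if a.lower() == "start":
            return f"service start via sc.exe: {args[i + 1]}"
    return None


MBR_SIG = "Writes to the Master Boot Record (MBR)"


def rule_mbr_write(p):
    return f"{MBR_SIG} by {p.image}" if MBR_SIG in p.sigs else None


def rule_dropped_exe_connectivity_check(p):
    """A dropped executable whose descendants run ping against some host."""
    if "Executes dropped EXE" not in p.sigs:
        return None
    for d in descendants(p):
        if d.image.lower().endswith("\\ping.exe"):
            args = argv(d.cmdline)
            host = next((a for a in args[1:] if not a.startswith("-")), "?")
            return f"dropped binary {p.image} runs ping to {host} via {d.parent.image}"
    return None


RULES = [rule_com_registration, rule_service_start, rule_mbr_write, rule_dropped_exe_connectivity_check]


def run_rules(procs):
    findings = []
    for p in procs:
        for rule in RULES:
            hit = rule(p)
            if hit:
                findings.append((rule.__name__, p.pid, hit))
    return findings


def analyze(raw=RAW):
    return run_rules(build_tree(raw))


if __name__ == "__main__":
    for name, pid, detail in analyze():
        print(f"[{name}] pid={pid}: {detail}")
```

On the records above this yields five findings: one COM registration (for PID 5532, with the re-executed PID 5460 folded into it), the sc.exe start of MEmuSVC, the MBR signature on both MEmu.exe processes, and the ping chain under PID 5264. The report does not say which disk write raised the MBR signature, so treat that rule's output as a prompt to inspect the raw disk I/O rather than as a verdict.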
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
10.6MB
MD5ee6cbcf21b968f4925ea15134a29809e
SHA1d0ff7cdcb950f142f657c3ea48fea285e82500fa
SHA256528132a17b1e321c1c7772d01ca1e47dcc017eb775c83cf275900921b32d455b
SHA5125d53f4b086360d3f2e59cc621e810018fa1e2b8c9a7f92526d04b313316acbc57b6cec3bd62c47413bc9fcb8f05a00596811d33e4e482b3a574c54ac81990151
-
Filesize
12.8MB
MD54f5a8a2038c7e22ea39f17986df5c7d4
SHA1cce44b2c9d2eab991025205a310b198a5f2c66c5
SHA256f9287bab2e458a55956195e23688ec6781b81f153d7c5b28c50cc9e6fb8eedf8
SHA51251996dd2f0004b30e4ccf0e69a8364c7260b777377221580319829e1be7cba9a711d251e47fce0c40b3bd2b5d5bf1189f56997d6057279a985b003e17e37623a
-
Filesize
95KB
MD5ed5a809dc0024d83cbab4fb9933d598d
SHA10bc5a82327f8641d9287101e4cc7041af20bad57
SHA256d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9
SHA5121fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17
-
Filesize
61KB
MD50e24119daf1909e398fa1850b6112077
SHA1293eedadb3172e756a421790d551e407457e0a8c
SHA25625207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97
SHA5129cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43
-
Filesize
9KB
MD5dc54de3999894d74750372182580888d
SHA11ad361668a833c116a7305b6bdfc1cd816c460e8
SHA2561753cc2e7ca705aa4f7e51f2a857fde4b000e4f4abf8e7b3cd2025b091a34e67
SHA5126f247def9c6c3d33433233e4d536053d04db0993bd525fe9ef1319fbc7629a354f3ffc0028083a929fa5649ab282e93e3e4edd2043ee31e82c8bb03f1c9d7df1
-
Filesize
6KB
MD5ffdbe96e1c71e6199be20fc317479b5f
SHA15a9f3067bfe0f1ecb6da7fe2964b94b838caa230
SHA256d08edb2aab9eec9dcb4f471705cd41b45839f7e0bc58cce72ca56d8cb39bdd9e
SHA51222f9cbee9155cbd8b8f472a0c52b48165c32a8e6c1121b5b44793fa44ec43f211cf47f55501bed7cff014f65859f0fdc0bfeb01940da622f7c3d8f20ba3fe77d
-
Filesize
1.6MB
MD5284db64a9ed1c070602bf9ee77550e3e
SHA148aa0bb65247f1fc0a62404e9cfa355f519d6d4e
SHA25629ff3f525786f8014ded9f5a093007dc8e986f5f3d29c345f2fde93416c400eb
SHA5122a9b54e88ccbbf79a883deb5c09139f35161d404a53535a83f1d2f650e7adf8ea9d5de5b2b99fddb74687f330941e53f3c6a9f0f158d7fd5bcd1ec33e9205410
-
Filesize
5.7MB
MD5f6e68c4cc8cc3288fd5a411f54d8cae2
SHA19ce3c09bda67e746d385593f3385228790815923
SHA256fd488a4e13d4c71acce69e209164398a056fba5a559b7f00c1351390604e5b98
SHA512dc66258eb4d8558d578744c2e1124732f48b48333ba67ef3a24ccfa608f1cc619c4f443f61dd15c4264594b9a97305150afbe169226757357aac382241e6f392
-
Filesize
2KB
MD5bd81f8ba792dcffaaf9e2e8cc9549c55
SHA1940f5aa8d959d469ccd37ddf432f18a739fa41e6
SHA2569408780740fa1214f8e8c2a32353ca10839282e096787f43166f9b555cf1c665
SHA512890f9cbab961b829b72dc54d482048da745721ce54beb45298728969896264f5e601b4d4ad8b3b5210ca78c948dcdee1974cb551533a2030ec3f074b8ca4df34
-
Filesize
9KB
MD5e43ed0b69e138218a044ffa4507f55da
SHA1444736f81165aec30e700e513537b732dfb93339
SHA256dc11de7734b8cbcbcffa628dc703662e1acd00142de5f8d2770ff52b7c74fe9b
SHA512ed6096ebdaf4cc8b82f497a4492586376ec5861a6ef4d413d490e8b51e66870f4c3728d45ab683974b4634c111368304459b8c470f8fcf24f75bde2c64ac4c98
-
Filesize
84KB
MD58efdbdd90337842ef4b8ceb7adcac7bf
SHA11eb6440e60bb09078831ba011e7f2366bf06b8b6
SHA256bd91a6d385183af2495ff151b6872a0665beaa4c72d05943a7c97e201ef4a4f8
SHA5121543d8ad7d347c2818d9467672547f80d44bad6f5498b2bb2153765d14fec3400ea1dd34f87022aa5b2128a92cc00ab00f84c88c42e31be353eef105510117c7
-
Filesize
56KB
MD59f3cb843225cbbf5612ba0015354bca1
SHA14e0cd78823be5aa78be2054f4d4296884a7b5294
SHA2569ad6ae3ba83531bb6f95c47f008586c2f09b03dcc01743212d611d6ee93a5ee2
SHA512fd1111739e03f8769dd879793215c70abc48b10965bc700ec1806a1289a3dfa829c32efc0f6f7e5e17aba39dfa95b13a130e59fb0160676c796db084517514fb
-
Filesize
1.4MB
MD5d2f19c1a1067bef5653959bc26695d54
SHA1403102bb14550751dfa7745c744f2cfa29f49ca6
SHA25611167a49a71cb85d29b8cfd61447ba7bad9870de172be8efa1525eb37958fde2
SHA512d5327fb0e09868b4db4af875a61b0767af5441c664083cff4bb4988ad2e3858cfb34375888fa54c17d01fd008a5db9d9e392ac059dbf7fb344abacce93559d7a
-
Filesize
837KB
MD53259ebd7742a78e8fa0ad5a689b7377d
SHA1fbe79b1f6b207c3b47ff37071c47b8ffdadf889f
SHA25691baea13dc25e24916de0faab9a59a70fef12f3a2eec96528c1d9d076ce320b2
SHA5123dcdeed5c2078d4c82308b63bd9812c16d07883f47a615ce06616de94c59934e916966ab026391d95af9a370fbc7a7fb90cce931736484cdc85a377080ad2f1b
-
Filesize
1.7MB
MD57ee110fbe5147b3402e70f23e0f57780
SHA1feb6a002b4090c098c1b46dd1bceef4a78379b86
SHA25648bea71e994fa8f2a30e98c0547323b7f0246884664550f869a3f2f1c2c3bf62
SHA51221b18cf73c0a1b040ffc9353ce66b03e9c1252787004d3597d41c84c6bf1d8151aaaf0b4d35f6317949c85fbc89fd025a5ccb7f814af3a618e42969c6e85ebbd
-
Filesize
986KB
MD5b55d5cd0742979dd9f46e69b2b56eee7
SHA1d93f73f0904b7bc1a28565bcf1b90de0533fd79b
SHA256196e47522ae1eb7a5014b196f433bc0f5fc90ed2b934177512cd3e1e5782f0f1
SHA512aef9d7c1c3a2f6bed61a2a733e6f5c2f4656e26c5bc235bf00d26dca221901b7d7544fd859d4f4e04a65374b27e85f3dfc2088fe0bb4272f155b4cb9626d94bb
-
Filesize
9KB
MD5abe648c8e5dabd56e7d9800cdc918de8
SHA10f6a9c3c2fa5bfb25526a130976bd18c598ee5ab
SHA2564e2b3b5e4e92b6ef1dfda95ab5eea7cf4b4eb5a8c232e634684dac3c05ae2bff
SHA512104d20ae79c6e0f3af8899f706a1678e4b4a95460f8841ac14f80ab358f98a6409f412fc80d31adc2740527b53ce3b09bfde477edb03cd9572bd2239517fbf51
-
Filesize
2KB
MD520fa26363d4e532ae03ad24a9a2492c3
SHA11410cf9289bf3a20f58aca2577ee433ae48fa1c1
SHA256dd71107e650bd49118e43257e1bca7e902d7c30f1f249a0a7d4012e827f8795c
SHA5123fc815e89ca79e9d7384fdd5838be8e118f4006de18b1c360ba7de49b659c80641b4a1c2ab446bcbfe91cc6d66dfd03d086091e8c2ab62cdc014e98377e999b2
-
Filesize
88KB
MD55d38f264735116c3f6d7114b18e7e173
SHA16635352bbeb16235dd2ecab22ca9122596d3bde2
SHA2569f08f1ce607877c5292e57da6310e064375d6b5ea9535045b3019a2a7e91a351
SHA5124c7021d1d9a3b7bbc7bebeb8f9a972db19e1e8f62cdf3f60c985df7855fb06075f3f943137b25483eccec9cb56f1ca12d24176def434c46f103a870694c0a0de
-
Filesize
632B
MD59b924764cda9a9844ed2983eb20d34ea
SHA17ca4f57bff7b01607445003973fa66a9290aee6a
SHA2562a6f11b34cee17017b878105cb0bcbdd81f716a9bee4c9e6180f4605d0fa760a
SHA512abd36ff8efcc464a47387c300e0010ef4a4cf4b08aa4ee96c58709de0d06ec79950b530ae75b3176e7c92744f846b2cffb0efe90e2a37cb787f06a9fb2bedb49
-
Filesize
172KB
MD587cd4c763c98779576affecfa2ea1253
SHA1b7e31d5771aa9ed053804efd3e7ccfe45a1f631c
SHA256bb02b918542258544b4f20a490c34ed701f8867952467f5234f9ccf25a8d64c1
SHA5121ebdc06a6a2f05a92a798444e637e1ed8188dfd0a2f49f8f63bacd95cbcc910f1304f31cbeaa5e26491499519c27128cd74f647c803756dc4270431561a2c194
-
Filesize
52KB
MD588577bfc1a8f34cbf575205db3f1cb31
SHA1cb9d72fa0dd97cd4008015551cc5764c9be328c7
SHA256868c105861b6fb2207997a9b13d52b8cc0a22ce37d63382a869fd33277526213
SHA5124c3d65adfaee850e40f2725fca62a11f3b6652c8adad2e7372222e53f77c538a1904b4a7ed6df8167dd08d6bac628160caa3eb5906673d2f9a467947d85c45b8
-
Filesize
14.0MB
MD506280e3e5eec9783b4af071e7375f820
SHA1380036754e5fc786137ceddba989711e02146d05
SHA2560be1ab58ef33c40fa092cc56b1730967e77fb5cc3c54f09a0e599b0e658f389c
SHA5129edd0515eff29bcb27cd447d97ae7b02f68e2b06885b8671f7cfca7e90696cd7b100a8520e533f2fc9f70795889a983ddec546a5f9827e36d13e63b762909d5d
-
Filesize
2.7MB
MD50e3d42ca963f0a8251dcf57eb17beed3
SHA19105c402052f50e3b57d21aa464e763411f48a53
SHA2565d12c718a9865df81bf4376af1223d746401a11bf2300880393b40b174d37c9c
SHA51275ef7d2fbb1dcf4a7aaa26f0d29b6471f42da105739e6f7acdb6dd59c97c25a3cf241fe41d87d8ef6c8ff17c3528172ae47017c35fbd46c73f63fc20f95bee6e
-
Filesize
1.2MB
MD59025557bd1298dba028f61b60b3ca925
SHA16c54e44e5e275a677e7cd3ee03c5f8ccd2532764
SHA256ba1cf881912a0ba7f6858544009f0ef296d32bb740dcb421125fbb9c7097008b
SHA512338cb2f8afdd0edfd3880465fb83b2cc8eefedc5befdafd9f2a5c94217a5e7664858c67eadbc3fced18f5e21c2cf7e6f097e6d3d489cd59e136cd3e997eff78e
-
Filesize
43KB
MD557f3ffcf6a99abdeca93d0bebd9f05d8
SHA1f1b7038c4f6cad75b8a6d115255421d60f1de04f
SHA25644b59c980ca26aca133bd3842155c55eb30630853c3c316e1955415e10b34c0f
SHA512cbe0ed19d03540ffef93c4028ba7bf170ca82d1bfd15d432c7fb0edf96e450c9ddd85701b3ef52edabac96fd3cb6e3da2eadf4ed1de3907e986e8f3d64dd3b08
-
Filesize
8B
MD500f3c3bb21e257949b6c9f4529f9072f
SHA1a5d4c34c857dea84c5b5860fea4084b6e5120d22
SHA256b2c2de8af62723c9e548e560719684e801aad048bd04955214921fd6145b018b
SHA5122567242bed4ec44b2ceb36ab8c98c0442f88b9bb8a3796cd40e99f580a02d9a21baada98780ea1063ed2f92793278f4ad31666f069d98242627daaa1e76d110a
-
Filesize
36KB
MD5e0974aa9475d8877b23fd910216d53d0
SHA1c26ba9d61d56d50a094cecf382855855c3957510
SHA256564c9fafa45abfac0e8844b4874397adeb00c0ec8f0326b434741e4770111899
SHA512517fa863eb4ede6055fc5642563df55483cec7844545612d509411dbd0799ffd70cbb73b461dab9b0b93ff3375628f1311d90a58fe97d8629e1a6035619b08fe
-
Filesize
216B
MD55102445679502d430edc25e9df7886f8
SHA167f4ea140e48d2d6869fa3f29bc54644831db86c
SHA2567f02ed3cfa93e263033b645edc7383dd034327bd419867f0d70c740bf832a654
SHA5128bca960cf16c4504a3368b5042cec3c0aa81f8dfb8dd43cea201a2790d36cd4199df886c0d143268a438da9719febad0ef775803c82891e980034c4e6f6d0fc6
-
Filesize
27B
MD5e436b4d07d00512c18d91b1718623cbf
SHA10ca5679d13db7699f6c1536a1b7f7bc8d03c74b1
SHA256430e76adc83979ad936d3944bb9dec176defbfb98eef33b3dfd7962994f1cdcd
SHA5129cba9ba30eb5c2ce8756c50d427d36763e79c309c3f2e702fbf0d9f41a6e99d9ebfc2176445515c6330926222fc2d902fae39a47360e5c414efafe1d8c872b59
-
Filesize
64B
MD503e879faf00ba2a5e36898802ee2e808
SHA1f12e930a836fae6a98d414be78340bc2fe26520b
SHA2560b3f6e4a712324d118649bce0e8f58866321a077d3c260ce580a7ca88503c69d
SHA512a71101dc56fb6531c9545d2b43eb9a8315c001526423c9ed5fb276fcde9c1101ecaebb3210985f4b323e31c072ff1d8c0ca02253bc78b9f257917271233da710
-
Filesize
393KB
MD5e42dfd00bc871ab477ad7411fcaebca8
SHA17e2ba9f1c55d8e4f37925f628989a38618e19fd5
SHA256041c455cf5b41d1bd26b25658c0f6f99b72188f3db8da7325fd7514486bde224
SHA512191e2151cb59010068bfe592deb4fe0f9e3c190b140681c8518701a84d93d83132ce5c0479d0134c9883dd00f345380cb8778569c05f81a720bcc8f388ac3314
-
Filesize
381KB
MD53fa8fe8c8829f270f6afe540c55863d2
SHA163dac522fa34057d35140b21f4cf5db2ecad2117
SHA256a6cc6eb4e80b865f309e4c077ea9f7920a6df57a068867610bbe9b58f77887a0
SHA512d51db966f9ead415598d627fbf76b8e0fb1e978f72083fbf058ab20508536a3f8d04267b72b9cbefc80226efbde88fdb813d44ab0e3c427f74824e0e6710040e
-
Filesize
397KB
MD593ae36d895d3a213a89a312e16fafb82
SHA1b3f3352c23fe445dc06ed2ce723c6baa302d67cc
SHA256d7df7e764a1e80313932390b49748d45ce5f9f0a6e960ac059926404547f5143
SHA512a151068d21bc0a4a2ad17df52b3e4822b38caebcaadf5cf95653466aa54d8e6801e01ccb668ede5af94cf5be4d7fff7cdd899f38bb9de93b098722140334b353
-
Filesize
3.3MB
MD5c5b362bce86bb0ad3149c4540201331d
SHA191bc4989345a4e26f06c0c781a21a27d4ee9bacd
SHA256efbdbbcd0d954f8fdc53467de5d89ad525e4e4a9cfff8a15d07c6fdb350c407f
SHA51282fa22f6509334a6a481b0731de1898aa70d2cf3a35f81c4a91fffe0f4c4dd727c8d6a238c778adc7678dfcf1bc81011a9eff2dee912e6b14f93ca3600d62ddd
-
Filesize
3.0MB
MD52dacb1b350cbcba43dc7e2e2a42db595
SHA1a90c3d4a3beda7796c2d529afea2fc2cd48d7dcc
SHA256a9ac798d1ac4fd370bfa37d3732983da302d4f102cda4f854c017e6e4cc10dcc
SHA512741270e2326d6c20bfb029faca6a7d6edde8f936f77c7c666c5d08dc15f88a10601cf5b0a651dd27ea054b776c917dd109c256e13fa7021d5ce0322f25aa0693
-
Filesize
34KB
MD5a85ea17fb2ca9258e71d0a60667eae6a
SHA19bc4333321611769a51bcb5292c0517c227614c6
SHA2565456152400a84c153728007bd1c7d549788d2300441addd40c18d7e17f757856
SHA512ead8a715f75c82fe85a2d475010d8c880b13700c847840810bd6f75f6a4a418ded406133404a1c3d196461d676f8819a7bff25e556d25250d031e513303f81eb
-
Filesize
10KB
MD53e6b8043b85931514eef90a68713fea4
SHA1c33cc7f9752b299ef59b309eb88a99ebfd0aaca3
SHA25657f337f986ca34466345eeb4316043d746eed625892ff51760b74ad97c1c52ae
SHA512b78dc31f64704f34a858a8a57599d055fd7093b59beac4296b8993e9f9a2a0fa7bf41d81f42c2ea075823d6dd9b278a099264e922ab589f39f6624f279c8ceb1
-
Filesize
4.0MB
MD5c698d89f145b43c441d8a41dfa30dc66
SHA11b80b10a64c7097c47d6e5d43e7842379b4c197e
SHA256fc3083bb02dc8785493481d716310178e3659416fc1bbd8ccd1b0418659f04c4
SHA5128f424c35148fafe933a1db72779466884ac3755b343201a6b63abe546836810e8d963572ef54e5b89accf529d130c86558d5607e364050ed2e7e0dba768123d6
-
Filesize
4KB
MD58de1bd47700734f22fb9e25512aba248
SHA1a333de1b2eedec209bf800364e1a1277b4ed217f
SHA2566bee1284e364cd634cafc4c53ffd6d96c29e318a3ad253a7e7497a585f1eac81
SHA512d16bd577ebdb7c8295c64447114228954d6a9a7b98eedfbc578049006c390687ed29f8e903000a71f412fce49eb368a8c2cf5e19f131657a0f319483d1e68eca
-
Filesize
33KB
MD5e3a1338efadabb9fc23d955af9a7e070
SHA1dfbe82b183fff002a2e841d73474c78f646fdba2
SHA256f1fa3bfeea6a600f2c6d209775154cee349b7f687cb4f7213a8cad8870dbb812
SHA5120413a6116e227fa6a3dd7da6fa4bb8db59ed64fc16e37bfa49ca28c687fe791941b3a23193796eb0ece458e87f9f78f587b3a1fe0f188b63b9148037997df1a2
-
Filesize
37KB
MD5862a826020dfe7ab690900a87250992d
SHA1983117858f162f7eab3f4aee6e0d9619e20637ef
SHA256f96e413dc1b8a67c025b3d1769241ee96dd8b079b367a6c868d650a6b68154c4
SHA512a71cdfba3023934d0bfe25a05d2fda00f60caaf77122cc0d52c7c6f6555ebf43e13555b563a564023c02e9419471a8ed325d182508ad276517c68c9691d5704a
-
Filesize
31KB
MD57200f8e1af1c6a60501d5fef7772fd0b
SHA15f2bac81a60f7fdfbe8b1a01f111660a3614d679
SHA25635cf0ae6bcd1b8322482d40bf2dd693e276548885284b88e6631ab18a0c2c60e
SHA512097835d4c8c61c2489e831b31a8bb6f2feea277439d6697b6e3165ccb6e4758986c9a1fa754696da53b6005a041156ff8bc455a71dc31ea799f5891348a07f22
-
Filesize
365KB
MD5438b696a9811cd821bbe2c54b5c1b4b1
SHA155eb74a0015228b1e6c1dc97e6f427c9dc804587
SHA25684c23191b5e35eaf899358c21445a5377845c0653668bbd99b1aa8796e0248c7
SHA512961ed9cfcd61a1fc32de89cb97100aaa9a9225c80673b2176975bf62af7f3a0e77a91fb723ed52c553e10a6f754a5e8c8085bdfbd56ef2de8144c53bf41f4e91
-
Filesize
27KB
MD5f304a2c8067f804d25b98d360e92829f
SHA1dae1d07de8c33912ff4ffc957f8817b2b3e8293a
SHA256e45893bb7db31bfd32e87dc7a6b02709fca36eb83a25aedc45a39178ec80051e
SHA5125bc122bea8de687820932666c6b76bb153b115263b31a40fd7823a2a36ebc88b27626e06e3a6c5dc5f62970c8c7e9c094984b494d7f279bfdb9bac7a8c2964ca
-
Filesize
26KB
MD5367c723591fde64c38202d4c0f5ecfde
SHA1c13d74f417601c656f343f00d15e56517ee03b6a
SHA256ccd620e74045d9c9157903120140b97419cbbe91fd43337e640c67cd4522072a
SHA51231c084ba00e094e30c6f912ecd045e19c4451d8783a80dc99b99098f84c5500665a35ac901b0fde84d04df898ad67448e83539a7daa4928e8c78f798b359b256
-
Filesize
585KB
MD5b9425918e9f7b8affb9952ed02e01285
SHA1ff8c9a13df26035911b57edd8bbe28b2f6b07b72
SHA2568a5e4cce83ca7c08945348bfb13395109656079e99bc6445b62c4daae16faa5d
SHA512c25695517910f30424dc23e5f6f6f2a8c94b471dd69b77798c148f1520d313dcf43985cee507427c5d3aef2f12ab103a598450239668fde1c7b245e156bd501f
-
Filesize
1KB
MD5e8948501d2e2781d539a982240c0e682
SHA1340717f9da7ef76aa75c50e09d349de3ea6f6221
SHA25620cb5203adf2b9027362efc88c7c9585ce68ebea96cd0db7f2ea2e13172abcf3
SHA512f05a201a1e8b53c8410989cc0f1d597ca71f6f5fe725b50670544af9285e1dd7cc0d50f8f1732d194a5c86c58bfba59ff2310b71fecf71ebe1cced1e181cc0c2
-
Filesize
152B
MD54f7152bc5a1a715ef481e37d1c791959
SHA1c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA5122e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
-
Filesize
152B
MD5ea98e583ad99df195d29aa066204ab56
SHA1f89398664af0179641aa0138b337097b617cb2db
SHA256a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
-
Filesize
46KB
MD5ac83857f0497a4a0e7669329827cf228
SHA118ea483c966969e43a654fcadea9719a8aca370c
SHA25643337a1354f376890cdb73f3dbaf95a8027761c574c30cdecb321096be485d3e
SHA5126a35c50764d31d4bac07ddbec2329238cd04f2c58c00629e523ae7fc2a7d6be5d1226f8fb6c3c1043b215c38c47951a66fa8a9d4f4d6ddce7664bd1d011db2aa
-
Filesize
19KB
MD5827f01c76ddae0a5c3b4da0419437878
SHA18aea34be6f9fc6c6f5cfb97145f6788cbee12aa5
SHA256791f26f4bf37b5fcc0a6428e65134c563d3d43c789750d540c605fb62e8e59fe
SHA512daa39455157118cacc9191b03df0a3a6cebdcb7d12df431a865182a46676ae371b271ed9b3266be9a93303a3c5bd057d529e4cd801f8fc75661fea8dce3b6a66
-
Filesize
32KB
MD566301e63b3bb488b5eadd7831f4d03c4
SHA1b70a38218bf14ca53c46289a7a31d268923b4493
SHA256acacf083064c0ba06aeeede1a15d139c3000dce7c8b418cc811c9ab45e83cf18
SHA512474dad6ccc63fea8fa44dd225714e8e596882e209ef845a4b898f973dfcab91e36b9a18b35ae113f12a1aca27d992a708261ef37868069969684a01728de8184
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize360B
MD594c8ea81a2808da75878dc7588f06a3e
SHA15344cf4ecf3b0eebb5bd0e93e445f34556e12d7c
SHA25698edb3593d9756f8e33dccd499953e4ba8112e55d967c0250fc8aba88f9d2e8b
SHA5129a69e47a36765ed12e32df2778124e33637c7969c80611d765f9cbc660feed4745229111a856bfa3fc9b00aa614d67aafa467e005fb6d904e8011a1d0c105970
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD59a3fcfc78544f83fad6f1ba973b99d7a
SHA1fb21807c412b02ce3bec926b8a5d148ac33e63b6
SHA25664c57f8430b8286a0dbeab703ec92b0c69a70d20c50daf6d8a3d426a9aa1a651
SHA512ab20f3cd49ea39d45f75fbe820e2d21fef107d04b9e21af606b09facdd5b332bb47be695f9647592bb098a1ae4caa73a0db9502f689771235e686865738f18d5
-
Filesize
4KB
MD5f9b8991ba445672f3c3d8ae845c807b8
SHA13da6757ab1721400923cb3957c9e1381e765ddc8
SHA256f15f8877ba3e48c3daac4b829236864b8c7335e8b54cb189c1da24da77e5e78c
SHA512ef26ba8a6ca24bfc2329efae15c0fcbcaec23581f027ce86958764c9afb92e4b368a6fba183469d3166752ac787d32423301d7204a765692686b9a466e7a5eda
-
Filesize
5KB
MD5cc12bb39b0c9f78ef8639104074e1869
SHA1b72ffcb6e788fbcebd35c14fb545ac16d4dcb3e1
SHA2561c4253ea50b2650b19fba11b65523ac3286443e68c3e2670d2db3a917f944839
SHA512a89cca1b73a35feb66d6bf63aeca7b665f7230e3ccdfe8d639a83e58369c296c504ad708aa9e4a85543dc9b7bd388a3834020514ec2a8d2e6bc0d359c7db5636
-
Filesize
5KB
MD5c1935f2dd5d670b8ff48ff91634e450d
SHA178bff2dcced5006818ec6b493adb792eae8a72c9
SHA256cba0fab9396b58c0c31a1d32e05cbd2c07f1969223953a048f64c2b8d9a07421
SHA5126d30b5350f7d720369ebe54a4d6af60dbb9d0fb22a8b949d6d592841c4d969c87712ffb8cccc721ff00bcb25d7e0169559909e1f6941481861c481d5e3fe1238
-
Filesize
5KB
MD5c45be2b106830862bf42aa97379f5ba5
SHA1a2d83d66d8f4d336631743f33b5dce38c10c2a02
SHA256fd07cb5c0f98abb35c9bb3c24ca8b6b6d675eeba8b9f52d1ab243c740ded8652
SHA51237fe4bc0a40c08845aef2fc2299e70953081376d7d7c0859ebba697d2424a68f513e809a018eb356e9bc0520457580a374e5ada4b81dcd20f4548068b70f3b07
-
Filesize
2KB
MD587e303a9340c9fb4c158e521977004c5
SHA14c159e930dde9b5fd7bc006842cab9676c186323
SHA256 594927c96194f1b059cfea43b7965ca5acbd5e37fe9c39b071fbb29dcd65c411
SHA512 e0ec58d75e81202639a8061d387f0a93a33272034ed90bd35d40e961ff1ff570a3e0a2305e53322562635b116027fb2f3b3037812a0545182e03d092fd8bd18c
-
Filesize 6KB
MD5 f73f4e7bd0988f3f344e155c211b6d50
SHA1 5b01af2c28af1181efb9980bc9f52a971d1f22f1
SHA256 94a22cf957ae4544977316220330683bdb3b8b35b3289a43f42d928f0a1d32f1
SHA512 97a6372e98a176f87a2042cae80c889d4ef67c9a260ea5835b3cdb661fef87d2985129671a51ad751e3925c3bcf233a398fcb75ef4fc7a95cad5113ce2c98304
-
Filesize 7KB
MD5 45107087d3569960c8d545d01ccea6a4
SHA1 4f617376ff11c643397eb8f7e745e40dee4abc61
SHA256 1a95522ef788348def1e97216183561e46fe0bafe0ba9f7a5b4c183519b4e9a2
SHA512 9f570628d571b244a3e042dafd37d46a633c3c54814aae3e115efcb19c0b819503ed8784480414e2bbc6ea25c517ce192a8cde726c183237d0c993d2a7ff91bc
-
Filesize 9KB
MD5 3c863a2aef7afea30f8e2ed8aef02418
SHA1 daea07ff58e96c85573269fa1b359975bdb75a40
SHA256 429e072e36a2c14c87ce8c80235f12e42409285c22986192ad52ccc533877bce
SHA512 865451da022792c4ac7928390b99b0a0c9c68307fd31c9fe3686362fa2ce20e30735fbc16a059c1bffb872cba3e1a7ac8b2b7580d876d6bc1024753d8d94ed6c
-
Filesize 9KB
MD5 62bdfe258f0808f0087fa0da4cd776d5
SHA1 c50c6d67239327024cc3b77e501a86e0cd7db47c
SHA256 4383660d70a4db29b8191382648661286d916f0d85fa26c76ee8b82832363913
SHA512 d79b5fe9a4c9a6b17a13ca1279a43f82aa0a118ecc1f0a90aba010f4241803d454856842a8e0b49aa9b8737f3f842f3bf5d1b7ccd65cbb70e506d930c6e4d4db
-
Filesize 873B
MD5 cde3255b0b52823254fdeed39451650c
SHA1 8c0c5c535fbbd1b4e4cf60c0638af94666eb8d0e
SHA256 50c6960735b871d0ac959b1e4a881866c7427b3bf071efc53ef30197e5097d15
SHA512 5018f0ef01ad6c4419745a7f8298a4e52f493ddcbf116e9d75b4c59a0e626da483a608316ba47b2e6ee35728a8ae76661d6ecee1ae1989a36e1f8c386e4d9c91
-
Filesize 536B
MD5 1113526b968c15dd48a05321064df71a
SHA1 7fefdcb24fc8092a79fea4f24b1bab4155ee3743
SHA256 9e67107748c0354959af1f1d73b553a90a97d34c2aa68cd6683aa5abf1788b67
SHA512 11216d7c7e04af8f19643897f422e9d6a4d65aa2ec938e680eccf2162b59bbfb760bfa45a21b38bd3edc28efa70c96b616576223d4c74e5835b173061e246fd2
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 11KB
MD5 4e97efe65479b5578cab3b7bf261a507
SHA1 93468584cbce2bb11509fe7d2ddb7ef346706dd3
SHA256 ce5885ed714bb6c829a7ff82a6843cacc8f56cc6cf3a2b55517805803bb69eb3
SHA512 f5a3824db1881854005092cc600201fd5ec16b9b760a5d1a288ea1a37cf46f67d6c9e5401829eedd0ca707bcacc8013665287426906f1bda049c9d70a72e8d1f
-
Filesize 12KB
MD5 98e831ae41e554c2357223ac58f10c39
SHA1 5ad60fe222eb5a6c61de2a40207315b929b66b86
SHA256 5ca04d6f1b5901a31d2f09781eb67bb8487da463c8741cf35fa250cd66a75eba
SHA512 2feecd8f0f3639d46a9a843c3e49632538d8b8752967d34d113e38a142a19932cabb30e541be4baa7e21be01cf0077aef16608fc48ef38446604e17feae67c57
-
Filesize 12KB
MD5 56c16ca76f0c920c9a9204008d5c5aaf
SHA1 eeeede9672b03536dac8bbe2018c58665ec57962
SHA256 4b6d8625c027df26b6f5be9f793ef1d41d9449588ed18028e28e8832b60a24b1
SHA512 c43ae1544e20f1e9a55a288995fe3a4bebfcca91a0ecc163ddb770a2467f0f7332a95dff855806010374a8127c0f81bfbf31d117b7297ff79bc2376370db2311
-
Filesize 12KB
MD5 08ce0e7d571822aaa5952922b4625787
SHA1 65da665e2044e909deed513ddc90c086903d8438
SHA256 9747d6f3f6ec6c94dff2bcf09fa22a057621cf570c3cc242658bda67d378059a
SHA512 e7f5969091f50f5899ab91a957d4928e02ee789d7add3490b5dbffc982a45d6c34123e09f6fd6243d5389c2bb225ade34ff970ad393f6c41088024ce4d818e0c
-
Filesize 4KB
MD5 58054bb681e67d7c3f7f5283463fba50
SHA1 41f30e478dabcc98ed69e856141d67270016f6a2
SHA256 8e08b73aa29819ccd68eb458dfc518d2140e12ae08383dbc96511cc2af493551
SHA512 34d42898fd6e58f61a07275fe7b53e7f57421c3f2dcc2774f63f22edb32dca3a222af77f5ce0d8b0b5ca0bbc308fcb6710d39172b6d401f1bf427a539d98e08e
-
Filesize 312KB
MD5 39ff928d8ec49a318b40761dd7c1cdf3
SHA1 5c20cb15caa4704b7a5bfadd12885646aca50fce
SHA256 9e18ed94739ae711585e397a8ea2f7e1b05e00bd23f57fbb7606c4498192c5e0
SHA512 04a3198da7dd33e6d960de8474814b7220c6d9f0378e495683fd38a5bdfe15179daedf24bf3038e78a775c20ced87bc05d64aee9202f08924e017b4d0d724524
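The dropped-file listing above is exported with each digest label fused to its value and entries separated only by a dash, which is easy to mangle when copying into a blocklist. The following parser is an added example, not part of this report or of the sandbox's own tooling: it turns that flattened listing into validated records, rejects a digest whose length or alphabet is wrong (the usual sign of a truncated paste), deduplicates SHA256 values for an EDR blocklist, and can match a local file against a record. The two well-formed sample entries are copied from this page's listing; the third listing is constructed with a deliberately truncated SHA256 to show the validation path.

```python
"""Parse a sandbox 'Filesize / MD5 / SHA1 / SHA256 / SHA512' dropped-file
listing into validated IOC records.

Added example; not the sandbox's own code. The two entries in SAMPLE_LISTING
are copied from this page; BAD_LISTING is constructed (SHA256 truncated).
"""
import hashlib
import re
from dataclasses import dataclass, field

# Hex-digit length of each digest. Labels are matched longest-first because the
# export fuses label and value ("MD5f73f..."), with no separator.
DIGEST_LEN = {"SHA512": 128, "SHA256": 64, "SHA1": 40, "MD5": 32}
_LABELS = sorted(DIGEST_LEN, key=len, reverse=True)
_HEX = re.compile(r"^[0-9a-f]+$")

SAMPLE_LISTING = """\
-
Filesize
6KB
MD5f73f4e7bd0988f3f344e155c211b6d50
SHA15b01af2c28af1181efb9980bc9f52a971d1f22f1
SHA25694a22cf957ae4544977316220330683bdb3b8b35b3289a43f42d928f0a1d32f1
SHA51297a6372e98a176f87a2042cae80c889d4ef67c9a260ea5835b3cdb661fef87d2985129671a51ad751e3925c3bcf233a398fcb75ef4fc7a95cad5113ce2c98304
-
Filesize
7KB
MD545107087d3569960c8d545d01ccea6a4
SHA14f617376ff11c643397eb8f7e745e40dee4abc61
SHA2561a95522ef788348def1e97216183561e46fe0bafe0ba9f7a5b4c183519b4e9a2
SHA5129f570628d571b244a3e042dafd37d46a633c3c54814aae3e115efcb19c0b819503ed8784480414e2bbc6ea25c517ce192a8cde726c183237d0c993d2a7ff91bc
"""

# Constructed: the page's 9KB entry with its SHA256 cut short to 59 hex digits.
BAD_LISTING = """\
Filesize
9KB
MD53c863a2aef7afea30f8e2ed8aef02418
SHA256429e072e36a2c14c87ce8c80235f12e42409285c22986192ad52ccc5338
"""


@dataclass
class DroppedFile:
    size: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text: str) -> list[DroppedFile]:
    """Split the listing on '-' separators; raise ValueError on a bad digest.

    Accepts both the raw export ("Filesize" on its own line, size on the next)
    and the cleaned form ("Filesize 6KB", "MD5 <hex>") used above.
    """
    records, cur, expect_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur:
                records.append(cur)
            cur = None
            continue
        if line.startswith("Filesize"):
            rest = line[len("Filesize"):].strip()
            if rest:
                cur = DroppedFile(size=rest)
            else:
                expect_size = True
            continue
        if expect_size:
            cur, expect_size = DroppedFile(size=line), False
            continue
        for label in _LABELS:
            if line.startswith(label):
                value = line[len(label):].strip().lower()
                if not _HEX.match(value) or len(value) != DIGEST_LEN[label]:
                    raise ValueError(f"{label} digest malformed: {value!r}")
                if cur is None:          # digest lines with no preceding size
                    cur = DroppedFile(size="?")
                cur.hashes[label] = value
                break
        # any other line (page chrome, headings) is ignored
    if cur:
        records.append(cur)
    return records


def sha256_blocklist(records: list[DroppedFile]) -> list[str]:
    """Unique SHA256 values in listing order, ready for an EDR blocklist."""
    out: list[str] = []
    for r in records:
        h = r.hashes.get("SHA256")
        if h and h not in out:
            out.append(h)
    return out


def digests_of(data: bytes) -> dict[str, str]:
    """All four digests of a byte string, keyed like the listing labels."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


def find_match(records: list[DroppedFile], data: bytes):
    """First record whose every listed digest matches `data`, else None."""
    d = digests_of(data)
    for r in records:
        if r.hashes and all(d[k] == v for k, v in r.hashes.items()):
            return r
    return None


if __name__ == "__main__":
    for h in sha256_blocklist(parse_listing(SAMPLE_LISTING)):
        print(h)
```

Matching on every listed digest rather than MD5 alone avoids acting on an MD5 collision; a single mismatch among the four is treated as no match, which is the safer default when the record is being used to confirm that a quarantined file is the one the sandbox saw.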
