Malware Analysis Report

2025-08-06 04:10

Sample ID: 240508-1lg3dabe46
Target: https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html
Tags: bootkit, discovery, persistence, spyware, stealer
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
Threat Level: Likely malicious

The submitted URL https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html was found to be: Likely malicious.

The verdict is the sandbox's automated score and rests entirely on the signatures listed below. Nearly all of them were raised by the installer the page served, C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe (the MEmu Android emulator setup), and by the Microvirt components it dropped under C:\Program Files\Microvirt; a few were raised by the sandbox's own browser and the Windows Search indexer. Read each signature together with its Process column before treating the score as a malware finding.

Malicious Activity Summary

Downloads MZ/PE file
Drops file in Drivers directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Registers COM server for autorun (persistence)
Reads user/profile data of web browsers (spyware, stealer)
Writes to the Master Boot Record (MBR) (bootkit, persistence)
Checks installed software on the system (discovery)
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
NTFS ADS
Runs ping.exe
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview
Reported: 2024-05-08 21:44

Signatures
N/A

Analysis: behavioral1

Detonation Overview
Submitted: 2024-05-08 21:44
Reported: 2024-05-08 21:53
Platform: win10v2004-20240426-en
Max time kernel: 527s
Max time network: 533s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html

This command line is the sandbox opening the submitted URL in Edge. The binary that produced the signatures below, C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe, was fetched from that page during the run ("Downloads MZ/PE file") and then executed.

Signatures

Downloads MZ/PE file

Drops file in Drivers directory

MEmuDrvInst.exe installs the hypervisor driver through SetupAPI: SET931E.tmp is SetupAPI's temporary copy in system32\DRIVERS, renamed to MEmuDrv.sys once the package is committed. Pair these rows with the DRVSTORE rows under "Drops file in System32 directory", where the matching .inf and .cat are staged.

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\MEmuDrv.sys C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET931E.tmp C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A
File created C:\Windows\system32\DRIVERS\SET931E.tmp C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Program Files\Microvirt\MEmu\MEmu.exe N/A

Executes dropped EXE

Process (number of execution events; Description, Indicator and Target are N/A for every row)
C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe (1)
C:\Program Files\Microvirt\tempDir\7za.exe (3)
C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe (1)
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (6)
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe (9)
C:\Program Files\Microvirt\MEmu\MemuService.exe (1)
C:\Program Files\Microvirt\MEmu\MEmuRepair.exe (2)
C:\Program Files\Microvirt\MEmu\MEmuc.exe (1)
C:\Program Files\Microvirt\MEmu\MEmuConsole.exe (1)
C:\Program Files\Microvirt\MEmu\MEmu.exe (3)
C:\Program Files\Microvirt\MEmu\screenrecord.exe (1)

Loads dropped DLL

Process (number of load events; Description, Indicator and Target are N/A for every row)
C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe (1)
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe (12)
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe (19)
C:\Windows\system32\regsvr32.exe (17)
C:\Windows\SysWOW64\regsvr32.exe (15)

The regsvr32.exe loads are the self-registration of the dropped COM server DLLs (see "Registers COM server for autorun"); both the 64-bit and the SysWOW64 copy run, which is consistent with the x86 variants dropped under MEmuHyperv\x86 in the Program Files table.

Reads user/profile data of web browsers

Tags: spyware, stealer (no indicator rows are rendered for this signature, so the profile paths read and the reading process cannot be checked here)

Registers COM server for autorun

Tags: persistence

The rows below reduce to four CLSIDs, all pointing into the dropped MEmuHyperv directory:
{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}  InprocServer32 = C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll, ThreadingModel = Both
{3c02f46d-c9d2-4f11-a384-53f0cf91721a}  InprocServer32 = C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll, ThreadingModel = Free
{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}  InprocServer32 = C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll, ThreadingModel = Free
{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}  LocalServer32 = "C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe"

The writers are regsvr32.exe, MEmuManage.exe and MEmuSVC.exe; the interleaved Key created / Key deleted pairs are the unregister-then-register sequence of a self-registering component. Note what the signature name does and does not say: an InprocServer32 or LocalServer32 value makes the DLL load, or the EXE start, whenever something calls CoCreateInstance on that CLSID. That is persistence only if an autostart path instantiates the CLSID, and no Run key, service entry or shell-extension hook appears in these rows. The summary does list "Launches sc.exe", so check the Processes section for a service installation before calling this autorun.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\"" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ThreadingModel = "Free" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32\ThreadingModel = "Both" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ThreadingModel = "Free" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll" C:\Windows\system32\regsvr32.exe N/A
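Reconstructing the effective registrations from the rows above, as an added example written for this report (it is not sandbox output and not MEmu's own code): the script matches the "Set value (str)" rows in exactly the form the table prints them, collapses them by CLSID, unescapes the REG_SZ data, and flags every server whose binary lives outside C:\Windows. The embedded rows are copied from the table; the class and function names are mine.

```python
import re
from dataclasses import dataclass, field

# Rows copied verbatim from the table above (a subset: the remaining rows are
# repeated "Key created" / "Key deleted" events that carry no value data).
COM_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\"" C:\Windows\system32\regsvr32.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll" C:\Windows\system32\regsvr32.exe N/A',
]

# Matches only "Set value (str)" rows under a CLSID server key. The key name is
# printed as InProcServer32 or InprocServer32 depending on which process wrote it.
SET_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\'
    r'\{(?P<clsid>[0-9A-Fa-f-]{36})\}\\(?P<server>In[Pp]rocServer32|LocalServer32)\\'
    r'(?P<value>ThreadingModel|) = "(?P<data>.*)" (?P<proc>C:\\.*?) N/A$'
)


@dataclass
class ComServer:
    clsid: str
    kind: str = ''              # InprocServer32 (DLL) or LocalServer32 (EXE)
    path: str = ''              # server binary, unescaped
    threading_model: str = ''
    writers: set = field(default_factory=set)   # processes that set values


def unescape(data: str) -> str:
    """Undo the C-style escaping (\\" and \\\\) the report applies to REG_SZ data."""
    return data.replace('\\"', '"').replace('\\\\', '\\')


def reconstruct_com_servers(rows):
    """Collapse Set value rows into one ComServer per CLSID (CLSIDs case-folded)."""
    servers = {}
    for row in rows:
        m = SET_RE.match(row)
        if m is None:
            continue  # Key created / Key deleted rows carry no data
        clsid = m['clsid'].lower()
        s = servers.setdefault(clsid, ComServer(clsid))
        s.kind = 'LocalServer32' if m['server'] == 'LocalServer32' else 'InprocServer32'
        s.writers.add(m['proc'])
        data = unescape(m['data'])
        if m['value'] == 'ThreadingModel':
            s.threading_model = data
        else:
            s.path = data.strip('"')   # LocalServer32 paths carry an extra quote pair
    return servers


def servers_outside_windows(servers):
    """CLSIDs whose server binary is not under C:\\Windows: the ones to triage first."""
    return sorted(c for c, s in servers.items()
                  if not s.path.lower().startswith('c:\\windows\\'))


if __name__ == '__main__':
    found = reconstruct_com_servers(COM_ROWS)
    for clsid in servers_outside_windows(found):
        s = found[clsid]
        print(f'{{{clsid}}} {s.kind} -> {s.path} [{s.threading_model or "-"}] '
              f'written by {sorted(s.writers)}')
```

Feed it the complete table and the output is the list of CLSID to binary mappings to check on a live host (HKCR\CLSID\{...}\InprocServer32) and to look up in the Processes section for whatever instantiates them.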

Checks installed software on the system

Tags: discovery (no indicator rows are rendered for this signature)

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

The evidence is two handles opened for modification on \??\PHYSICALDRIVE0 by MEmu.exe. The signature keys on the open, not on an observed write to sector 0: no write offset or length is recorded, and legitimate disk utilities and virtualization software also open the raw physical disk with write access. Before escalating this as a bootkit, confirm an actual change to the MBR (compare sector 0 of the disk image before and after detonation, or look for a write on the PHYSICALDRIVE0 handle in the full API trace).
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
File opened for modification \??\PHYSICALDRIVE0 C:\Program Files\Microvirt\MEmu\MEmu.exe N/A

Drops file in System32 directory

The DRVSTORE rows are the driver package (MEmuDrv.sys, MEmuDrv.inf, MEmuDrv.cat) being staged by MEmuDrvInst.exe under C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737; CatRoot2\dberr.txt is the catalog-database log written during catalog installation. With the .cat beside the .sys the driver's signature can be checked offline (signtool verify /v /kp /c MEmuDrv.cat MEmuDrv.sys). "Suspicious behavior: LoadsDriver" in the summary means the driver actually loaded on the 64-bit Windows 10 image, so the package satisfied whatever kernel-mode code-signing policy the sandbox enforces; check what that image enforces before reading the load as a signing-policy bypass.
Description Indicator Process Target
File created C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.sys C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.cat C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microvirt\MEmu\opengl32sw.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\MEmuDD2RC.rc C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\MEmuHeadless.exe C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\libEGL.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\config.ini.tLMysH C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\resources\img\e.img C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\lang\MEmu_zh_tr.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\translations\qt_pt_BR.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\lang\MEmu_uk.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\lang\MEmu_zh.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\translations\qt_cs.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\translations\qt_ko.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\opengl32sw.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\en-US.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fil.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\lang\MEmu_de.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\libGLES_CM_translator.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\x86\libcrypto-1_1.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qt_de.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\adbdrv\32\i386\USBCoInstaller.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\libxysprt.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\quicklinkicon C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\MEmuGuestPropSvc.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv32.7z C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qt_gd.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\Qt5QmlModels.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\config.ini.fX4536 C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\Qt5Network.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\zh-TW.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\HPVR0.r0 C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\MEmuNetLwf.sys C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\bn.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\hu.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\kn.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\resources\qtwebengine_resources_200p.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\lang\MEmu_tl.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\MEmu.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\libcurl.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\msvcr100.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\Qt5Gui.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\playlistformats\qtmultimedia_m3u.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fr.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\hi.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\lang\MEmu_ru.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\mediaservice\dsengine.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv32.7z C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fi.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\translations\qt_hu.qm C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\image\96\MEmu96-2024040200027FFF-disk2.vmdk C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\NetFltInstall.exe C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv\NetFltInstall.exe C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\th.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\adbdrv\64\android_winusb.inf C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\platforms\qoffscreen.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmuHyperv\x86\msvcr100.dll C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmuHyperv64.7z C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\nb.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File created C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\sl.pak C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\consoleskins\Other\Yellow C:\Program Files\Microvirt\tempDir\7za.exe N/A
File opened for modification C:\Program Files\Microvirt\MEmu\config.ini.enKqBI C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A

Enumerates system info in registry

Every row here comes from msedge.exe, the browser the sandbox launched to open the target URL; these BIOS SystemManufacturer / SystemProductName reads are not attributable to the sample.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

The SysWOW64 copy of ipconfig.exe ran, so it was spawned by a 32-bit process; its parent is not shown in this excerpt and has to be taken from the Processes section before the row is attributed to the sample.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies data under HKEY_USERS

Every row here comes from SearchProtocolHost.exe or SearchFilterHost.exe, the Windows Search indexer, writing MuiCache, FileExts and Shell Extensions cache entries under the .DEFAULT hive. None of the sample's processes appears in this table; the signature fired on indexer activity that happened while the detonation ran.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c6f56e791a1da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e7f13e891a1da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b7f04e791a1da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085b71de891a1da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000953938e791a1da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f7d21e791a1da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a1126e791a1da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9ACD33F-647D-45AC-8FE9-F49B3183BA3A}\TypeLib\Version = "1.3" C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2514881b-23d0-430a-a7ff-7ed7f05534ba} C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5732F030-4194-EC8B-C761-E1A99327E9FA}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7569351-1750-46F0-936E-BD127D5BC26A}\1.3\HELPDIR C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431685da-3618-4ebc-b038-833ba829b4ba}\NumMethods\ = "25" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f4d803b4-9b2d-4377-bfe6-9702e881516a}\NumMethods\ = "15" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3ba329dc-659c-488b-835c-4eca7ae71c6a}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2e20707d-4325-9a83-83cf-3faf5b97457a} C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c365fb7b-4430-499f-92c8-8bed814a5671} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0A0904D-2F05-4D28-855F-488F96BAD2BA} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b2547866-a0a1-4391-8b86-6952d82efaaa} C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81314d14-fd1c-411a-95c5-e9bb1414e63a} C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3BA329DC-659C-488B-835C-4ECA7AE71C6A}\ = "ISerialPortChangedEvent" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF398A9A-6B76-4805-8FAB-00A9DCF4732A}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39b4e759-1ec0-4c0f-857f-fbe2a737a25a} C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101ae042-1a29-4a19-92cf-02285773f3ba} C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFCA788C-4477-787D-60B2-3FA70E56FBBA}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7844AA05-B02E-4CDD-A04F-ADE4A762E6BA}\ProxyStubClsid32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839CA}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{adf292b0-92c9-4a77-9d35-e058b39fe0ba} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516A}\ = "ISnapshotRestoredEvent" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{334DF94A-7556-4CBC-8C04-043096B02D8A}\TypeLib\ = "{d7569351-1750-46f0-936e-bd127d5bc26a}" C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77faf1c0-489d-b123-274c-5a95e77ab28a} C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5191A7C-9536-4EF8-820E-3B0E17E5BBCA}\ = "IGuestFileIOEvent" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F99CD4D-BBD2-49BA-B24D-4B5B42FB4C31}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39B4E759-1EC0-4C0F-857F-FBE2A737A25A}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dd3e2654-a161-41f1-b583-4892f4a9d5da}\ProxyStubClsid32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0c293c51-4810-e174-4f78-199376c63bba}\TypeLib\Version = "1.3" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{245D88BD-800A-40F8-87A6-170D02249A5A}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21637b0e-34b8-42d3-acfb-7e96daf77c2a} C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AA} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA1155A}\ = "IDnDTarget" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40A}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d23a9ca3-42da-c94b-8aec-21968e08355a}\NumMethods C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D7609A}\NumMethods\ = "18" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946BA}\NumMethods C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{e062a915-3cf5-4c0a-bc90-9b8d4cc94d8a} C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA91D4C9-4C02-FDB1-C5AC-D89E22E8130A}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81314D14-FD1C-411A-95C5-E9BB1414E63A} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{e7932cb8-f6d4-4ab6-9cbf-558eb8959a61}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C984D15F-E191-400B-840E-970F3DAD729A}\ProxyStubClsid32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7569351-1750-46F0-936E-BD127D5BC26A}\1.3 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8398f026-4add-4474-5bc3-2f9f2140b23a} C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27C0B3D-6038-422C-B45E-6D4A0503D9FA}\TypeLib\ = "{d7569351-1750-46f0-936e-bd127d5bc26a}" C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4bbc405d-f268-4483-9a52-f43ffdbf67fa}\ProxyStubClsid32 C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4AFE423B-43E0-E9D0-82E8-CEB307940DD1} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{788B87DF-7708-444B-9EEF-C116CE423D3A}\NumMethods\ = "20" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MemuHyperv.MemuHypervClient\CurVer\ = "MemuHyperv.MemuHypervClient.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00C8F974-92C5-44A1-8F3F-702469FDD04A}\ = "IDHCPServer" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E7779A-E64A-4908-804E-371CAD23A75A}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BBC405D-F268-4483-9A52-F43FFDBF67FA}\ProxyStubClsid32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{8398F026-4ADD-4474-5BC3-2F9F2140B23A}\NUMMETHODS C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{486FD828-4C6B-239B-A846-C4BB69E4103A}\NumMethods\ = "77" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40A}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB8A}\ProxyStubClsid32 C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAC21692-7997-4595-A731-3A509DB604EA}\NumMethods C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B66A}\NumMethods C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f73650f4-4506-50ca-045a-23a0e32ea50a}\TypeLib\Version = "1.3" C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13a11514-402e-022e-6180-c3944de3f9ca}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDA}\ = "IMEmuSVCAvailabilityChangedEvent" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{806DA61B-6679-422A-B629-51B06B0C6D9A}\ = "IUSBDeviceStateChangedEvent" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABE94809-2E88-4436-83D7-50F3E64D050A}\TypeLib C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 1113.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×21)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A (×4)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×8)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A (×5)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A (×7)
N/A N/A C:\Program Files\Microvirt\tempDir\7za.exe N/A (×3)
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A (×2)
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A (×4)
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A (×3)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuRepair.exe N/A (×2)
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A (×2)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuc.exe N/A (×2)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A (×2)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuc.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuConsole.exe N/A (×6)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A (×3)
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A (×3)
N/A N/A C:\Program Files\Microvirt\MEmu\screenrecord.exe N/A
N/A N/A C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe N/A (×2)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmu.exe N/A (×7)
N/A N/A C:\Program Files\Microvirt\MEmu\MEmuRepair.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 2016 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×40)
PID 2016 wrote to memory of 1192 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 2016 wrote to memory of 2388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×20)

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe730346f8,0x7ffe73034708,0x7ffe73034718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5056 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:8

C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe

"C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuUSB

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuNetFlt

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuNetLwf

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuNetAdp

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuNetFlt

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuNetLwf

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuNetAdp

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuUSBMon

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuDrv

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" query MEmuDrv

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" query MEmuUSBMon

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" query MEmuNetFlt

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" query MEmuNetLwf

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" query MEmuNetAdp

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Program Files\Microvirt\tempDir\7za.exe

"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\tempDir\Setup.7z" "-oC:\Program Files\Microvirt"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6164 /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microvirt\tempDir\7za.exe

"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv64.7z" "-oC:\Program Files\Microvirt\MEmuHyperv"

C:\Program Files\Microvirt\tempDir\7za.exe

"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv32.7z" "-oC:\Program Files\Microvirt\MEmuHyperv\x86" libcurl.dll libcrypto-1_1.dll libssl-1_1.dll msvcp100.dll msvcr100.dll msvcr120.dll MEmuC.dll MEmuHPV.dll MEmuProxyStub.dll MEmuREM.dll MEmuRT.dll

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuDrv

C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe" driver install "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf"

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /UnregServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

C:\Windows\system32\regsvr32.exe

/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

C:\Windows\system32\regsvr32.exe

/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /RegServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc start MEmuSVC

C:\Program Files\Microvirt\MEmu\MemuService.exe

"C:\Program Files\Microvirt\MEmu\MemuService.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc query MEmuSVC

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding

C:\Program Files\Microvirt\MEmu\MEmuRepair.exe

"C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --getVtStatus

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" showmediuminfo "C:\Program Files\Microvirt\MEmu\image\96\MEmu96-2024040200027FFF-disk1.vmdk"

C:\Program Files\Microvirt\MEmu\MEmuc.exe

"C:\Program Files\Microvirt\MEmu\MEmuc.exe" create 96

C:\Program Files\Microvirt\MEmu\MEmuConsole.exe

"C:\Program Files\Microvirt\MEmu\MEmuConsole.exe" -b

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding

C:\Program Files\Microvirt\MEmu\MEmu.exe

"C:\Program Files\Microvirt\MEmu\MEmu.exe" adjustconfig MEmu

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms

C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms

C:\Program Files\Microvirt\MEmu\screenrecord.exe

"C:\Program Files\Microvirt\MEmu\screenrecord.exe"

C:\Program Files\Microvirt\MEmu\MEmu.exe

"C:\Program Files\Microvirt\MEmu\MEmu.exe" install

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.memuplay.com/thanks/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe730346f8,0x7ffe73034708,0x7ffe73034718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2000 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4c4 0x150

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe"

C:\Windows\notepad.exe

"C:\Windows\notepad.exe"

C:\Program Files\Microvirt\MEmu\MEmu.exe

"C:\Program Files\Microvirt\MEmu\MEmu.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c chcp 65001 && ping www.baidu.com -n 5

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping www.baidu.com -n 5

C:\Windows\SysWOW64\cmd.exe

cmd /c ipconfig /flushdns

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /flushdns

C:\Program Files\Microvirt\MEmu\MEmuRepair.exe

"C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --repairDrv

C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe

"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /UnregServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

C:\Windows\system32\regsvr32.exe

/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

C:\Windows\system32\regsvr32.exe

/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2016_AZDZTTTEHWARZZJC

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microvirt\setup\MEmuSetup.log

C:\Program Files\Microvirt\tempDir\7za.exe

C:\Program Files\Microvirt\MEmuHyperv64.7z

C:\Program Files\Microvirt\MEmuHyperv32.7z

C:\Program Files\Microvirt\MEmu\aapt.exe

C:\Program Files\Microvirt\MEmu\adb.exe

C:\Program Files\Microvirt\MEmu\imageformats\qtga.dll

C:\Program Files\Microvirt\MEmu\imageformats\qsvg.dll

C:\Program Files\Microvirt\MEmu\imageformats\qjpeg.dll

C:\Program Files\Microvirt\MEmu\imageformats\qico.dll

C:\Program Files\Microvirt\MEmu\imageformats\qicns.dll

C:\Program Files\Microvirt\MEmu\imageformats\qgif.dll

C:\Program Files\Microvirt\MEmu\image\96\MEmu.memu

C:\Program Files\Microvirt\MEmu\image\96\hyperv.json

C:\Program Files\Microvirt\MEmu\image\96\boot.vhd

C:\Program Files\Microvirt\MEmu\iconengines\qsvgicon.dll

C:\Program Files\Microvirt\MEmu\discord_game_sdk.dll

C:\Program Files\Microvirt\MEmu\d3dcompiler_47.dll

C:\Program Files\Microvirt\MEmu\consoleskins\Other\Yellow\1.0.0\Yellow.rcc

C:\Program Files\Microvirt\MEmu\consoleskins\Other\Blue\1.0.0\Blue.rcc

C:\Program Files\Microvirt\MEmu\consoleskins\Default\Default.rcc

C:\Program Files\Microvirt\MEmu\clearRemnants.exe

C:\Program Files\Microvirt\MEmu\bearer\qgenericbearer.dll

C:\Program Files\Microvirt\MEmu\avutil-55.dll

C:\Program Files\Microvirt\MEmu\avformat-57.dll

C:\Program Files\Microvirt\MEmu\avcodec-57.dll

C:\Program Files\Microvirt\MEmu\audio\qtaudio_windows.dll

C:\Program Files\Microvirt\MEmu\apk.ico

C:\Program Files\Microvirt\MEmu\AdbWinUsbApi.dll

C:\Program Files\Microvirt\MEmu\AdbWinApi.dll

C:\Program Files\Microvirt\MEmu\adbdrv\adb_usb.ini

C:\Program Files\Microvirt\MEmu\adbdrv\64\devcon.exe

C:\Program Files\Microvirt\MEmu\adbdrv\64\android_winusb.inf

C:\Program Files\Microvirt\MEmu\adbdrv\64\android_winusb.cat

C:\Program Files\Microvirt\MEmu\adbdrv\64\amd64\winusbcoinstaller2.dll

C:\Program Files\Microvirt\MEmu\adbdrv\64\amd64\WdfCoInstaller01009.dll

C:\Program Files\Microvirt\MEmu\adbdrv\32\i386\winusbcoinstaller2.dll

C:\Program Files\Microvirt\MEmu\adbdrv\32\i386\WdfCoInstaller01009.dll

C:\Program Files\Microvirt\MEmu\adbdrv\32\i386\USBCoInstaller.dll

C:\Program Files\Microvirt\MEmu\adbdrv\32\devcon.exe

C:\Program Files\Microvirt\MEmu\adbdrv\32\android_winusb.inf

C:\Program Files\Microvirt\MEmu\adbdrv\32\androidwinusb86.cat

C:\Windows\System32\DRVSTORE\MEMUDR~1\MEmuDrv.sys

memory/1472-1046-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/6020-1047-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/1008-1048-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/180-1049-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/6012-1050-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/5696-1051-0x0000000073260000-0x0000000073319000-memory.dmp

memory/2156-1052-0x0000000073660000-0x0000000073719000-memory.dmp

memory/3192-1053-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/5888-1054-0x00007FFE7A3D0000-0x00007FFE7A493000-memory.dmp

memory/5460-1055-0x00007FFE5FB80000-0x00007FFE5FC43000-memory.dmp

memory/3460-1056-0x0000000073260000-0x0000000073319000-memory.dmp

memory/2720-1057-0x0000000073660000-0x0000000073719000-memory.dmp

memory/3124-1062-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/1488-1076-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

C:\Program Files\Microvirt\MEmu\channel.ini

C:\Users\Admin\.MemuHyperv\MemuHyperv.xml

memory/524-1104-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/5724-1105-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/3188-1112-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

C:\Program Files\Microvirt\MEmu\config.ini

C:\Program Files\Microvirt\MEmu\config.ini.lock

MD5 03e879faf00ba2a5e36898802ee2e808
SHA1 f12e930a836fae6a98d414be78340bc2fe26520b
SHA256 0b3f6e4a712324d118649bce0e8f58866321a077d3c260ce580a7ca88503c69d
SHA512 a71101dc56fb6531c9545d2b43eb9a8315c001526423c9ed5fb276fcde9c1101ecaebb3210985f4b323e31c072ff1d8c0ca02253bc78b9f257917271233da710

C:\Program Files\Microvirt\MEmu\MemuHyperv VMs\MEmu\MEmu.memu

MD5 dc54de3999894d74750372182580888d
SHA1 1ad361668a833c116a7305b6bdfc1cd816c460e8
SHA256 1753cc2e7ca705aa4f7e51f2a857fde4b000e4f4abf8e7b3cd2025b091a34e67
SHA512 6f247def9c6c3d33433233e4d536053d04db0993bd525fe9ef1319fbc7629a354f3ffc0028083a929fa5649ab282e93e3e4edd2043ee31e82c8bb03f1c9d7df1

memory/5864-1206-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

C:\Program Files\Microvirt\MEmu\MemuHyperv VMs\MEmu\MEmu.memu

MD5 ffdbe96e1c71e6199be20fc317479b5f
SHA1 5a9f3067bfe0f1ecb6da7fe2964b94b838caa230
SHA256 d08edb2aab9eec9dcb4f471705cd41b45839f7e0bc58cce72ca56d8cb39bdd9e
SHA512 22f9cbee9155cbd8b8f472a0c52b48165c32a8e6c1121b5b44793fa44ec43f211cf47f55501bed7cff014f65859f0fdc0bfeb01940da622f7c3d8f20ba3fe77d

memory/2964-1223-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

memory/2824-1225-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

C:\Program Files\Microvirt\MEmu\config.ini.lock

MD5 e436b4d07d00512c18d91b1718623cbf
SHA1 0ca5679d13db7699f6c1536a1b7f7bc8d03c74b1
SHA256 430e76adc83979ad936d3944bb9dec176defbfb98eef33b3dfd7962994f1cdcd
SHA512 9cba9ba30eb5c2ce8756c50d427d36763e79c309c3f2e702fbf0d9f41a6e99d9ebfc2176445515c6330926222fc2d902fae39a47360e5c414efafe1d8c872b59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

MD5 ac83857f0497a4a0e7669329827cf228
SHA1 18ea483c966969e43a654fcadea9719a8aca370c
SHA256 43337a1354f376890cdb73f3dbaf95a8027761c574c30cdecb321096be485d3e
SHA512 6a35c50764d31d4bac07ddbec2329238cd04f2c58c00629e523ae7fc2a7d6be5d1226f8fb6c3c1043b215c38c47951a66fa8a9d4f4d6ddce7664bd1d011db2aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

MD5 827f01c76ddae0a5c3b4da0419437878
SHA1 8aea34be6f9fc6c6f5cfb97145f6788cbee12aa5
SHA256 791f26f4bf37b5fcc0a6428e65134c563d3d43c789750d540c605fb62e8e59fe
SHA512 daa39455157118cacc9191b03df0a3a6cebdcb7d12df431a865182a46676ae371b271ed9b3266be9a93303a3c5bd057d529e4cd801f8fc75661fea8dce3b6a66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

MD5 66301e63b3bb488b5eadd7831f4d03c4
SHA1 b70a38218bf14ca53c46289a7a31d268923b4493
SHA256 acacf083064c0ba06aeeede1a15d139c3000dce7c8b418cc811c9ab45e83cf18
SHA512 474dad6ccc63fea8fa44dd225714e8e596882e209ef845a4b898f973dfcab91e36b9a18b35ae113f12a1aca27d992a708261ef37868069969684a01728de8184

memory/3124-1367-0x00007FFE7A370000-0x00007FFE7A433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 62bdfe258f0808f0087fa0da4cd776d5
SHA1 c50c6d67239327024cc3b77e501a86e0cd7db47c
SHA256 4383660d70a4db29b8191382648661286d916f0d85fa26c76ee8b82832363913
SHA512 d79b5fe9a4c9a6b17a13ca1279a43f82aa0a118ecc1f0a90aba010f4241803d454856842a8e0b49aa9b8737f3f842f3bf5d1b7ccd65cbb70e506d930c6e4d4db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 98e831ae41e554c2357223ac58f10c39
SHA1 5ad60fe222eb5a6c61de2a40207315b929b66b86
SHA256 5ca04d6f1b5901a31d2f09781eb67bb8487da463c8741cf35fa250cd66a75eba
SHA512 2feecd8f0f3639d46a9a843c3e49632538d8b8752967d34d113e38a142a19932cabb30e541be4baa7e21be01cf0077aef16608fc48ef38446604e17feae67c57

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cde3255b0b52823254fdeed39451650c
SHA1 8c0c5c535fbbd1b4e4cf60c0638af94666eb8d0e
SHA256 50c6960735b871d0ac959b1e4a881866c7427b3bf071efc53ef30197e5097d15
SHA512 5018f0ef01ad6c4419745a7f8298a4e52f493ddcbf116e9d75b4c59a0e626da483a608316ba47b2e6ee35728a8ae76661d6ecee1ae1989a36e1f8c386e4d9c91

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a280b.TMP

MD5 1113526b968c15dd48a05321064df71a
SHA1 7fefdcb24fc8092a79fea4f24b1bab4155ee3743
SHA256 9e67107748c0354959af1f1d73b553a90a97d34c2aa68cd6683aa5abf1788b67
SHA512 11216d7c7e04af8f19643897f422e9d6a4d65aa2ec938e680eccf2162b59bbfb760bfa45a21b38bd3edc28efa70c96b616576223d4c74e5835b173061e246fd2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9a3fcfc78544f83fad6f1ba973b99d7a
SHA1 fb21807c412b02ce3bec926b8a5d148ac33e63b6
SHA256 64c57f8430b8286a0dbeab703ec92b0c69a70d20c50daf6d8a3d426a9aa1a651
SHA512 ab20f3cd49ea39d45f75fbe820e2d21fef107d04b9e21af606b09facdd5b332bb47be695f9647592bb098a1ae4caa73a0db9502f689771235e686865738f18d5

memory/4668-1458-0x00007FFE5F600000-0x00007FFE5F6C3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f9b8991ba445672f3c3d8ae845c807b8
SHA1 3da6757ab1721400923cb3957c9e1381e765ddc8
SHA256 f15f8877ba3e48c3daac4b829236864b8c7335e8b54cb189c1da24da77e5e78c
SHA512 ef26ba8a6ca24bfc2329efae15c0fcbcaec23581f027ce86958764c9afb92e4b368a6fba183469d3166752ac787d32423301d7204a765692686b9a466e7a5eda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 cc12bb39b0c9f78ef8639104074e1869
SHA1 b72ffcb6e788fbcebd35c14fb545ac16d4dcb3e1
SHA256 1c4253ea50b2650b19fba11b65523ac3286443e68c3e2670d2db3a917f944839
SHA512 a89cca1b73a35feb66d6bf63aeca7b665f7230e3ccdfe8d639a83e58369c296c504ad708aa9e4a85543dc9b7bd388a3834020514ec2a8d2e6bc0d359c7db5636

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c1935f2dd5d670b8ff48ff91634e450d
SHA1 78bff2dcced5006818ec6b493adb792eae8a72c9
SHA256 cba0fab9396b58c0c31a1d32e05cbd2c07f1969223953a048f64c2b8d9a07421
SHA512 6d30b5350f7d720369ebe54a4d6af60dbb9d0fb22a8b949d6d592841c4d969c87712ffb8cccc721ff00bcb25d7e0169559909e1f6941481861c481d5e3fe1238

memory/5572-1532-0x00000272441D0000-0x00000272441E0000-memory.dmp

memory/5572-1548-0x00000272442D0000-0x00000272442E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 08ce0e7d571822aaa5952922b4625787
SHA1 65da665e2044e909deed513ddc90c086903d8438
SHA256 9747d6f3f6ec6c94dff2bcf09fa22a057621cf570c3cc242658bda67d378059a
SHA512 e7f5969091f50f5899ab91a957d4928e02ee789d7add3490b5dbffc982a45d6c34123e09f6fd6243d5389c2bb225ade34ff970ad393f6c41088024ce4d818e0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3c863a2aef7afea30f8e2ed8aef02418
SHA1 daea07ff58e96c85573269fa1b359975bdb75a40
SHA256 429e072e36a2c14c87ce8c80235f12e42409285c22986192ad52ccc533877bce
SHA512 865451da022792c4ac7928390b99b0a0c9c68307fd31c9fe3686362fa2ce20e30735fbc16a059c1bffb872cba3e1a7ac8b2b7580d876d6bc1024753d8d94ed6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c45be2b106830862bf42aa97379f5ba5
SHA1 a2d83d66d8f4d336631743f33b5dce38c10c2a02
SHA256 fd07cb5c0f98abb35c9bb3c24ca8b6b6d675eeba8b9f52d1ab243c740ded8652
SHA512 37fe4bc0a40c08845aef2fc2299e70953081376d7d7c0859ebba697d2424a68f513e809a018eb356e9bc0520457580a374e5ada4b81dcd20f4548068b70f3b07