Analysis Overview
Threat Level: Likely malicious
The file https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Drops file in Drivers directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Registers COM server for autorun
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
NTFS ADS
Runs ping.exe
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Analysis: static1
Detonation Overview
Reported: 2024-05-08 21:44
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-08 21:44
Reported: 2024-05-08 21:53
Platform: win10v2004-20240426-en
Max time kernel: 527s
Max time network: 533s
Signatures
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\DRIVERS\MEmuDrv.sys | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET931E.tmp | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET931E.tmp | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuC.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32\ = "\"C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuSVC.exe\"" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32\ThreadingModel = "Free" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0bb3b78c-1807-4249-5ba5-ea42d66af0ba}\InprocServer32\ThreadingModel = "Both" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ThreadingModel = "Free" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{dd3fc71d-26c0-4fe1-bf6f-67f633265bb1}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32\ThreadingModel = "Free" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b1a7a4f2-47b9-4a1e-82b2-07ccd5323c3a}\LocalServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InProcServer32\ = "C:\\Program Files\\Microvirt\\MEmuHyperv\\MEmuProxyStub.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.sys | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.inf | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
| File created | C:\Windows\system32\DRVSTORE\MEmuDrv_4C26FE707B8538A984DDA52017FA77FDC0515737\MEmuDrv.cat | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Microvirt\MEmu\opengl32sw.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuDD2RC.rc | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuHeadless.exe | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\libEGL.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\config.ini.tLMysH | C:\Program Files\Microvirt\MEmu\MEmuConsole.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\resources\img\e.img | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_zh_tr.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_pt_BR.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_uk.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_zh.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_cs.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_ko.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\opengl32sw.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\en-US.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fil.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\lang\MEmu_de.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\libGLES_CM_translator.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\x86\libcrypto-1_1.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qt_de.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\adbdrv\32\i386\USBCoInstaller.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\libxysprt.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\quicklinkicon | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\MEmuGuestPropSvc.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv32.7z | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qt_gd.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\Qt5QmlModels.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\config.ini.fX4536 | C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\Qt5Network.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\zh-TW.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\HPVR0.r0 | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\MEmuNetLwf.sys | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\bn.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\hu.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\kn.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\resources\qtwebengine_resources_200p.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_tl.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\MEmu.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\libcurl.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\msvcr100.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\Qt5Gui.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\playlistformats\qtmultimedia_m3u.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fr.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\hi.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\lang\MEmu_ru.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\mediaservice\dsengine.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv32.7z | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\fi.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\translations\qt_hu.qm | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\image\96\MEmu96-2024040200027FFF-disk2.vmdk | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\NetFltInstall.exe | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv\NetFltInstall.exe | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\th.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\adbdrv\64\android_winusb.inf | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\platforms\qoffscreen.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmuHyperv\x86\msvcr100.dll | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmuHyperv64.7z | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\nb.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File created | C:\Program Files\Microvirt\MEmu\translations\qtwebengine_locales\sl.pak | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\consoleskins\Other\Yellow | C:\Program Files\Microvirt\tempDir\7za.exe | N/A |
| File opened for modification | C:\Program Files\Microvirt\MEmu\config.ini.enKqBI | C:\Program Files\Microvirt\MEmu\MEmuConsole.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Microvirt\MEmu\MEmuConsole.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microvirt\MEmu\MEmuConsole.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c6f56e791a1da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e7f13e891a1da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b7f04e791a1da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085b71de891a1da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000953938e791a1da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f7d21e791a1da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a1126e791a1da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9ACD33F-647D-45AC-8FE9-F49B3183BA3A}\TypeLib\Version = "1.3" | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2514881b-23d0-430a-a7ff-7ed7f05534ba} | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5732F030-4194-EC8B-C761-E1A99327E9FA}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7569351-1750-46F0-936E-BD127D5BC26A}\1.3\HELPDIR | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431685da-3618-4ebc-b038-833ba829b4ba}\NumMethods\ = "25" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f4d803b4-9b2d-4377-bfe6-9702e881516a}\NumMethods\ = "15" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3ba329dc-659c-488b-835c-4eca7ae71c6a}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2e20707d-4325-9a83-83cf-3faf5b97457a} | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c365fb7b-4430-499f-92c8-8bed814a5671} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0A0904D-2F05-4D28-855F-488F96BAD2BA} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b2547866-a0a1-4391-8b86-6952d82efaaa} | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81314d14-fd1c-411a-95c5-e9bb1414e63a} | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3BA329DC-659C-488B-835C-4ECA7AE71C6A}\ = "ISerialPortChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF398A9A-6B76-4805-8FAB-00A9DCF4732A}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39b4e759-1ec0-4c0f-857f-fbe2a737a25a} | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{101ae042-1a29-4a19-92cf-02285773f3ba} | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFCA788C-4477-787D-60B2-3FA70E56FBBA}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7844AA05-B02E-4CDD-A04F-ADE4A762E6BA}\ProxyStubClsid32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839CA}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{adf292b0-92c9-4a77-9d35-e058b39fe0ba} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516A}\ = "ISnapshotRestoredEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{334DF94A-7556-4CBC-8C04-043096B02D8A}\TypeLib\ = "{d7569351-1750-46f0-936e-bd127d5bc26a}" | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77faf1c0-489d-b123-274c-5a95e77ab28a} | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5191A7C-9536-4EF8-820E-3B0E17E5BBCA}\ = "IGuestFileIOEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F99CD4D-BBD2-49BA-B24D-4B5B42FB4C31}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39B4E759-1EC0-4C0F-857F-FBE2A737A25A}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dd3e2654-a161-41f1-b583-4892f4a9d5da}\ProxyStubClsid32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0c293c51-4810-e174-4f78-199376c63bba}\TypeLib\Version = "1.3" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{245D88BD-800A-40F8-87A6-170D02249A5A}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21637b0e-34b8-42d3-acfb-7e96daf77c2a} | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AA} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF5BEFC3-4BA3-7903-2AA4-43988BA1155A}\ = "IDnDTarget" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40A}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d23a9ca3-42da-c94b-8aec-21968e08355a}\NumMethods | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D7609A}\NumMethods\ = "18" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946BA}\NumMethods | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{e062a915-3cf5-4c0a-bc90-9b8d4cc94d8a} | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA91D4C9-4C02-FDB1-C5AC-D89E22E8130A}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81314D14-FD1C-411A-95C5-E9BB1414E63A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{e7932cb8-f6d4-4ab6-9cbf-558eb8959a61}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C984D15F-E191-400B-840E-970F3DAD729A}\ProxyStubClsid32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7569351-1750-46F0-936E-BD127D5BC26A}\1.3 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8398f026-4add-4474-5bc3-2f9f2140b23a} | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27C0B3D-6038-422C-B45E-6D4A0503D9FA}\TypeLib\ = "{d7569351-1750-46f0-936e-bd127d5bc26a}" | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BA}\InprocServer32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4bbc405d-f268-4483-9a52-f43ffdbf67fa}\ProxyStubClsid32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4AFE423B-43E0-E9D0-82E8-CEB307940DD1} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{788B87DF-7708-444B-9EEF-C116CE423D3A}\NumMethods\ = "20" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MemuHyperv.MemuHypervClient\CurVer\ = "MemuHyperv.MemuHypervClient.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00C8F974-92C5-44A1-8F3F-702469FDD04A}\ = "IDHCPServer" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70E7779A-E64A-4908-804E-371CAD23A75A}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BBC405D-F268-4483-9A52-F43FFDBF67FA}\ProxyStubClsid32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{8398F026-4ADD-4474-5BC3-2F9F2140B23A}\NUMMETHODS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{486FD828-4C6B-239B-A846-C4BB69E4103A}\NumMethods\ = "77" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40A}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB8A}\ProxyStubClsid32 | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAC21692-7997-4595-A731-3A509DB604EA}\NumMethods | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B66A}\NumMethods | C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f73650f4-4506-50ca-045a-23a0e32ea50a}\TypeLib\Version = "1.3" | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13a11514-402e-022e-6180-c3944de3f9ca}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDA}\ = "IMEmuSVCAvailabilityChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c02f46d-c9d2-4f11-a384-53f0cf91721a}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{806DA61B-6679-422A-B629-51B06B0C6D9A}\ = "IUSBDeviceStateChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABE94809-2E88-4436-83D7-50F3E64D050A}\TypeLib | C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 1113.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmuRepair.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmuConsole.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\screenrecord.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmuRepair.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmuConsole.exe | N/A |
| N/A | N/A | C:\Program Files\Microvirt\MEmu\MEmu.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.memuplay.com/download-com.frostpixel.robux.pullthepin-on-pc.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe730346f8,0x7ffe73034708,0x7ffe73034718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5056 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:8
C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe
"C:\Users\Admin\Downloads\MEmu-Setup-9.1.2.0-ha8edcb97c.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuUSB
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetFlt
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetLwf
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetAdp
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetFlt
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetLwf
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuNetAdp
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuUSBMon
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuDrv
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuDrv
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuUSBMon
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuNetFlt
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuNetLwf
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" query MEmuNetAdp
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Program Files\Microvirt\tempDir\7za.exe
"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\tempDir\Setup.7z" "-oC:\Program Files\Microvirt"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6164 /prefetch:2
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Microvirt\tempDir\7za.exe
"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv64.7z" "-oC:\Program Files\Microvirt\MEmuHyperv"
C:\Program Files\Microvirt\tempDir\7za.exe
"C:\Program Files\Microvirt\tempDir\7za.exe" x -y -aoa "C:\Program Files\Microvirt\MEmuHyperv32.7z" "-oC:\Program Files\Microvirt\MEmuHyperv\x86" libcurl.dll libcrypto-1_1.dll libssl-1_1.dll msvcp100.dll msvcr100.dll msvcr120.dll MEmuC.dll MEmuHPV.dll MEmuProxyStub.dll MEmuREM.dll MEmuRT.dll
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuDrv
C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe" driver install "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf"
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /UnregServer
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /RegServer
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuC.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\x86\MEmuProxyStub.dll"
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc start MEmuSVC
C:\Program Files\Microvirt\MEmu\MemuService.exe
"C:\Program Files\Microvirt\MEmu\MemuService.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
C:\Program Files\Microvirt\MEmu\MEmuRepair.exe
"C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --getVtStatus
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" setproperty machinefolder "C:\Program Files\Microvirt\MEmu\MemuHyperv VMs"
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" showmediuminfo "C:\Program Files\Microvirt\MEmu\image\96\MEmu96-2024040200027FFF-disk1.vmdk"
C:\Program Files\Microvirt\MEmu\MEmuc.exe
"C:\Program Files\Microvirt\MEmu\MEmuc.exe" create 96
C:\Program Files\Microvirt\MEmu\MEmuConsole.exe
"C:\Program Files\Microvirt\MEmu\MEmuConsole.exe" -b
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
C:\Program Files\Microvirt\MEmu\MEmu.exe
"C:\Program Files\Microvirt\MEmu\MEmu.exe" adjustconfig MEmu
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuManage.exe" list runningvms
C:\Program Files\Microvirt\MEmu\screenrecord.exe
"C:\Program Files\Microvirt\MEmu\screenrecord.exe"
C:\Program Files\Microvirt\MEmu\MEmu.exe
"C:\Program Files\Microvirt\MEmu\MEmu.exe" install
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.memuplay.com/thanks/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe730346f8,0x7ffe73034708,0x7ffe73034718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" -Embedding
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,1698823655806062720,16757332104325838016,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2000 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c4 0x150
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\notepad.exe
"C:\Windows\notepad.exe"
C:\Program Files\Microvirt\MEmu\MEmu.exe
"C:\Program Files\Microvirt\MEmu\MEmu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c chcp 65001 && ping www.baidu.com -n 5
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping www.baidu.com -n 5
C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
C:\Program Files\Microvirt\MEmu\MEmuRepair.exe
"C:\Program Files\Microvirt\MEmu\MEmuRepair.exe" --repairDrv
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /UnregServer
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuProxyStub.dll"
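The process listing above alternates an image path line with that process's command line. Read that way, the installer's sequence is: probe for existing MEmu services with `sc query`, unregister and re-register the COM servers (regsvr32 `/s /u` then `/s`, and MEmuSVC.exe `/UnregServer` then `/RegServer`), install the MEmuDrv kernel driver from its .inf, start the MEmuSVC service, and check connectivity with `ping www.baidu.com` followed by `ipconfig /flushdns`. Note that the image paths are under SysWOW64 while the command lines say System32: the installer is 32-bit, so WoW64 file system redirection resolves those paths to the 32-bit binaries. The script below is an added triage example, not code from the report or from MEmu; it parses the two-line-per-process format and tags those behaviours. SAMPLE is a constructed excerpt of the report's own lines, and the tag names are this example's own.

```python
"""Added example (not part of the original report or of MEmu): triage a
sandbox process listing that alternates an image path line with that
process's command line. Tags the behaviours behind the report's
signatures: service probing and starting via sc.exe, COM (un)registration
via regsvr32 and /RegServer, kernel driver installation from an .inf, and
the ping / ipconfig connectivity checks. SAMPLE is a constructed excerpt
of the report's own lines; tag names are this example's own."""
import ntpath  # Windows path handling regardless of the host OS
import re
from collections import Counter

SAMPLE = r"""
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuSVC
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc query MEmuDrv
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuDrvInst.exe" driver install "C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.inf"
C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe
"C:\Program Files\Microvirt\MEmuHyperv\MEmuSVC.exe" /RegServer
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files\Microvirt\MEmuHyperv\MEmuC.dll"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc start MEmuSVC
C:\Windows\SysWOW64\PING.EXE
ping www.baidu.com -n 5
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
"""


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_listing(text):
    """Pair each image-path line with the command-line line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("expected image / command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def classify(image, cmdline):
    """Return behaviour tags of the form 'category:target' for one process."""
    exe = ntpath.basename(image).lower()
    argv = tokenize(cmdline)
    # The 64-bit regsvr32 re-launched by its 32-bit counterpart is logged with
    # a command line that starts at the switches, so only drop argv[0] when it
    # is the program token.
    args = argv[1:] if argv and not argv[0].startswith("/") else argv
    low = [a.lower() for a in args]
    tags = []
    if exe == "sc.exe" and len(args) >= 2 and low[0] in ("query", "start"):
        kind = "service-probe" if low[0] == "query" else "service-start"
        tags.append(f"{kind}:{args[1]}")
    elif exe == "regsvr32.exe":
        kind = "com-unregister" if "/u" in low else "com-register"
        tags += [f"{kind}:{ntpath.basename(a)}" for a in args if not a.startswith("/")]
    elif "/regserver" in low or "/unregserver" in low:
        kind = "com-register" if "/regserver" in low else "com-unregister"
        tags.append(f"{kind}:{ntpath.basename(image)}")
    elif low[:2] == ["driver", "install"] and len(args) > 2 and low[2].endswith(".inf"):
        tags.append(f"driver-install:{ntpath.basename(args[2])}")
    elif exe == "ping.exe":
        host = next((a for a in args if not a.startswith("-")), None)
        if host:
            tags.append(f"connectivity-check:{host}")
    elif exe == "ipconfig.exe" and "/flushdns" in low:
        tags.append("dns-flush")
    return tags


def triage(text):
    return [(image, classify(image, cmd)) for image, cmd in parse_listing(text)]


def summarize(text):
    """Count tagged behaviours by category."""
    return Counter(t.split(":", 1)[0] for _, tags in triage(text) for t in tags)


def targets(text, category):
    """Sorted, de-duplicated targets of one category (service, DLL, .inf, host)."""
    return sorted({t.split(":", 1)[1] for _, tags in triage(text) for t in tags
                   if t.startswith(category + ":")})


if __name__ == "__main__":
    for image, tags in triage(SAMPLE):
        print(f"{ntpath.basename(image):18} {', '.join(tags) or '-'}")
    print(dict(summarize(SAMPLE)))
```

Run against the full listing, the same rules show that every `sc query` target, every registered DLL and the installed .inf sit under the vendor's own MEmu names, which is what an analyst would check first before accepting the "Likely malicious" verdict at face value.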
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.memuplay.com | udp |
| GB | 108.138.233.66:443 | www.memuplay.com | tcp |
| GB | 108.138.233.66:443 | www.memuplay.com | tcp |
| GB | 108.138.233.66:443 | www.memuplay.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.233.138.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dl.memuplay.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| GB | 216.58.213.2:443 | securepubads.g.doubleclick.net | tcp |
| GB | 18.172.153.57:443 | dl.memuplay.com | tcp |
| GB | 18.172.153.57:443 | dl.memuplay.com | tcp |
| GB | 18.172.153.57:443 | dl.memuplay.com | tcp |
| GB | 18.172.153.57:443 | dl.memuplay.com | tcp |
| GB | 18.172.153.57:443 | dl.memuplay.com | tcp |
| GB | 18.172.153.57:443 | dl.memuplay.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 216.58.213.2:443 | securepubads.g.doubleclick.net | udp |
| GB | 216.58.204.66:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | tcp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| US | 216.239.34.36:443 | region1.analytics.google.com | tcp |
| GB | 216.58.204.67:443 | www.google.co.uk | tcp |
| BE | 64.233.167.156:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 232.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.153.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.167.233.64.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 23.62.61.58:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 58.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.223.35.26:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stat.microvirt.com | udp |
| DE | 154.85.69.81:80 | stat.microvirt.com | tcp |
| US | 8.8.8.8:53 | 81.69.85.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| NL | 23.62.61.107:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.61.62.23.in-addr.arpa | udp |
| DE | 154.85.69.81:80 | stat.microvirt.com | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microvirt.com | udp |
| DE | 154.85.69.81:80 | www.microvirt.com | tcp |
| DE | 154.85.69.81:80 | www.microvirt.com | tcp |
| DE | 154.85.69.81:80 | www.microvirt.com | tcp |
| DE | 154.85.69.81:80 | www.microvirt.com | tcp |
| DE | 154.85.69.81:80 | www.microvirt.com | tcp |
| DE | 154.85.69.81:80 | www.microvirt.com | tcp |
| DE | 154.85.69.81:443 | www.microvirt.com | tcp |
| US | 8.8.8.8:53 | www.memuplay.com | udp |
| GB | 108.138.233.41:80 | www.memuplay.com | tcp |
| GB | 108.138.233.41:80 | www.memuplay.com | tcp |
| GB | 108.138.233.41:80 | www.memuplay.com | tcp |
| GB | 216.58.213.2:443 | securepubads.g.doubleclick.net | udp |
| GB | 172.217.169.34:80 | pagead2.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | kr.memuplay.com | udp |
| GB | 108.138.233.41:80 | www.memuplay.com | tcp |
| GB | 108.138.233.41:80 | www.memuplay.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | discord.gg | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 172.217.169.14:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.180.22:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | 41.233.138.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.180.250.142.in-addr.arpa | udp |
| US | 216.239.34.36:443 | region1.analytics.google.com | udp |
| BE | 64.233.167.156:443 | stats.g.doubleclick.net | udp |
| GB | 216.58.204.67:443 | www.google.co.uk | udp |
| GB | 216.58.212.195:80 | fonts.gstatic.com | tcp |
| GB | 216.58.212.195:80 | fonts.gstatic.com | tcp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.179.230:443 | static.doubleclick.net | tcp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.187.225:443 | yt3.ggpht.com | tcp |
| GB | 172.217.169.74:443 | jnn-pa.googleapis.com | tcp |
| GB | 172.217.169.74:443 | jnn-pa.googleapis.com | tcp |
| GB | 172.217.169.74:443 | jnn-pa.googleapis.com | tcp |
| GB | 172.217.169.74:443 | jnn-pa.googleapis.com | tcp |
| GB | 172.217.169.74:443 | jnn-pa.googleapis.com | tcp |
| GB | 172.217.169.74:443 | jnn-pa.googleapis.com | tcp |
| GB | 142.250.180.22:443 | i.ytimg.com | udp |
| GB | 142.250.187.225:443 | yt3.ggpht.com | tcp |
| GB | 172.217.169.74:443 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 230.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| GB | 142.250.187.206:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | csi.gstatic.com | udp |
| US | 142.251.46.163:443 | csi.gstatic.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 33.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.46.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hstat.microvirt.com | udp |
| DE | 154.85.69.84:443 | hstat.microvirt.com | tcp |
| US | 8.8.8.8:53 | 84.69.85.154.in-addr.arpa | udp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | udp |
| US | 142.251.46.163:443 | csi.gstatic.com | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | r3---sn-aigl6nsr.gvt1.com | udp |
| GB | 74.125.105.136:443 | r3---sn-aigl6nsr.gvt1.com | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.105.125.74.in-addr.arpa | udp |
| N/A | 127.0.0.1:52669 | | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| GB | 172.217.169.14:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | stat.microvirt.com | udp |
| DE | 154.85.69.86:80 | stat.microvirt.com | tcp |
| US | 8.8.8.8:53 | 86.69.85.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.169.14:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| US | 8.8.8.8:53 | csi.gstatic.com | udp |
| US | 216.239.34.36:443 | region1.analytics.google.com | udp |
| GB | 216.58.204.67:443 | www.google.co.uk | udp |
| JP | 142.250.206.227:443 | csi.gstatic.com | udp |
| US | 8.8.8.8:53 | 227.206.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microvirt.com | udp |
| DE | 154.85.69.85:80 | www.microvirt.com | tcp |
| DE | 154.85.69.85:80 | www.microvirt.com | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | 85.69.85.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hstat.microvirt.com | udp |
| DE | 154.85.69.85:443 | hstat.microvirt.com | tcp |
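Most rows in the network table are DNS traffic to 8.8.8.8, and many of those are reverse lookups (names under in-addr.arpa) rather than names the sample asked for; the browser-driven Google, Bing and YouTube traffic comes from the Edge session that opened memuplay.com/thanks. What is attributable to the installed software is the memuplay.com and microvirt.com traffic, and www.microvirt.com and stat.microvirt.com are contacted over plaintext port 80. The script below is an added triage example, not code from the report; it parses the table rows, handles rows whose domain cell is empty (in some exports the protocol is shifted into the domain column), decodes reverse-lookup names back to the address that was looked up, and sorts each row into DNS, plaintext HTTP, TLS, QUIC or local traffic. SAMPLE is a constructed excerpt of the report's rows, and the class names are this example's own.

```python
"""Added example (not part of the original report): triage the report's
network table. Rows are '| country | ip:port | domain | proto |'. Rows with
no domain are kept (some exports shift the protocol into the domain column,
which parse_row repairs), names under in-addr.arpa are reverse (PTR) lookups
and are decoded back to the address looked up, and every row is classified.
SAMPLE is a constructed excerpt of the report's rows."""
import ipaddress
import re
from collections import Counter

SAMPLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.memuplay.com | udp |
| GB | 108.138.233.66:443 | www.memuplay.com | tcp |
| DE | 154.85.69.81:80 | stat.microvirt.com | tcp |
| DE | 154.85.69.81:80 | www.microvirt.com | tcp |
| DE | 154.85.69.84:443 | hstat.microvirt.com | tcp |
| US | 8.8.8.8:53 | udp | |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:52669 | tcp | |
| GB | 216.58.213.2:443 | securepubads.g.doubleclick.net | udp |
"""

DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def parse_row(line):
    """Parse one table row; return None for the header or an unparseable row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) == 4 and cells[3] == "":
        # Export lost the domain cell: the protocol sits in the domain column.
        cells = [cells[0], cells[1], "", cells[2]]
    if len(cells) != 4:
        return None
    m = DEST_RE.match(cells[1])
    if not m:
        return None
    return {"country": cells[0], "ip": m.group(1), "port": int(m.group(2)),
            "domain": cells[2], "proto": cells[3].lower()}


def parse_table(text):
    return [r for r in map(parse_row, text.splitlines()) if r]


def ptr_target(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196' (octets are reversed)."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast and row["port"] == 5353:
        return "mdns"
    if row["port"] == 53:
        if not row["domain"]:
            return "dns-noname"
        return "dns-reverse" if ptr_target(row["domain"]) else "dns-forward"
    if row["port"] == 443:
        return "tls" if row["proto"] == "tcp" else "quic"  # UDP/443 is QUIC
    if row["port"] == 80:
        return "http-plaintext"
    return "other"


def summarize(text):
    return Counter(classify(r) for r in parse_table(text))


def plaintext_hosts(text):
    """Domains contacted over unencrypted HTTP: worth checking what is sent."""
    return sorted({r["domain"] for r in parse_table(text) if classify(r) == "http-plaintext"})


def reverse_lookups(text):
    """Addresses that were resolved back to names via PTR queries."""
    return sorted({ptr_target(r["domain"]) for r in parse_table(text)
                   if classify(r) == "dns-reverse"})


if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    print("plaintext:", plaintext_hosts(SAMPLE))
    print("reverse lookups:", reverse_lookups(SAMPLE))
```

The reverse-lookup addresses are the ones to cross-check against the forward rows: a PTR query for an address the sample never connected to is sandbox or OS background noise, not an indicator.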
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ea98e583ad99df195d29aa066204ab56 |
| SHA1 | f89398664af0179641aa0138b337097b617cb2db |
| SHA256 | a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6 |
| SHA512 | e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f |
\??\pipe\LOCAL\crashpad_2016_AZDZTTTEHWARZZJC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4f7152bc5a1a715ef481e37d1c791959 |
| SHA1 | c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7 |
| SHA256 | 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc |
| SHA512 | 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f73f4e7bd0988f3f344e155c211b6d50 |
| SHA1 | 5b01af2c28af1181efb9980bc9f52a971d1f22f1 |
| SHA256 | 94a22cf957ae4544977316220330683bdb3b8b35b3289a43f42d928f0a1d32f1 |
| SHA512 | 97a6372e98a176f87a2042cae80c889d4ef67c9a260ea5835b3cdb661fef87d2985129671a51ad751e3925c3bcf233a398fcb75ef4fc7a95cad5113ce2c98304 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4e97efe65479b5578cab3b7bf261a507 |
| SHA1 | 93468584cbce2bb11509fe7d2ddb7ef346706dd3 |
| SHA256 | ce5885ed714bb6c829a7ff82a6843cacc8f56cc6cf3a2b55517805803bb69eb3 |
| SHA512 | f5a3824db1881854005092cc600201fd5ec16b9b760a5d1a288ea1a37cf46f67d6c9e5401829eedd0ca707bcacc8013665287426906f1bda049c9d70a72e8d1f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 45107087d3569960c8d545d01ccea6a4 |
| SHA1 | 4f617376ff11c643397eb8f7e745e40dee4abc61 |
| SHA256 | 1a95522ef788348def1e97216183561e46fe0bafe0ba9f7a5b4c183519b4e9a2 |
| SHA512 | 9f570628d571b244a3e042dafd37d46a633c3c54814aae3e115efcb19c0b819503ed8784480414e2bbc6ea25c517ce192a8cde726c183237d0c993d2a7ff91bc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 94c8ea81a2808da75878dc7588f06a3e |
| SHA1 | 5344cf4ecf3b0eebb5bd0e93e445f34556e12d7c |
| SHA256 | 98edb3593d9756f8e33dccd499953e4ba8112e55d967c0250fc8aba88f9d2e8b |
| SHA512 | 9a69e47a36765ed12e32df2778124e33637c7969c80611d765f9cbc660feed4745229111a856bfa3fc9b00aa614d67aafa467e005fb6d904e8011a1d0c105970 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 87e303a9340c9fb4c158e521977004c5 |
| SHA1 | 4c159e930dde9b5fd7bc006842cab9676c186323 |
| SHA256 | 594927c96194f1b059cfea43b7965ca5acbd5e37fe9c39b071fbb29dcd65c411 |
| SHA512 | e0ec58d75e81202639a8061d387f0a93a33272034ed90bd35d40e961ff1ff570a3e0a2305e53322562635b116027fb2f3b3037812a0545182e03d092fd8bd18c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 56c16ca76f0c920c9a9204008d5c5aaf |
| SHA1 | eeeede9672b03536dac8bbe2018c58665ec57962 |
| SHA256 | 4b6d8625c027df26b6f5be9f793ef1d41d9449588ed18028e28e8832b60a24b1 |
| SHA512 | c43ae1544e20f1e9a55a288995fe3a4bebfcca91a0ecc163ddb770a2467f0f7332a95dff855806010374a8127c0f81bfbf31d117b7297ff79bc2376370db2311 |
C:\Users\Admin\AppData\Local\Microvirt\setup\MEmuSetup.log
| MD5 | 58054bb681e67d7c3f7f5283463fba50 |
| SHA1 | 41f30e478dabcc98ed69e856141d67270016f6a2 |
| SHA256 | 8e08b73aa29819ccd68eb458dfc518d2140e12ae08383dbc96511cc2af493551 |
| SHA512 | 34d42898fd6e58f61a07275fe7b53e7f57421c3f2dcc2774f63f22edb32dca3a222af77f5ce0d8b0b5ca0bbc308fcb6710d39172b6d401f1bf427a539d98e08e |
C:\Program Files\Microvirt\tempDir\7za.exe
| MD5 | b9425918e9f7b8affb9952ed02e01285 |
| SHA1 | ff8c9a13df26035911b57edd8bbe28b2f6b07b72 |
| SHA256 | 8a5e4cce83ca7c08945348bfb13395109656079e99bc6445b62c4daae16faa5d |
| SHA512 | c25695517910f30424dc23e5f6f6f2a8c94b471dd69b77798c148f1520d313dcf43985cee507427c5d3aef2f12ab103a598450239668fde1c7b245e156bd501f |
C:\Program Files\Microvirt\MEmuHyperv64.7z
| MD5 | 4f5a8a2038c7e22ea39f17986df5c7d4 |
| SHA1 | cce44b2c9d2eab991025205a310b198a5f2c66c5 |
| SHA256 | f9287bab2e458a55956195e23688ec6781b81f153d7c5b28c50cc9e6fb8eedf8 |
| SHA512 | 51996dd2f0004b30e4ccf0e69a8364c7260b777377221580319829e1be7cba9a711d251e47fce0c40b3bd2b5d5bf1189f56997d6057279a985b003e17e37623a |
C:\Program Files\Microvirt\MEmuHyperv32.7z
| MD5 | ee6cbcf21b968f4925ea15134a29809e |
| SHA1 | d0ff7cdcb950f142f657c3ea48fea285e82500fa |
| SHA256 | 528132a17b1e321c1c7772d01ca1e47dcc017eb775c83cf275900921b32d455b |
| SHA512 | 5d53f4b086360d3f2e59cc621e810018fa1e2b8c9a7f92526d04b313316acbc57b6cec3bd62c47413bc9fcb8f05a00596811d33e4e482b3a574c54ac81990151 |
C:\Program Files\Microvirt\MEmu\aapt.exe
| MD5 | 284db64a9ed1c070602bf9ee77550e3e |
| SHA1 | 48aa0bb65247f1fc0a62404e9cfa355f519d6d4e |
| SHA256 | 29ff3f525786f8014ded9f5a093007dc8e986f5f3d29c345f2fde93416c400eb |
| SHA512 | 2a9b54e88ccbbf79a883deb5c09139f35161d404a53535a83f1d2f650e7adf8ea9d5de5b2b99fddb74687f330941e53f3c6a9f0f158d7fd5bcd1ec33e9205410 |
C:\Program Files\Microvirt\MEmu\adb.exe
| MD5 | f6e68c4cc8cc3288fd5a411f54d8cae2 |
| SHA1 | 9ce3c09bda67e746d385593f3385228790815923 |
| SHA256 | fd488a4e13d4c71acce69e209164398a056fba5a559b7f00c1351390604e5b98 |
| SHA512 | dc66258eb4d8558d578744c2e1124732f48b48333ba67ef3a24ccfa608f1cc619c4f443f61dd15c4264594b9a97305150afbe169226757357aac382241e6f392 |
C:\Program Files\Microvirt\MEmu\imageformats\qtga.dll
| MD5 | 367c723591fde64c38202d4c0f5ecfde |
| SHA1 | c13d74f417601c656f343f00d15e56517ee03b6a |
| SHA256 | ccd620e74045d9c9157903120140b97419cbbe91fd43337e640c67cd4522072a |
| SHA512 | 31c084ba00e094e30c6f912ecd045e19c4451d8783a80dc99b99098f84c5500665a35ac901b0fde84d04df898ad67448e83539a7daa4928e8c78f798b359b256 |
C:\Program Files\Microvirt\MEmu\imageformats\qsvg.dll
| MD5 | f304a2c8067f804d25b98d360e92829f |
| SHA1 | dae1d07de8c33912ff4ffc957f8817b2b3e8293a |
| SHA256 | e45893bb7db31bfd32e87dc7a6b02709fca36eb83a25aedc45a39178ec80051e |
| SHA512 | 5bc122bea8de687820932666c6b76bb153b115263b31a40fd7823a2a36ebc88b27626e06e3a6c5dc5f62970c8c7e9c094984b494d7f279bfdb9bac7a8c2964ca |
C:\Program Files\Microvirt\MEmu\imageformats\qjpeg.dll
| MD5 | 438b696a9811cd821bbe2c54b5c1b4b1 |
| SHA1 | 55eb74a0015228b1e6c1dc97e6f427c9dc804587 |
| SHA256 | 84c23191b5e35eaf899358c21445a5377845c0653668bbd99b1aa8796e0248c7 |
| SHA512 | 961ed9cfcd61a1fc32de89cb97100aaa9a9225c80673b2176975bf62af7f3a0e77a91fb723ed52c553e10a6f754a5e8c8085bdfbd56ef2de8144c53bf41f4e91 |
C:\Program Files\Microvirt\MEmu\imageformats\qico.dll
| MD5 | 7200f8e1af1c6a60501d5fef7772fd0b |
| SHA1 | 5f2bac81a60f7fdfbe8b1a01f111660a3614d679 |
| SHA256 | 35cf0ae6bcd1b8322482d40bf2dd693e276548885284b88e6631ab18a0c2c60e |
| SHA512 | 097835d4c8c61c2489e831b31a8bb6f2feea277439d6697b6e3165ccb6e4758986c9a1fa754696da53b6005a041156ff8bc455a71dc31ea799f5891348a07f22 |
C:\Program Files\Microvirt\MEmu\imageformats\qicns.dll
| MD5 | 862a826020dfe7ab690900a87250992d |
| SHA1 | 983117858f162f7eab3f4aee6e0d9619e20637ef |
| SHA256 | f96e413dc1b8a67c025b3d1769241ee96dd8b079b367a6c868d650a6b68154c4 |
| SHA512 | a71cdfba3023934d0bfe25a05d2fda00f60caaf77122cc0d52c7c6f6555ebf43e13555b563a564023c02e9419471a8ed325d182508ad276517c68c9691d5704a |
C:\Program Files\Microvirt\MEmu\imageformats\qgif.dll
| MD5 | e3a1338efadabb9fc23d955af9a7e070 |
| SHA1 | dfbe82b183fff002a2e841d73474c78f646fdba2 |
| SHA256 | f1fa3bfeea6a600f2c6d209775154cee349b7f687cb4f7213a8cad8870dbb812 |
| SHA512 | 0413a6116e227fa6a3dd7da6fa4bb8db59ed64fc16e37bfa49ca28c687fe791941b3a23193796eb0ece458e87f9f78f587b3a1fe0f188b63b9148037997df1a2 |
C:\Program Files\Microvirt\MEmu\image\96\MEmu.memu
| MD5 | 3e6b8043b85931514eef90a68713fea4 |
| SHA1 | c33cc7f9752b299ef59b309eb88a99ebfd0aaca3 |
| SHA256 | 57f337f986ca34466345eeb4316043d746eed625892ff51760b74ad97c1c52ae |
| SHA512 | b78dc31f64704f34a858a8a57599d055fd7093b59beac4296b8993e9f9a2a0fa7bf41d81f42c2ea075823d6dd9b278a099264e922ab589f39f6624f279c8ceb1 |
C:\Program Files\Microvirt\MEmu\image\96\hyperv.json
| MD5 | 8de1bd47700734f22fb9e25512aba248 |
| SHA1 | a333de1b2eedec209bf800364e1a1277b4ed217f |
| SHA256 | 6bee1284e364cd634cafc4c53ffd6d96c29e318a3ad253a7e7497a585f1eac81 |
| SHA512 | d16bd577ebdb7c8295c64447114228954d6a9a7b98eedfbc578049006c390687ed29f8e903000a71f412fce49eb368a8c2cf5e19f131657a0f319483d1e68eca |
C:\Program Files\Microvirt\MEmu\image\96\boot.vhd
| MD5 | c698d89f145b43c441d8a41dfa30dc66 |
| SHA1 | 1b80b10a64c7097c47d6e5d43e7842379b4c197e |
| SHA256 | fc3083bb02dc8785493481d716310178e3659416fc1bbd8ccd1b0418659f04c4 |