Malware analysis http://135.181.83.225:9090/files Malicious activity

Add for printing

URL:	http://135.181.83.225:9090/files
Full analysis:	https://app.any.run/tasks/df04ba86-67b2-4897-9193-3cea5cfabd85
Verdict:	Malicious activity
Analysis date:	June 05, 2025, 17:11:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec
Indicators:
MD5:	20E949B736A61A151739718D14CDF5A6
SHA1:	C0FB48B0331B9CC1697C184FEBEF3A9F4BEC4289
SHA256:	4B79BB96151F755CFA14792815C3A7C5E9352C2E874129D34248CADDD36CF0CA
SSDEEP:	3:N1KuQYUDVGIAW:CuQYkGIAW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Potential Corporate Privacy Violation
  - msedge.exe (PID: 6300)
- Creates a software uninstall entry
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
- Searches for installed software
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
- Get information on the list of running processes
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
- Drops 7-zip archiver for unpacking
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
- The process drops C-runtime libraries
  - 7z.exe (PID: 7864)
  - 7z.exe (PID: 5024)
- Process drops legitimate windows executable
  - 7z.exe (PID: 7864)
  - 7z.exe (PID: 5024)
- Executable content was dropped or overwritten
  - 7z.exe (PID: 7864)
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - HYUpdater.exe (PID: 232)
  - 7z.exe (PID: 5024)
  - HYP.exe (PID: 6724)
- There is functionality for taking screenshot (YARA)
  - HYP.exe (PID: 6724)
  - HYPHelper.exe (PID: 1120)
INFO
- Reads Environment values
  - identity_helper.exe (PID: 8180)
  - identity_helper.exe (PID: 6560)
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - HYP.exe (PID: 6040)
- Application launched itself
  - msedge.exe (PID: 7796)
  - msedge.exe (PID: 5508)
- Reads the computer name
  - identity_helper.exe (PID: 8180)
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - identity_helper.exe (PID: 6560)
  - 7z.exe (PID: 7864)
  - 7z.exe (PID: 1176)
  - HYP.exe (PID: 6040)
- Checks supported languages
  - identity_helper.exe (PID: 8180)
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - identity_helper.exe (PID: 6560)
  - 7z.exe (PID: 1176)
  - 7z.exe (PID: 7864)
  - launcher.exe (PID: 2104)
  - HYP.exe (PID: 6040)
- Connects to unusual port
  - msedge.exe (PID: 6300)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 7796)
- Reads CPU info
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - HYP.exe (PID: 6040)
- Reads the machine GUID from the registry
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - HYP.exe (PID: 6040)
- Create files in a temporary directory
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
- Checks proxy server information
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - HYP.exe (PID: 6040)
- The sample compiled with english language support
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - 7z.exe (PID: 7864)
  - HYUpdater.exe (PID: 232)
  - 7z.exe (PID: 5024)
  - HYP.exe (PID: 6724)
- Reads the software policy settings
  - slui.exe (PID: 4040)
  - HYP.exe (PID: 6040)
- Creates files or folders in the user directory
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - HYP.exe (PID: 6040)
- Creates files in the program directory
  - HoYoPlay_install_ua_d947e14e0060.exe (PID: 4628)
  - 7z.exe (PID: 7864)
  - HYP.exe (PID: 6040)
- Reads product name
  - HYP.exe (PID: 6040)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

222

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

232

HYUpdater.exe "--data={\"analysis_data\":{\"self_update_source\":\"hyp\"},\"dialog\":\"{\\\"zh-cn\\\":{\\\"title\\\":\\\"HoYoPlay版本更新\\\",\\\"content\\\":\\\"1、优化了启动器的卸载功能，更新完成后可以直接通过Windows控制面板卸载游戏。\\n2、修复了HoYoPlay的部分已知问题。\\\"},\\\"zh-tw\\\":{\\\"title\\\":\\\"HoYoPlay版本更新\\\",\\\"content\\\":\\\"1.改善了啟動器的解除安裝功能，更新完成後可以直接透過Windows控制面板解除安裝遊戲。\\n2.修正了HoYoPlay的部分已知問題。\\\"},\\\"en\\\":{\\\"title\\\":\\\"HoYoPlay Version Update\\\",\\\"content\\\":\\\"1. Optimizes the Uninstall function. After the update is complete, you can uninstall the game directly through the Windows Control Panel. \\r\\n2. Fixes some known issues in HoYoPlay.\\\"},\\\"id\\\":{\\\"title\\\":\\\"Update versi HoYoPlay\\\",\\\"content\\\":\\\"1. Mengoptimalkan fitur Hapus. Kamu bisa langsung menghapus game melalui Panel Kontrol Windows setelah update selesai. \\r\\n2. Memperbaiki beberapa masalah yang ditemukan di HoYoPlay.\\\"},\\\"th\\\":{\\\"title\\\":\\\"อัปเดตเวอร์ชัน HoYoPlay\\\",\\\"content\\\":\\\"1. ปรับปรุงฟังก์ชันถอนการติดตั้ง หลังจากอัปเดตเสร็จสิ้นแล้ว คุณสามารถถอนการติดตั้งเกมได้โดยตรง ผ่าน Control Panel ของ Windows \\r\\n2. แก้ไขปัญหาบางส่วนที่รับทราบแล้วเกี่ยวกับ HoYoPlay\\\"},\\\"de\\\":{\\\"title\\\":\\\"Aktualisierung von HoYoPlay\\\",\\\"content\\\":\\\"1. Optimierung der Deinstallationsfunktion des Launchers. Nach der Aktualisierung lässt sich das Spiel direkt über die Systemsteuerung von Windows deinstallieren. \\r\\n2. Behebung einiger bekannter Probleme des HoYoPlay-Launchers.\\\"},\\\"fr\\\":{\\\"title\\\":\\\"Mise à jour de version de HoYoPlay\\\",\\\"content\\\":\\\"1. Optimisation de la fonctionnalité de désinstallation du launcher. Une fois la mise à jour terminée, vous pouvez désinstaller le jeu directement via le panneau de configuration de Windows. \\r\\n2. Correction de certains problèmes connus de HoYoPlay.\\\"},\\\"es\\\":{\\\"title\\\":\\\"Actualización de la versión de HoYoPlay\\\",\\\"content\\\":\\\"1. Optimizada la función de desinstalación del lanzador. Puedes desinstalar los juegos directamente desde el panel de control de Windows una vez completada la actualización. \\r\\n2. Reparados algunos errores detectados anteriormente en HoYoPlay.\\\"},\\\"pt\\\":{\\\"title\\\":\\\"Atualização de Versão da HoYoPlay\\\",\\\"content\\\":\\\"1. Otimizada a função de desinstalação. Após a atualização ser concluída, você poderá desinstalar o jogo diretamente pelo Painel de Controle do Windows. \\r\\n2. Corrigidos alguns problemas conhecidos na HoYoPlay.\\\"},\\\"ru\\\":{\\\"title\\\":\\\"Обновление HoYoPlay\\\",\\\"content\\\":\\\"1. Улучшена функция удаления в загрузчике. После обновления вы можете удалить игру через Панель управление Windows. \\r\\n2. Исправлены некоторые известные ошибки HoYoPlay.\\\"},\\\"ko\\\":{\\\"title\\\":\\\"HoYoPlay 버전 업데이트\\\",\\\"content\\\":\\\"1. 실행기의 제거 관련 기능이 개선되었습니다. 업데이트 이후에는 Windows 제어판에서 직접 게임을 제거할 수 있게 됩니다. \\r\\n2. HoYoPlay 관련 일부 문제가 수정되었습니다.\\\"},\\\"vi\\\":{\\\"title\\\":\\\"Cập Nhật Phiên Bản HoYoPlay\\\",\\\"content\\\":\\\"1. Ưu hóa tính năng Gỡ của trình khởi chạy Sau khi hoàn thành cập nhật, có thể trực tiếp gỡ game trong qua bảng điều khiển của Windows. \\r\\n2. Sửa một số lỗi đã biết của HoYoPlay.\\\"},\\\"ja\\\":{\\\"title\\\":\\\"HoYoPlayバージョンアップについて\\\",\\\"content\\\":\\\"1.ランチャーのアンインストール機能を改善しました。バージョンアップ後は、Windowsのコントロールパネルからゲームを直接アンインストールすることができます。 \\r\\n2. HoYoPlayの起動に関する一部の不具合を修復しました。\\\"},\\\"tr\\\":{\\\"title\\\":\\\"HoYoPlay Sürüm Güncellemesi\\\",\\\"content\\\":\\\"1. Başlatıcıyı kaldırma işlevi iyileştirildi. Güncelleme tamamlandıktan sonra oyunu doğrudan Windows Denetim Masasından kaldırabilirsin. \\r\\n2. HoYoPlay'deki bilinen bazı sorunlar giderildi.\\\"},\\\"it\\\":{\\\"title\\\":\\\"Aggiornamento della versione di HoYoPlay\\\",\\\"content\\\":\\\"1. Ottimizzata la funzione di disinstallazione del launcher. Dopo l'aggiornamento, sarà possibile disinstallare il gioco direttamente dal Pannello di controllo di Windows. \\r\\n2. Risolti alcuni problemi riscontrati in HoYoPlay.\\\"}}\",\"dialog_content\":\"1. Optimizes the Uninstall function. After the update is complete, you can uninstall the game directly through the Windows Control Panel. \r\n2. Fixes some known issues in HoYoPlay.\",\"dialog_content_en\":\"\",\"dialog_num\":1,\"dialog_period\":3,\"dialog_period_type\":1,\"dialog_title\":\"HoYoPlay Version Update\",\"dialog_title_en\":\"\",\"has_update\":true,\"hyp_game_ids\":[],\"loop_way\":\"\",\"package_md5\":\"AE329AFA34B26F1293B6B6D91493640E\",\"package_name\":\"updater_upload_1746673478.8004541_MSAKSFbg_1_7_3_261.zip\",\"package_size\":\"215615860\",\"package_url\":\"https://hyp-webstatic.hoyoverse.com/hyp-client/VYTpXlbWo8_1.7.3.261_1_1_cps_hyp_global_VYTpXlbWo8_21hoyoverse_202505081105_YXxcagMy.zip\",\"package_version\":\"1.7.3.261\",\"silent\":\"\",\"strategy_id\":704,\"unzip_path\":\"C:/Program Files/HoYoPlay\",\"update_recommended_intensity\":\"1\",\"update_type\":2,\"user_defined\":\"{}\"}"

C:\Program Files\HoYoPlay\1.4.5.222\HYUpdater.exe

HYP.exe

User:

admin

Company:

Cognosphere

Integrity Level:

HIGH

Description:

HoYoPlay

Exit code:

Version:

1.4.5.222

Modules

Images
c:\program files\hoyoplay\1.4.5.222\hyupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

236

"C:\Program Files\HoYoPlay\1.7.3.261\HYPHelper" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-sandbox --locales-dir-path="C:\Program Files\HoYoPlay\1.7.3.261\resources\locales" --log-severity=warning --resources-dir-path="C:\Program Files\HoYoPlay\1.7.3.261\resources" --user-agent="HYPContainer/1.7.3.261 (windows 10)" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Roaming\Cognosphere\HYP\1_0\cache" --windows-job-name=CefView-Job-{f0a3c1e3-ff89-4581-8a45-f0bfd74c4bb0}-6724 --disable-extensions --renderer-process-limit=1 --enable-aggressive-domstorage-flushing --enable-experimental-web-platform-features --pretend-process-name=chrome.exe --no-proxy-server --bridge-obj-name=HYPClient --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\HoYoPlay\1.7.3.261\debug.log" --mojo-platform-channel-handle=2200 --field-trial-handle=3228,i,2831438382899112171,16129188939255990363,131072 --enable-features=BlockInsecurePrivateNetworkRequests,BlockInsecurePrivateNetworkRequestsForNavigations,BlockInsecurePrivateNetworkRequestsFromPrivate,BlockInsecurePrivateNetworkRequestsFromUnknown,ClientHintThirdPartyDelegation,ClientHintsMetaEquivDelegateCH,ClientHintsMetaHTTPEquivAcceptCH,ClipboardCustomFormats,CookieSameSiteConsidersRedirectChain,CriticalClientHint,DocumentPolicyNegotiation,DocumentReporting,EditContext,EnableCanvas2DLayers,ExperimentalContentSecurityPolicyFeatures,OriginIsolationHeader,PendingBeaconAPI,PrefersColorSchemeClientHintHeader,PrefersReducedMotionClientHintHeader,PrivateNetworkAccessForWorkers,PrivateNetworkAccessRespectPreflightResults,SchemefulSameSite,UserAgentClientHint --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\HoYoPlay\1.7.3.261\HYPHelper.exe

—

HYP.exe

User:

admin

Company:

Cognosphere

Integrity Level:

HIGH

Description:

HoYoPlay

Exit code:

Version:

1.7.3.261

Modules

Images
c:\program files\hoyoplay\1.7.3.261\hyphelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\program files\hoyoplay\1.7.3.261\libcef.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll

472

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=6396 --field-trial-handle=2072,i,15519668068582675524,8475233739453632918,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

924

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5128 --field-trial-handle=2072,i,15519668068582675524,8475233739453632918,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

924

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5204 --field-trial-handle=2380,i,14969174800064673166,1315807486178198973,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1116

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4988 --field-trial-handle=2380,i,14969174800064673166,1315807486178198973,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1120

"C:\Program Files\HoYoPlay\1.7.3.261\HYPHelper" --type=gpu-process --no-sandbox --locales-dir-path="C:\Program Files\HoYoPlay\1.7.3.261\resources\locales" --log-severity=warning --resources-dir-path="C:\Program Files\HoYoPlay\1.7.3.261\resources" --user-agent="HYPContainer/1.7.3.261 (windows 10)" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Roaming\Cognosphere\HYP\1_0\cache" --windows-job-name=CefView-Job-{f0a3c1e3-ff89-4581-8a45-f0bfd74c4bb0}-6724 --disable-extensions --renderer-process-limit=1 --enable-aggressive-domstorage-flushing --enable-experimental-web-platform-features --pretend-process-name=chrome.exe --no-proxy-server --bridge-obj-name=HYPClient --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\HoYoPlay\1.7.3.261\debug.log" --mojo-platform-channel-handle=3140 --field-trial-handle=3228,i,2831438382899112171,16129188939255990363,131072 --enable-features=BlockInsecurePrivateNetworkRequests,BlockInsecurePrivateNetworkRequestsForNavigations,BlockInsecurePrivateNetworkRequestsFromPrivate,BlockInsecurePrivateNetworkRequestsFromUnknown,ClientHintThirdPartyDelegation,ClientHintsMetaEquivDelegateCH,ClientHintsMetaHTTPEquivAcceptCH,ClipboardCustomFormats,CookieSameSiteConsidersRedirectChain,CriticalClientHint,DocumentPolicyNegotiation,DocumentReporting,EditContext,EnableCanvas2DLayers,ExperimentalContentSecurityPolicyFeatures,OriginIsolationHeader,PendingBeaconAPI,PrefersColorSchemeClientHintHeader,PrefersReducedMotionClientHintHeader,PrivateNetworkAccessForWorkers,PrivateNetworkAccessRespectPreflightResults,SchemefulSameSite,UserAgentClientHint --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\HoYoPlay\1.7.3.261\HYPHelper.exe

—

HYP.exe

User:

admin

Company:

Cognosphere

Integrity Level:

HIGH

Description:

HoYoPlay

Version:

1.7.3.261

Modules

Images
c:\program files\hoyoplay\1.7.3.261\hyphelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\program files\hoyoplay\1.7.3.261\libcef.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll

1128

"C:\Program Files\HoYoPlay\1.7.3.261\HYPHelper" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --enable-experimental-web-platform-features --locales-dir-path="C:\Program Files\HoYoPlay\1.7.3.261\resources\locales" --log-severity=warning --resources-dir-path="C:\Program Files\HoYoPlay\1.7.3.261\resources" --user-agent="HYPContainer/1.7.3.261 (windows 10)" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Roaming\Cognosphere\HYP\1_0\cache" --windows-job-name=CefView-Job-{f0a3c1e3-ff89-4581-8a45-f0bfd74c4bb0}-6724 --disable-extensions --renderer-process-limit=1 --enable-aggressive-domstorage-flushing --enable-experimental-web-platform-features --pretend-process-name=chrome.exe --no-proxy-server --bridge-obj-name=HYPClient --log-file="C:\Program Files\HoYoPlay\1.7.3.261\debug.log" --mojo-platform-channel-handle=4304 --field-trial-handle=3228,i,2831438382899112171,16129188939255990363,131072 --enable-features=BlockInsecurePrivateNetworkRequests,BlockInsecurePrivateNetworkRequestsForNavigations,BlockInsecurePrivateNetworkRequestsFromPrivate,BlockInsecurePrivateNetworkRequestsFromUnknown,ClientHintThirdPartyDelegation,ClientHintsMetaEquivDelegateCH,ClientHintsMetaHTTPEquivAcceptCH,ClipboardCustomFormats,CookieSameSiteConsidersRedirectChain,CriticalClientHint,DocumentPolicyNegotiation,DocumentReporting,EditContext,EnableCanvas2DLayers,ExperimentalContentSecurityPolicyFeatures,OriginIsolationHeader,PendingBeaconAPI,PrefersColorSchemeClientHintHeader,PrefersReducedMotionClientHintHeader,PrivateNetworkAccessForWorkers,PrivateNetworkAccessRespectPreflightResults,SchemefulSameSite,UserAgentClientHint --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\HoYoPlay\1.7.3.261\HYPHelper.exe

—

HYP.exe

User:

admin

Company:

Cognosphere

Integrity Level:

HIGH

Description:

HoYoPlay

Version:

1.7.3.261

Modules

Images
c:\program files\hoyoplay\1.7.3.261\hyphelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ucrtbase.dll
c:\program files\hoyoplay\1.7.3.261\libcef.dll
c:\windows\system32\user32.dll

1176

7z.exe l C:/Users/admin/AppData/Local/Temp/HYP-cWYtuU/app.7z

C:\Users\admin\AppData\Local\Temp\HYP-cWYtuU\7z.exe

—

HoYoPlay_install_ua_d947e14e0060.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

HIGH

Description:

7-Zip Console

Exit code:

Version:

19.00

Modules

Images
c:\users\admin\appdata\local\temp\hyp-cwytuu\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1240

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4992 --field-trial-handle=2072,i,15519668068582675524,8475233739453632918,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

39 004

Read events

38 910

Write events

Delete events

Modification events


(PID) Process:	(7796) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(7796) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(7796) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(7796) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(7796) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 56BA727D6C952F00
(PID) Process:	(7796) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 5CA6787D6C952F00
(PID) Process:	(7796) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656172
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {A61A03F3-4763-413D-B62F-62365131D35A}
(PID) Process:	(7796) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656172
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {64682255-1EF4-4D88-A13B-406B245FBA7C}
(PID) Process:	(7796) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\656172
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {8B72C331-FDA4-470E-AE85-F0147F5B94B0}
(PID) Process:	(7796) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 0CB7977D6C952F00

Add for printing

Executable files

148

Suspicious files

659

Text files

122

Unknown types

200

Dropped files

PID	Process	Filename		Type
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State~RF11f2ba.TMP		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF11f2d9.TMP		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old~RF11f2d9.TMP		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG.old		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF11f308.TMP		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF11f317.TMP		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
7796	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF11f327.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

188

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6300	msedge.exe	GET	200	135.181.83.225:9090	http://135.181.83.225:9090/files	unknown	—	—	unknown
6300	msedge.exe	GET	—	135.181.83.225:9090	http://135.181.83.225:9090/static/assets/sync.io.svg	unknown	—	—	unknown
6300	msedge.exe	GET	—	135.181.83.225:9090	http://135.181.83.225:9090/static/css/build.css	unknown	—	—	unknown
6544	svchost.exe	GET	200	2.22.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6300	msedge.exe	GET	200	135.181.83.225:9090	http://135.181.83.225:9090/download/HoYoPlay_install_ua_d947e14e0060.exe	unknown	—	—	unknown
7940	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7940	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6480	svchost.exe	HEAD	200	208.89.74.19:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d0729495-2185-4a92-a46f-fde358fd775c?P1=1749596220&P2=404&P3=2&P4=JvUIf9mkhoyEB8YxFIHyR%2by9zp3olTRu62VT1wpcryPrDIbQY2F72XmSIDilUYx7xCJwxITSa6QsFdtAwi%2biyQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6544	svchost.exe	40.126.31.1:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6544	svchost.exe	2.22.98.7:80	ocsp.digicert.com	AKAMAI-AS	GB	whitelisted
2064	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2112	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	40.126.31.1 20.190.159.129 40.126.31.131 40.126.31.71 20.190.159.75 40.126.31.130 20.190.159.71 40.126.31.3	whitelisted
crl.microsoft.com	23.32.238.112 23.32.238.107	whitelisted
google.com	142.250.185.238	whitelisted
www.microsoft.com	2.16.253.202 2.23.246.101	whitelisted
ocsp.digicert.com	2.22.98.7	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
business.bing.com	13.107.6.158	whitelisted

Threats

PID	Process	Class	Message
6300	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6300	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6300	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6300	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6300	msedge.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6300	msedge.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6300	msedge.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6300	msedge.exe	Misc activity	ET INFO EXE - Served Attached HTTP
6300	msedge.exe	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download

Add for printing

No debug info

General Info

http://135.181.83.225:9090/files

20E949B736A61A151739718D14CDF5A6

C0FB48B0331B9CC1697C184FEBEF3A9F4BEC4289

4B79BB96151F755CFA14792815C3A7C5E9352C2E874129D34248CADDD36CF0CA

3:N1KuQYUDVGIAW:CuQYkGIAW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Potential Corporate Privacy Violation

Creates a software uninstall entry

Searches for installed software

Get information on the list of running processes

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

Process drops legitimate windows executable

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

INFO

Reads Environment values

Application launched itself

Reads the computer name

Checks supported languages

Connects to unusual port

Executable content was dropped or overwritten

Reads CPU info

Reads the machine GUID from the registry

Create files in a temporary directory

Checks proxy server information

The sample compiled with english language support

Reads the software policy settings

Creates files or folders in the user directory

Creates files in the program directory

Reads product name

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings