Malware Analysis Report

2025-05-28 16:27

Sample ID 230715-xg2z7sce3t
Target Hype_RegeditNoRec.rar
SHA256 67d51245f00911de82fa3c3d63c8dffc686c1117dcced7cf245cb5fc8609a7ae
Tags
agilenet evasion themida trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

67d51245f00911de82fa3c3d63c8dffc686c1117dcced7cf245cb5fc8609a7ae

Threat Level: Likely malicious

The file Hype_RegeditNoRec.rar was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-15 18:51

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 18:50

Reported

2023-07-15 19:16

Platform

win7-20230712-en

Max time kernel

152s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\Temp\vpxiis.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\Temp\vpxiis.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\Temp\vpxiis.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\pnl.exe N/A
N/A N/A C:\Windows\Temp\dowb.exe N/A
N/A N/A C:\Windows\Temp\vpxiis.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\vpxiis.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\vpxiis.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\pnl.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\pnl.exe N/A (3 identical rows)
N/A N/A C:\Windows\Temp\dowb.exe N/A (61 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\pnl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\dowb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\vpxiis.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\pnl.exe (4 identical rows)
PID 2928 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\dowb.exe (4 identical rows)
PID 2928 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\vpxiis.exe (4 identical rows)
PID 2664 wrote to memory of 3040 N/A C:\Windows\Temp\pnl.exe C:\Windows\SysWOW64\WerFault.exe (4 identical rows)
PID 976 wrote to memory of 1124 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 1900 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 3020 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 1596 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 1080 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 788 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 1964 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 2452 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 1984 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 1680 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 332 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
PID 976 wrote to memory of 436 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (4 identical rows)
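The signature tables in this report flatten four columns into whitespace-separated rows, and the image paths themselves contain spaces ("Hype Regedit.exe"), so the rows are awkward to grep. The script below is an added example and not part of the sandbox report: it parses a copy of rows taken from this report's tables (the rows are the report's, while the row grammar, the PID-to-image mapping and the per-process summary are this example's own), rebuilds the process tree from the WriteProcessMemory rows and lists which anti-analysis checks each process made.

```python
"""Parse this report's flattened 'Description Indicator Process Target'
rows into structured events, rebuild the process tree from the
WriteProcessMemory rows and list the anti-analysis checks per process.

Added example, not the sandbox's own code. SIGNATURE_ROWS holds rows copied
from the report's signature tables (one per parent/child pair); the row
grammar, the PID-to-image mapping and the key descriptions are this
example's own.
"""
import re
from collections import Counter, defaultdict

SIGNATURE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\Temp\vpxiis.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\Temp\vpxiis.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\Temp\vpxiis.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\vpxiis.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\vpxiis.exe N/A
PID 2928 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\pnl.exe
PID 2928 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\dowb.exe
PID 2928 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\vpxiis.exe
PID 2664 wrote to memory of 3040 N/A C:\Windows\Temp\pnl.exe C:\Windows\SysWOW64\WerFault.exe
PID 976 wrote to memory of 1124 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe
PID 976 wrote to memory of 1900 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe
"""

# Image paths may contain spaces, so rows are matched with anchored patterns
# instead of str.split(): registry keys are anchored on the \REGISTRY\ prefix
# (they may contain spaces too, e.g. "Control Panel"), processes on a drive letter.
ROW_PATTERNS = [
    ("registry", re.compile(r"^(?P<action>Key opened|Key value queried) (?P<key>\\REGISTRY\\.+?) "
                            r"(?P<proc>[A-Za-z]:\\.+\.exe) (?P<target>N/A|.+)$")),
    ("privilege", re.compile(r"^Token: (?P<priv>\S+) N/A (?P<proc>[A-Za-z]:\\.+\.exe) (?P<target>N/A|.+)$")),
    ("memwrite", re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                            r"(?P<proc>[A-Za-z]:\\.+?\.exe) (?P<target>[A-Za-z]:\\.+\.exe)$")),
]

# Key suffix -> what the read tells the malware (descriptions are this example's).
ANTI_ANALYSIS_KEYS = {
    r"\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox ACPI table (anti-VM)",
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "system BIOS string (anti-VM)",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video BIOS string (anti-VM)",
    r"\Policies\System\EnableLUA": "UAC state",
    r"\Control Panel\International\Geo\Nation": r"machine location (Geo\Nation)",
}


def parse_rows(text):
    """One dict per row; raises on a row none of the patterns understands."""
    events = []
    for line in text.strip().splitlines():
        for kind, pat in ROW_PATTERNS:
            m = pat.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
        else:
            raise ValueError(f"unrecognised row: {line!r}")
    return events


def process_tree(events):
    """PID -> image and parent PID -> child PIDs, from the memwrite rows.
    Each pair appears four times in the report with the new child as target,
    which is consistent with CreateProcess writing the child's start-up data
    rather than with injection into a running process, so the rows are read
    here as parent->child edges."""
    image, children = {}, defaultdict(set)
    for e in events:
        if e["kind"] == "memwrite":
            src, dst = int(e["src"]), int(e["dst"])
            image.setdefault(src, e["proc"])
            image[dst] = e["target"]
            children[src].add(dst)
    return image, dict(children)


def anti_analysis_by_process(events):
    """Which sandbox/debugger checks each process performed, in report order."""
    out = defaultdict(list)
    for e in events:
        if e["kind"] == "registry":
            desc = next((d for s, d in ANTI_ANALYSIS_KEYS.items() if e["key"].endswith(s)), None)
            if desc:
                out[e["proc"]].append(desc)
        elif e["kind"] == "privilege" and e["priv"] == "SeDebugPrivilege":
            out[e["proc"]].append("SeDebugPrivilege enabled")
    return dict(out)


def child_image_counts(events):
    """How many children of each image were created (one per memwrite row here)."""
    return Counter(e["target"] for e in events if e["kind"] == "memwrite")


if __name__ == "__main__":
    ev = parse_rows(SIGNATURE_ROWS)
    image, children = process_tree(ev)
    for pid in sorted(children):
        print(f"{pid} {image[pid]}")
        for child in sorted(children[pid]):
            print(f"    -> {child} {image[child]}")
    for proc, checks in anti_analysis_by_process(ev).items():
        print(f"{proc}: {', '.join(checks)}")
```

The tree that falls out (the dropper in the user's temp directory -> pnl.exe, dowb.exe and vpxiis.exe in C:\Windows\Temp; vpxiis.exe -> arp.exe; pnl.exe -> WerFault.exe) together with the per-process check list is the part of this report worth carrying into a hunt; the SHA256 values in the Files section below are the file indicators to pair with it.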

Processes

C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe

"C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe"

C:\Windows\Temp\pnl.exe

"C:\Windows\Temp\pnl.exe"

C:\Windows\Temp\dowb.exe

"C:\Windows\Temp\dowb.exe"

C:\Windows\Temp\vpxiis.exe

"C:\Windows\Temp\vpxiis.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 692

C:\Windows\SysWOW64\arp.exe (47 instances with identical command lines; the 12 captured in the WriteProcessMemory table are all spawned by vpxiis.exe, PID 976)

"C:\Windows\System32\arp.exe" -a

The command line names System32 while the image that ran is the SysWOW64 copy: the parent runs under WOW64 (32-bit), so file-system redirection maps System32 to SysWOW64 for it.
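The Processes list above shows the behaviour that is easiest to catch on an endpoint: a binary in C:\Windows\Temp, itself started by a program in the user's temp directory, crashes into WerFault and then runs arp.exe -a dozens of times. The registry reads behind the anti-VM and UAC checks are not visible to Sysmon, which records key and value creation, deletion, set and rename (event IDs 12 to 14) but not opens or queries, so a detection built from this report has to key on process creation. The rule set below is an added example, not the sandbox's or any vendor's detection content; the events are constructed to mirror the report (not real telemetry), and the staging directory, burst threshold and window are this example's own choices.

```python
"""Detection logic for the process behaviour in this report, run over
constructed Sysmon event ID 1 style process-creation events.

Added example, not the sandbox's or any vendor's rules. The events mirror
the report's Processes list but are constructed, not real telemetry; the
staging directory, burst threshold and window are this example's choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAGING_DIR = "c:\\windows\\temp\\"   # where the dropper writes pnl/dowb/vpxiis
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_staging(path):
    return path.lower().startswith(STAGING_DIR)


def make_events():
    """Constructed events: the dropper in the user's temp dir starts three
    binaries in C:\\Windows\\Temp, pnl.exe crashes into WerFault, and
    vpxiis.exe runs 'arp -a' eight times in eight seconds. A lone 'arp -a'
    from cmd.exe is included as the benign control case."""
    t0 = datetime(2023, 7, 15, 18, 51, 0)
    dropper = r"C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe"
    ev = []
    for i, (pid, name) in enumerate([(2664, "pnl.exe"), (2404, "dowb.exe"), (976, "vpxiis.exe")]):
        img = r"C:\Windows\Temp" + "\\" + name
        ev.append(dict(t=t0 + timedelta(seconds=i), pid=pid, ppid=2928, image=img,
                       parent=dropper, cmd=f'"{img}"'))
    ev.append(dict(t=t0 + timedelta(seconds=4), pid=3040, ppid=2664,
                   image=r"C:\Windows\SysWOW64\WerFault.exe", parent=r"C:\Windows\Temp\pnl.exe",
                   cmd=r"C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 692"))
    for i in range(8):
        # Image is the SysWOW64 copy although the command line says System32:
        # the 32-bit parent is subject to WOW64 file-system redirection.
        ev.append(dict(t=t0 + timedelta(seconds=10 + i), pid=1100 + i, ppid=976,
                       image=r"C:\Windows\SysWOW64\arp.exe", parent=r"C:\Windows\Temp\vpxiis.exe",
                       cmd=r'"C:\Windows\System32\arp.exe" -a'))
    ev.append(dict(t=t0 + timedelta(seconds=30), pid=4000, ppid=3999,
                   image=r"C:\Windows\System32\arp.exe", parent=r"C:\Windows\System32\cmd.exe",
                   cmd="arp -a"))
    return ev


def detect(events, burst_threshold=5, window=timedelta(seconds=60)):
    """Return (rule, parent_pid, detail) tuples. Rules key on Image (the
    binary that actually ran), never on the path inside CommandLine."""
    alerts = []
    events = sorted(events, key=lambda e: e["t"])
    arp_runs = defaultdict(list)   # parent pid -> times it spawned 'arp -a'
    for e in events:
        if USER_TEMP_RE.match(e["parent"]) and _in_staging(e["image"]):
            alerts.append(("dropper_staged_binary_in_windows_temp", e["ppid"], e["image"]))
        if _base(e["image"]) == "werfault.exe" and _in_staging(e["parent"]):
            alerts.append(("staged_binary_crashed", e["ppid"], e["cmd"]))
        if _base(e["image"]) == "arp.exe" and "-a" in e["cmd"].split() and _in_staging(e["parent"]):
            arp_runs[e["ppid"]].append(e["t"])
    # Sliding window: alert once per parent when >= burst_threshold 'arp -a'
    # process creations fall inside `window`.
    for ppid, times in arp_runs.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("arp_cache_enumeration_burst", ppid,
                               f"{end - start + 1} x 'arp -a' within {int(window.total_seconds())}s"))
                break
    return alerts


if __name__ == "__main__":
    for rule, ppid, detail in detect(make_events()):
        print(f"{rule:40} parent_pid={ppid} {detail}")
```

Matching on Image rather than on the command-line path matters here: the 32-bit parent's command line says System32 while the binary that actually ran is the SysWOW64 copy, and a rule anchored on the command-line path would miss it. Tune burst_threshold and window against how often arp -a appears in your own process telemetry before deploying.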

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.auth.gg udp
US 192.124.249.189:443 api.auth.gg tcp

Files

memory/2928-55-0x0000000001240000-0x0000000002240000-memory.dmp

memory/2928-54-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/2928-56-0x000000000F8A0000-0x000000000F8E0000-memory.dmp

\Windows\Temp\pnl.exe

MD5 48ef0378eb7d125c37a825e1727bf9c6
SHA1 beab162b64248eac8e070c23b706f6059ce5dcfa
SHA256 77afabdae4961cc055becf7ca7e696a62d32b02c8daa4fde81d0a2dc2b937aa7
SHA512 f6c1dd87a3f91991c699763ab890ca36be1f5b3ec160ffef49899971c90b5ff3f5dca3717f3db63998641d4ee77a08d55d3778537e5d77e752245a1193f2254a

C:\Windows\Temp\pnl.exe

MD5 48ef0378eb7d125c37a825e1727bf9c6
SHA1 beab162b64248eac8e070c23b706f6059ce5dcfa
SHA256 77afabdae4961cc055becf7ca7e696a62d32b02c8daa4fde81d0a2dc2b937aa7
SHA512 f6c1dd87a3f91991c699763ab890ca36be1f5b3ec160ffef49899971c90b5ff3f5dca3717f3db63998641d4ee77a08d55d3778537e5d77e752245a1193f2254a

memory/2664-70-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/2664-69-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

C:\Windows\Temp\dowb.exe

MD5 d4c5a6b52a0360dd4c17ad9d32484477
SHA1 6f0a77dfac1ee96c696f19a3a041fd74b7cf7e24
SHA256 ea8ff91c2c4701ba0a0614fbf52ac96c3bc979cdd4b81da1d81f5340efd7f2d4
SHA512 d64eae4e417146b4f119c0df9cbdd1cebb141fd594920961d8e1b075a8c72db8541a0bb51b4e9136fffc7ae451c7e34841576d0e58dc9104c99a7dbbf3a79435

memory/2404-77-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/2404-79-0x0000000001200000-0x000000000190C000-memory.dmp

memory/2664-76-0x0000000004C60000-0x0000000004CA0000-memory.dmp

\Windows\Temp\dowb.exe

MD5 d4c5a6b52a0360dd4c17ad9d32484477
SHA1 6f0a77dfac1ee96c696f19a3a041fd74b7cf7e24
SHA256 ea8ff91c2c4701ba0a0614fbf52ac96c3bc979cdd4b81da1d81f5340efd7f2d4
SHA512 d64eae4e417146b4f119c0df9cbdd1cebb141fd594920961d8e1b075a8c72db8541a0bb51b4e9136fffc7ae451c7e34841576d0e58dc9104c99a7dbbf3a79435

\Windows\Temp\vpxiis.exe

MD5 1339d9b2e6286b64fadaa6f8fad00091
SHA1 47585a5bd08ecd1f939ebd0c2e74504376855146
SHA256 1555d682a099098621079072db88e6cbd306f92b9ccd4db4ad6485dd6d81fe50
SHA512 572ff0bb039f77748ec36ac39e80e4f18af7364599b450a107345f608eef1587314ca50a82b4c35290107e881916dcbcc444b29692b59b3d73aa3f7f3c3ac570

memory/2928-84-0x0000000012B50000-0x0000000013A64000-memory.dmp

memory/2664-85-0x0000000004C60000-0x0000000004CA0000-memory.dmp

C:\Windows\Temp\vpxiis.exe

MD5 1339d9b2e6286b64fadaa6f8fad00091
SHA1 47585a5bd08ecd1f939ebd0c2e74504376855146
SHA256 1555d682a099098621079072db88e6cbd306f92b9ccd4db4ad6485dd6d81fe50
SHA512 572ff0bb039f77748ec36ac39e80e4f18af7364599b450a107345f608eef1587314ca50a82b4c35290107e881916dcbcc444b29692b59b3d73aa3f7f3c3ac570

memory/2404-86-0x0000000000B90000-0x0000000000BD0000-memory.dmp

memory/2404-87-0x0000000000B90000-0x0000000000BD0000-memory.dmp

memory/976-88-0x0000000076460000-0x0000000076570000-memory.dmp

memory/976-89-0x0000000076460000-0x0000000076570000-memory.dmp

memory/976-90-0x0000000076460000-0x0000000076570000-memory.dmp

memory/976-91-0x0000000076250000-0x0000000076297000-memory.dmp

memory/976-92-0x0000000076460000-0x0000000076570000-memory.dmp

memory/2928-93-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/976-94-0x0000000000D20000-0x0000000001C34000-memory.dmp

memory/976-95-0x0000000076460000-0x0000000076570000-memory.dmp

memory/976-96-0x0000000076460000-0x0000000076570000-memory.dmp

memory/976-97-0x0000000077890000-0x0000000077892000-memory.dmp

memory/976-101-0x0000000000D20000-0x0000000001C34000-memory.dmp

memory/976-100-0x0000000000D20000-0x0000000001C34000-memory.dmp

memory/2928-107-0x000000000F8A0000-0x000000000F8E0000-memory.dmp

memory/2664-109-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/2404-110-0x00000000748C0000-0x0000000074FAE000-memory.dmp

memory/2404-112-0x0000000000B90000-0x0000000000BD0000-memory.dmp

memory/2928-111-0x0000000012B50000-0x0000000013A64000-memory.dmp

memory/2404-113-0x0000000000B90000-0x0000000000BD0000-memory.dmp

memory/976-114-0x0000000076460000-0x0000000076570000-memory.dmp

memory/976-115-0x0000000076250000-0x0000000076297000-memory.dmp

memory/976-116-0x0000000000D20000-0x0000000001C34000-memory.dmp

memory/976-118-0x0000000076460000-0x0000000076570000-memory.dmp

memory/976-117-0x0000000076460000-0x0000000076570000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-15 18:50

Reported

2023-07-15 19:16

Platform

win10v2004-20230703-en

Max time kernel

153s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\Temp\vpxiis.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\Temp\vpxiis.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\Temp\vpxiis.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\pnl.exe N/A
N/A N/A C:\Windows\Temp\dowb.exe N/A
N/A N/A C:\Windows\Temp\vpxiis.exe N/A
N/A N/A C:\Users\Admin\Downloads\Hype_RegeditNoRec\Hype Regedit.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\vpxiis.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\vpxiis.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\pnl.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\pnl.exe N/A (5 identical rows)
N/A N/A C:\Windows\Temp\dowb.exe N/A (59 identical rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (21 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\pnl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\dowb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\vpxiis.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Hype_RegeditNoRec\Hype Regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (58 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (row repeated 24 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\pnl.exe (row repeated 3 times)
PID 2256 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\dowb.exe (row repeated 3 times)
PID 2256 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe C:\Windows\Temp\vpxiis.exe (row repeated 3 times)
PID 4724 wrote to memory of 1320 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe (row repeated 3 times)
PID 3220 wrote to memory of 912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (row repeated 2 times)
PID 3220 wrote to memory of 2244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (row repeated 40 times)
PID 3220 wrote to memory of 3256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (row repeated 2 times)
PID 3220 wrote to memory of 3452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (row repeated 8 times)

Processes

C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe

"C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe"

C:\Windows\Temp\pnl.exe

"C:\Windows\Temp\pnl.exe"

C:\Windows\Temp\dowb.exe

"C:\Windows\Temp\dowb.exe"

C:\Windows\Temp\vpxiis.exe

"C:\Windows\Temp\vpxiis.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1140

C:\Windows\SysWOW64\arp.exe

"C:\Windows\System32\arp.exe" -a

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffefa9446f8,0x7ffefa944708,0x7ffefa944718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,7679070429078203892,7724726662299821066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Hype_RegeditNoRec\" -spe -an -ai#7zMap23308:96:7zEvent1920

C:\Users\Admin\Downloads\Hype_RegeditNoRec\Hype Regedit.exe

"C:\Users\Admin\Downloads\Hype_RegeditNoRec\Hype Regedit.exe"
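The WriteProcessMemory table and the process list above are easier to read together than apart: every parent-to-child write from the sample (PID 2256) targets a freshly launched executable in C:\Windows\Temp, vpxiis.exe (PID 4724) then launches arp.exe -a, both WerFault.exe command lines carry -p 4764 so the "Program crash" hit is pnl.exe, and arp.exe ran from SysWOW64 although the command line asked for System32, which is WOW64 file-system redirection and tells you vpxiis.exe is a 32-bit process. The script below is an added triage helper and is not part of the sandbox report: it rebuilds the process tree from the report's rows (copied in with their repeat counts), maps the WerFault PID back to an image, and flags the temp-directory launches and the discovery tool. Its self-spawn filter (the msedge.exe broker writing into its own children), the writable-directory list and the discovery-tool list are this example's assumptions. A handful of writes from a parent into a child it has just created can be ordinary process start-up rather than injection, so the per-edge write count is kept for comparison rather than scored.

```python
# Added triage helper (not part of the sandbox report): rebuild the sample's
# process tree from the "wrote to memory of" rows and check it against the
# process list. Rows are copied from the report with their repeat counts; the
# self-spawn rule, WRITABLE_DIRS and DISCOVERY_TOOLS are assumptions.
import re
from collections import deque

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Hype Regedit.exe"

# (repeat count, row) from the "Suspicious use of WriteProcessMemory" table.
WPM_ROWS = [
    (3, rf"PID 2256 wrote to memory of 4764 N/A {SAMPLE} C:\Windows\Temp\pnl.exe"),
    (3, rf"PID 2256 wrote to memory of 876 N/A {SAMPLE} C:\Windows\Temp\dowb.exe"),
    (3, rf"PID 2256 wrote to memory of 4724 N/A {SAMPLE} C:\Windows\Temp\vpxiis.exe"),
    (3, r"PID 4724 wrote to memory of 1320 N/A C:\Windows\Temp\vpxiis.exe C:\Windows\SysWOW64\arp.exe"),
    (2, f"PID 3220 wrote to memory of 912 N/A {EDGE} {EDGE}"),
    (40, f"PID 3220 wrote to memory of 2244 N/A {EDGE} {EDGE}"),
    (2, f"PID 3220 wrote to memory of 3256 N/A {EDGE} {EDGE}"),
    (8, f"PID 3220 wrote to memory of 3452 N/A {EDGE} {EDGE}"),
]
# (image, command line) from the "Processes" list, sample chain only.
PROCESS_LIST = [
    (SAMPLE, f'"{SAMPLE}"'),
    (r"C:\Windows\Temp\pnl.exe", r'"C:\Windows\Temp\pnl.exe"'),
    (r"C:\Windows\Temp\dowb.exe", r'"C:\Windows\Temp\dowb.exe"'),
    (r"C:\Windows\Temp\vpxiis.exe", r'"C:\Windows\Temp\vpxiis.exe"'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1140"),
    (r"C:\Windows\SysWOW64\arp.exe", r'"C:\Windows\System32\arp.exe" -a'),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$")
WERFAULT_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)
WRITABLE_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")        # assumption
DISCOVERY_TOOLS = {"arp.exe", "ipconfig.exe", "netstat.exe", "whoami.exe"}  # assumption


def parse_wpm(rows):
    """{(ppid, cpid): {"parent": image, "child": image, "writes": n}}."""
    edges = {}
    for count, row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row}")
        edge = edges.setdefault((int(m[1]), int(m[2])),
                                {"parent": m[3], "child": m[4], "writes": 0})
        edge["writes"] += count
    return edges


def is_self_spawn(edge):
    """Assumption: a parent writing into a child that runs the same image is a
    Chromium-style browser broker setting up its own child, not injection."""
    return edge["parent"].lower() == edge["child"].lower()


def descendants(edges, root):
    """PIDs reachable from root along parent->child writes (root included)."""
    seen, todo = {root}, deque([root])
    while todo:
        pid = todo.popleft()
        for ppid, cpid in edges:
            if ppid == pid and cpid not in seen:
                seen.add(cpid)
                todo.append(cpid)
    return seen


def in_writable_dir(path):
    return any(d in path.lower() for d in WRITABLE_DIRS)


def triage(edges, process_list):
    images = {}
    for (ppid, cpid), e in edges.items():
        images.setdefault(ppid, e["parent"])
        images.setdefault(cpid, e["child"])
    dropped, discovery = {}, {}
    for (ppid, cpid), e in edges.items():
        if is_self_spawn(e):
            continue
        if in_writable_dir(e["child"]):
            dropped[cpid] = e["child"]                 # payload run from a temp dir
        child_name = e["child"].rsplit("\\", 1)[-1].lower()
        if child_name in DISCOVERY_TOOLS and in_writable_dir(e["parent"]):
            discovery[cpid] = (e["parent"], e["child"])  # vpxiis.exe -> arp.exe
    # WerFault's -p names the process that crashed; map the PID back to an image.
    crashed = {}
    for _, cmd in process_list:
        m = WERFAULT_RE.search(cmd)
        if m:
            crashed[int(m[1])] = images.get(int(m[1]), "unknown")
    # Command line asked for System32 but the image ran from SysWOW64: the
    # caller is a 32-bit process and WOW64 file-system redirection applied.
    wow64 = [img for img, cmd in process_list
             if "\\syswow64\\" in img.lower() and "\\system32\\" in cmd.lower()]
    return {"dropped": dropped, "discovery": discovery, "crashed": crashed, "wow64": wow64}


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("sample chain PIDs:", sorted(descendants(edges, 2256)))
    for key, val in triage(edges, PROCESS_LIST).items():
        print(f"{key}: {val}")
```

Running it prints the sample chain {2256, 4764, 876, 4724, 1320} with the four msedge.exe edges set aside, the three C:\Windows\Temp payloads, the arp.exe launch from vpxiis.exe, the crash of 4764 resolved to pnl.exe, and the SysWOW64 redirection of arp.exe.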

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 126.136.241.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 api.auth.gg udp
US 192.124.249.189:443 api.auth.gg tcp
US 8.8.8.8:53 189.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 95.101.74.90:443 assets.msn.com tcp
US 8.8.8.8:53 90.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
NL 95.101.74.28:443 www.bing.com tcp
US 8.8.8.8:53 28.74.101.95.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 95.101.74.28:443 th.bing.com tcp
NL 95.101.74.40:443 th.bing.com tcp
NL 95.101.74.40:443 th.bing.com tcp
NL 95.101.74.28:443 th.bing.com tcp
US 8.8.8.8:53 40.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.133:443 login.microsoftonline.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 send-anywhere.com udp
NL 65.9.86.4:443 send-anywhere.com tcp
NL 65.9.86.4:443 send-anywhere.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 static.zdassets.com udp
US 8.8.8.8:53 cdn.cookielaw.org udp
US 8.8.8.8:53 wcs.naver.net udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.18.70.113:443 static.zdassets.com tcp
US 104.18.170.114:443 cdn.cookielaw.org tcp
NL 23.42.198.213:443 wcs.naver.net tcp
US 8.8.8.8:53 wcs.naver.com udp
US 104.18.170.114:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 ekr.zdassets.com udp
US 8.8.8.8:53 www.googletagservices.com udp
US 8.8.8.8:53 connect.facebook.net udp
NL 142.251.36.34:443 www.googletagservices.com tcp
US 104.18.70.113:443 ekr.zdassets.com tcp
KR 210.89.167.46:443 wcs.naver.com tcp
US 157.240.24.13:443 connect.facebook.net tcp
US 157.240.24.13:443 connect.facebook.net tcp
KR 210.89.167.46:443 wcs.naver.com tcp
US 8.8.8.8:53 4.86.9.65.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 113.70.18.104.in-addr.arpa udp
US 8.8.8.8:53 114.170.18.104.in-addr.arpa udp
US 8.8.8.8:53 213.198.42.23.in-addr.arpa udp
US 8.8.8.8:53 34.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 8.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 2.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 13.24.240.157.in-addr.arpa udp
US 8.8.8.8:53 js.stripe.com udp
US 8.8.8.8:53 d10lpsik1i8c69.cloudfront.net udp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 m.servedby-buysellads.com udp
US 8.8.8.8:53 cdn.carbonads.com udp
US 8.8.8.8:53 send-anywhere.zendesk.com udp
US 151.101.0.176:443 js.stripe.com tcp
DE 143.204.214.30:443 d10lpsik1i8c69.cloudfront.net tcp
US 104.16.51.111:443 send-anywhere.zendesk.com tcp
US 151.139.128.10:443 cdn.carbonads.com tcp
US 151.139.128.10:443 cdn.carbonads.com tcp
US 104.18.29.38:443 geolocation.onetrust.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.194:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 95.101.74.202:80 apps.identrust.com tcp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
NL 95.101.74.202:80 apps.identrust.com tcp
DE 172.217.23.194:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 216.239.32.181:443 analytics.google.com tcp
NL 142.250.102.156:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 46.167.89.210.in-addr.arpa udp
US 8.8.8.8:53 176.0.101.151.in-addr.arpa udp
US 8.8.8.8:53 111.51.16.104.in-addr.arpa udp
US 8.8.8.8:53 10.128.139.151.in-addr.arpa udp
US 8.8.8.8:53 30.214.204.143.in-addr.arpa udp
US 8.8.8.8:53 38.29.18.104.in-addr.arpa udp
US 8.8.8.8:53 194.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 112.211.227.13.in-addr.arpa udp
US 8.8.8.8:53 194.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 254.105.26.67.in-addr.arpa udp
US 8.8.8.8:53 181.32.239.216.in-addr.arpa udp
US 204.79.197.200:443 www2.bing.com tcp
US 8.8.8.8:53 ed915ad0586e2c46670476c47cdd2689.safeframe.googlesyndication.com udp
DE 172.217.23.194:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 srv.buysellads.com udp
NL 142.250.179.161:443 ed915ad0586e2c46670476c47cdd2689.safeframe.googlesyndication.com tcp
GB 159.65.16.11:443 srv.buysellads.com tcp
US 8.8.8.8:53 settings.luckyorange.net udp
US 8.8.8.8:53 srv.carbonads.net udp
GB 46.101.85.187:443 srv.carbonads.net tcp
US 172.67.75.100:443 settings.luckyorange.net tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 216.239.32.181:443 analytics.google.com udp
NL 142.251.36.34:443 www.googletagservices.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
NL 142.250.102.156:443 stats.g.doubleclick.net udp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 d4a553n24khrv.cloudfront.net udp
NL 142.250.179.161:443 ed915ad0586e2c46670476c47cdd2689.safeframe.googlesyndication.com udp
US 8.8.8.8:53 156.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 161.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.16.65.159.in-addr.arpa udp
US 8.8.8.8:53 100.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 187.85.101.46.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 18.65.39.94:443 d4a553n24khrv.cloudfront.net tcp
US 8.8.8.8:53 cdn4.buysellads.net udp
US 151.139.128.10:443 cdn4.buysellads.net tcp
US 8.8.8.8:53 94.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 151.101.0.176:443 js.stripe.com udp
US 8.8.8.8:53 m.stripe.network udp
US 35.164.155.70:443 m.stripe.com tcp
US 8.8.8.8:53 70.155.164.35.in-addr.arpa udp
US 8.8.8.8:53 file-13-233-93-51.send-anywhere.com udp
IN 13.233.93.51:443 file-13-233-93-51.send-anywhere.com tcp
US 8.8.8.8:53 51.93.233.13.in-addr.arpa udp
NL 142.250.179.194:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads4.g.doubleclick.net udp
US 8.8.8.8:53 s0.2mdn.net udp
NL 142.250.179.134:443 s0.2mdn.net tcp
NL 142.251.36.2:443 googleads4.g.doubleclick.net tcp
US 8.8.8.8:53 134.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.36.251.142.in-addr.arpa udp
IN 13.233.93.51:443 file-13-233-93-51.send-anywhere.com tcp
IN 13.233.93.51:443 file-13-233-93-51.send-anywhere.com tcp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 privacyportal.onetrust.com udp
US 104.18.29.38:443 privacyportal.onetrust.com tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
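
A triage helper for the connection listing above, added here as an example; it is not part of the report and not code from the sandbox vendor. It assumes the line format shown ("<CC> <ip>:<port> <host> <tcp|udp>") and that 8.8.8.8:53 is the sandbox's DNS forwarder, which is what every udp query line points at; the sample lines embedded in it are copied from this section. It splits resolver traffic from real connections, discards the in-addr.arpa reverse-lookup noise, collapses repeated connections to one endpoint per host, and reports the three things worth looking at first in a listing this long: hosts that were resolved but never contacted, hosts contacted with no visible lookup, and anything reached over cleartext TCP/80.

```python
"""Triage helper for a sandbox 'Network' listing.

Added example for this report, not code from the report or from the sandbox
vendor. Assumes the line format '<CC> <ip>:<port> <host> <tcp|udp>' and that
8.8.8.8:53 is the sandbox's DNS forwarder (what the listing shows).
"""
import re
from collections import defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    cc: str
    ip: str
    port: int
    host: str
    proto: str


LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+"
    r"(?P<host>\S+)\s+(?P<proto>tcp|udp)$"
)
RESOLVER = ("8.8.8.8", 53)  # assumption: the forwarder behind every 'udp' query line

# Constructed subset of lines copied from the report's Network section.
SAMPLE = """\
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 apis.google.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 file-13-233-93-51.send-anywhere.com udp
IN 13.233.93.51:443 file-13-233-93-51.send-anywhere.com tcp
IN 13.233.93.51:443 file-13-233-93-51.send-anywhere.com tcp
NL 95.101.74.202:80 apps.identrust.com tcp
"""


def parse(text: str) -> list[Conn]:
    """Parse listing lines into Conn records; anything off-format is an error."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised network line: {line!r}")
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["host"], m["proto"]))
    return conns


def summarize(conns: list[Conn]) -> dict:
    """Split resolver traffic from connections and flag the gaps between them.

    queried       hostnames looked up at the resolver (PTR noise removed)
    connected     host -> {(ip, port, proto, cc)}, repeated connections collapsed
    resolved_only looked up but never connected to
    unresolved    connected to with no lookup anywhere in the listing
    cleartext     TCP/80 connections, i.e. traffic with no transport security
    """
    queried: set[str] = set()
    reverse_lookups = 0
    connected: dict[str, set] = defaultdict(set)
    for c in conns:
        if (c.ip, c.port) == RESOLVER and c.proto == "udp":
            if c.host.endswith(".in-addr.arpa"):
                reverse_lookups += 1  # PTR lookups: sandbox artefact, not sample intent
            else:
                queried.add(c.host)
        else:
            connected[c.host].add((c.ip, c.port, c.proto, c.cc))
    cleartext = {
        (host, ip, port)
        for host, endpoints in connected.items()
        for ip, port, proto, _cc in endpoints
        if proto == "tcp" and port == 80
    }
    return {
        "queried": queried,
        "reverse_lookups": reverse_lookups,
        "connected": dict(connected),
        "resolved_only": queried - set(connected),
        "unresolved": set(connected) - queried,
        "cleartext": cleartext,
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

Paste the whole listing into SAMPLE to run it over the real data; the resolved_only and unresolved sets are where a sample's own beaconing tends to surface once the ad-network, analytics and CDN hostnames are grouped out of the way, and the udp lines to port 443 are QUIC, not resolver traffic, so they stay in the connected set.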

Files

memory/2256-133-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/2256-134-0x0000000000BC0000-0x0000000001BC0000-memory.dmp

memory/2256-135-0x0000000010150000-0x00000000101EC000-memory.dmp

memory/2256-136-0x00000000107A0000-0x0000000010D44000-memory.dmp

memory/2256-137-0x00000000101F0000-0x0000000010282000-memory.dmp

memory/2256-138-0x0000000010470000-0x0000000010480000-memory.dmp

memory/2256-139-0x0000000010120000-0x000000001012A000-memory.dmp

memory/2256-140-0x0000000010480000-0x00000000104D6000-memory.dmp

C:\Windows\Temp\pnl.exe

MD5 48ef0378eb7d125c37a825e1727bf9c6
SHA1 beab162b64248eac8e070c23b706f6059ce5dcfa
SHA256 77afabdae4961cc055becf7ca7e696a62d32b02c8daa4fde81d0a2dc2b937aa7
SHA512 f6c1dd87a3f91991c699763ab890ca36be1f5b3ec160ffef49899971c90b5ff3f5dca3717f3db63998641d4ee77a08d55d3778537e5d77e752245a1193f2254a

C:\Windows\Temp\dowb.exe

MD5 d4c5a6b52a0360dd4c17ad9d32484477
SHA1 6f0a77dfac1ee96c696f19a3a041fd74b7cf7e24
SHA256 ea8ff91c2c4701ba0a0614fbf52ac96c3bc979cdd4b81da1d81f5340efd7f2d4
SHA512 d64eae4e417146b4f119c0df9cbdd1cebb141fd594920961d8e1b075a8c72db8541a0bb51b4e9136fffc7ae451c7e34841576d0e58dc9104c99a7dbbf3a79435

memory/4764-163-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/4764-164-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

memory/876-175-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/4764-176-0x0000000003260000-0x0000000003270000-memory.dmp

C:\Windows\Temp\vpxiis.exe

MD5 1339d9b2e6286b64fadaa6f8fad00091
SHA1 47585a5bd08ecd1f939ebd0c2e74504376855146
SHA256 1555d682a099098621079072db88e6cbd306f92b9ccd4db4ad6485dd6d81fe50
SHA512 572ff0bb039f77748ec36ac39e80e4f18af7364599b450a107345f608eef1587314ca50a82b4c35290107e881916dcbcc444b29692b59b3d73aa3f7f3c3ac570

memory/2256-181-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/876-177-0x00000000006E0000-0x0000000000DEC000-memory.dmp

memory/4724-182-0x00000000009B0000-0x00000000018C4000-memory.dmp

memory/4724-183-0x0000000076930000-0x0000000076A20000-memory.dmp

memory/4724-184-0x0000000076930000-0x0000000076A20000-memory.dmp

memory/4724-185-0x0000000076930000-0x0000000076A20000-memory.dmp

memory/876-186-0x00000000059D0000-0x00000000059E0000-memory.dmp

memory/4764-188-0x0000000003260000-0x0000000003270000-memory.dmp

memory/4764-187-0x0000000003260000-0x0000000003270000-memory.dmp

memory/4724-189-0x0000000077244000-0x0000000077246000-memory.dmp

memory/4724-192-0x00000000009B0000-0x00000000018C4000-memory.dmp

memory/4724-193-0x00000000009B0000-0x00000000018C4000-memory.dmp

memory/2256-195-0x0000000010470000-0x0000000010480000-memory.dmp

memory/4764-196-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/4724-198-0x00000000009B0000-0x00000000018C4000-memory.dmp

memory/4724-199-0x0000000076930000-0x0000000076A20000-memory.dmp

memory/876-200-0x0000000074730000-0x0000000074EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b5f5369274e3bfbc449588bbb57bd383
SHA1 58bb46d57bd70c1c0bcbad619353cbe185f34c3b
SHA256 4190bd2ec2c0c65a2b8b97782cd3ae1d6cead80242f3595f06ebc6648c3e3464
SHA512 04a3816af6c5a335cde99d97019a3f68ade65eba70e4667c4d7dd78f78910481549f1dad23a46ccf9efa2e25c6e7a7c78c592b6ace951e1aab106ba06a10fcd6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6073c7edf13321ba14e9fa0cb516d050
SHA1 873b6cd5c7c224987bf0fbefb3d684cd7b0d0060
SHA256 2f48d85e455aa90eaf6813cdcacb3d483155f1f8b5d07421258b09d4b7989ba5
SHA512 c39a015ff7815bebf24eebdf58410bd63d4f4729c229b4a1d1e31d61f23bf7c485beb83360b90524c9306fef49578b76980c443ded0f7b996995f2693279d768

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 19da0f49d905b576487c775f37e2bab7
SHA1 615f38e7bca9e524eeb5a8b155a9dcd5ebd51eee
SHA256 eb3fdbcc2a522f30928af14d0896f2310df00dfc15160aa80c2aa2946ff8e184
SHA512 57cf1f39083bcf58c879756767f15cf6aaffe938f93e78d640d8da4095a7362b49c0134c3806d39315e90441c948439047b6c33b35cb15c0a2acc338f64ca292

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 63e8173aa5f2be664a9e2b96c0d73027
SHA1 93e078d9897185d7e79ad666b21456279c87f47d
SHA256 35c61a8bde9d74e081dc0a410c1a7f1145ed399437cd05f6f1ae36d314f5fd28
SHA512 a06046310b9f411070bb617af04725148ea9cd219498d25515c073cb1d42bad2477c39942afa6655aa999f27b804854778b0e6f44597696b8fb779b1db37e7b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 29213338df67d29d6454ee5d61ad3970
SHA1 8c69ca76a2e639060d5ce835a9600e6ea3764a83
SHA256 d29fc0d97fa74d382d0f557ecea4e42b7d50dbce43915bfc0c114c16e532aa51
SHA512 14db25eba8a863d390b97fce4315402ed7c249598ff6c31d5a191b0f71c274eead42ba0658403e744110de072e6ff1cac3bccee1e48875bde6b1fe39a60d2407

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 5e24ea2883b1203bc670337568007e83
SHA1 4254f3cb556e228237e09b49c667992103a53067
SHA256 59a20340bc9a4fabc3bf980c06730c8d7c0213f0cbd2517f9c6352fd53caed7a
SHA512 2d9f214e7d948c01937978388b87f93128d88f94399b361470030a34a7677bd3c66468e50ff351a3b1da73e2cad36226701ce69049c894d4fabcec5156fbe0f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 afbac8db8576635858c3faca6d65ebc0
SHA1 fcd56acc260063187c3e3f095eac66ab628d1ac7
SHA256 038f9348ae55ee613f450a2e1f5c39c44c0a160db3053c4dfa1d81d285acafe9
SHA512 c504b39b9feb15cb249fbce9e52055b47999a87d542a2b0c5cc8ac9a43a2fd0d2a7517f6f6a6e1621f0ca3fefd5f86995e1145efde28a8327c145e42195c76e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 162883770ef220b0b350e7b73303408a
SHA1 6032860f359ce4b608a7dbe0a81c9e2c3f42a554
SHA256 6e8f3618b386ace91c948e9b33bca9719584adf3ce03bb2629ca5107be8b6d68
SHA512 c85556b7b52b2b7f669020e3011adcf83dd50a8739afee99214efb637ba442aefe364b2820c2f70513873312bdb5cbcf493de632e81d7dc162a58be7c10dde9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588eed.TMP

MD5 268610d7299d9a550fb45f0d0aa71822
SHA1 cdb63502f9c902833469b153510534d335214a97
SHA256 06638f5c7b574a14539c4ace50fb42edd5e1e6cb9c6b41a85d99fdd38566d087
SHA512 59e92b92927aebce70c385dd27fb1f5886a24d2ed97b3e9c9c24ee5ae338e934965551d0e8f4fcb9b515378eaa74eadb81b45cf736b22ea6d1d9e263573f20d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8ed8c64f319d5fd123a41784d8391e54
SHA1 11d1f60184af1ce66ef989ed3b436f793c4bff19
SHA256 cd31eb28ecacf807072d8319c9613005a2ee4ab724a3c0cb40b27962a879d03c
SHA512 e6c760b3269aa2566d6eafbde251fe2e995536a243db83153817a37688c471dc2bcb92953f8c55b216694305359ef1d56a1b35bbecb3f49f9a75d834e22506b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 690a0b117dce52f24c9748368f2627a6
SHA1 53d5eef83faf9321cab98f2b55e55af2cd7c59c2
SHA256 8934c4f89565e4ef55c13898fbcd261b0253c428d64385fe390c381eb341b3a2
SHA512 063df50fcd2fbb176564da70cfa9f773d5386ea787bda235ccbc31eed99bf76c181a44a6e2ad9f52f5caa25ff23a3db7305ee8179a6c5505dea05871816f5011

C:\Users\Admin\Downloads\Hype_RegeditNoRec.rar

MD5 5132a7af28488bb50504dc7a31ef52af
SHA1 edb5c28a8fe7223318f9594a0b0acf60219d2798
SHA256 67d51245f00911de82fa3c3d63c8dffc686c1117dcced7cf245cb5fc8609a7ae
SHA512 28c25524c9c5704a789e080dd6dff8b8e894d96416925fda17d9e40711338d3b4b48ebc8430d8eea03fed83d439856f64a0170e209b7b21f7ce915387f217e69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f90dac70d23f0ec1b7d5a6b891e3699b
SHA1 7e32dba63d0f9c524fcb82b1718b53df7b4c40fa
SHA256 3d8692fcfdbfeba8ccaa51306436e57a7713be8446e9d53eea5a84e78e5d6c35
SHA512 071aac7eaf06b35c73493551b6e1bfe59de3aa0500fad9121bee0d663537f1b7b20942621b8d85f0d71877fc2030e6b601935d7173bb49bfe361af42899a2247

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 1ea67e9a0503275657dc2dd270fc6f21
SHA1 d112f56991ff071e8ea9b1c811eb53d5ae667e1c
SHA256 034c7708df50ca31ff513ec15aae147e7b5f5dee86a690476098107062d7dfcf
SHA512 24851aa051ae3485f1e72633c0dccf8374eaba6b4040ba89f0f1e52cbd79d5e8e28fcc10e73115a944eae2c9fc5f9c6952906de1fad93825ccff4a40b2840cde

C:\Users\Admin\Downloads\Hype_RegeditNoRec\Hype Regedit.exe

MD5 da1cdcc5ab856cca418521fbc589afba
SHA1 0f76841091b15367b0252de66d6d2b5ca3302c0e
SHA256 03352db4ea4b1c233237b5124f6b3f0c70c35975057e226469a8d8e0751e5e1e
SHA512 d211d7188dd6f3b1d57aa79fb79ac1076bfbf306b0bf8500d222b66ab3c24acc76b6cc84df16fd7b2d85c6ac65a90494dd232c6f928c567a313b305184de272b

memory/4812-628-0x0000000074730000-0x0000000074EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 aae1da2c084faba043cdc73afc8e12ad
SHA1 13723363266006b58ccc45935608d03f59b62cca
SHA256 d406667e03832d0ce084ca1eacb443d73886e2005cc6ada5612d376980d36342
SHA512 f0225936b4758385a23b3a78f8e5b033a8b5ce93d21cf5142bd604f8cb7b79b5f4d5db62e4aa7b5458aaa80f8631f7a38bf04f680304edf801d12d785d448fbf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 db2d2a0e5c85a851d4952cd9806bdebd
SHA1 c999abd2877f430fd077a1d415f9f8b473463878
SHA256 d25fc4b5ad1d153407ee15c4a85629317e733ce9e5c764989b8957f10e398a45
SHA512 9fbff3b66d2f2def929323ec6aed6feb2abecb5fe788c169b6283bcdbb3272217dc8a21cdddeb2e1c5982f759058fd007d60edecf318da857864f10f252830a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a0bd233ccf559d8f0abd2bd776e9bf4e
SHA1 dd6de0090654377ba6ecc4e75f27264833c1d1c4
SHA256 d225955981fdfbab7ce145c738228c953ab48bdacd1230b134df2fbac511a771
SHA512 951efc0e70f479185cf01621c6050997504fbface83764550e96d19ae544bea47df5dd4656c49a4b8cbde6e9d4a5d2587ae3692cb61286c1b9bd71cea7d64b57

memory/4812-772-0x0000000010290000-0x00000000102A0000-memory.dmp

memory/4812-773-0x0000000074730000-0x0000000074EE0000-memory.dmp

C:\Windows\Temp\DotNetZip.dll

MD5 11bbdf80d756b3a877af483195c60619
SHA1 99aca4f325d559487abc51b0d2ebd4dca62c9462
SHA256 698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
SHA512 ad9c16481f95c0e7cf5158d4e921ca7534f580310270fa476e9ebd15d37eee2ab43e11c12d08846eae153f0b43fba89590d60ca00551f5096076d3cf6aa4ce29

C:\Windows\Temp\Guna.UI2.dll

MD5 f217e8054b7dbbcbd4ab10baf4750588
SHA1 b1c3089e6b895e6415c36beb82516746e19d2b55
SHA256 6a542d4e68417d91d0a21f9e5b85449959325b29e2410c3ef1df7526dd091194
SHA512 ba778f3c3819364954b6681bbdb87cf9ca2c34d8b0e6e76df665a2d93a94c9b421893a977960d24a908bc9b7209749fee65c930ef0776a0195265193846fe56e

memory/4812-776-0x0000000010290000-0x00000000102A0000-memory.dmp

memory/4812-777-0x0000000010290000-0x00000000102A0000-memory.dmp

memory/4812-778-0x0000000010290000-0x00000000102A0000-memory.dmp
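
An IOC extractor for the Files listing above, added here as an example; it is not part of the report and not code from the sandbox vendor. It assumes the two entry shapes this section uses: a memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp line, or a file path followed by its MD5/SHA1/SHA256/SHA512 lines. The embedded excerpt is copied from this section (SHA512 lines left out for brevity). It collapses the repeated entries for the dropped binaries under C:\Windows\Temp into one record per SHA256, matches a computed hash set against them, and sorts the memory-dump ranges so that a range dumped from several processes (very likely a shared module mapping, a heuristic rather than something the report states) is separated from the large ranges private to one process, which are the usual place to look for an unpacked payload.

```python
"""IOC extraction from a sandbox 'Files' listing.

Added example for this report; not code from the report or the sandbox vendor.
Assumes the two entry shapes seen in the listing: 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp',
or a path followed by MD5/SHA1/SHA256/SHA512 lines. Treating an address range that
recurs across PIDs as a shared module mapping is a heuristic, not a fact from the report.
"""
import hashlib
import re
from collections import defaultdict

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")

# Constructed subset of the report's Files section (SHA512 lines left out for brevity).
FILES_EXCERPT = r"""
memory/2256-133-0x0000000074730000-0x0000000074EE0000-memory.dmp
memory/2256-134-0x0000000000BC0000-0x0000000001BC0000-memory.dmp

C:\Windows\Temp\pnl.exe
MD5 48ef0378eb7d125c37a825e1727bf9c6
SHA1 beab162b64248eac8e070c23b706f6059ce5dcfa
SHA256 77afabdae4961cc055becf7ca7e696a62d32b02c8daa4fde81d0a2dc2b937aa7

C:\Windows\Temp\pnl.exe
MD5 48ef0378eb7d125c37a825e1727bf9c6
SHA1 beab162b64248eac8e070c23b706f6059ce5dcfa
SHA256 77afabdae4961cc055becf7ca7e696a62d32b02c8daa4fde81d0a2dc2b937aa7

C:\Windows\Temp\dowb.exe
MD5 d4c5a6b52a0360dd4c17ad9d32484477
SHA1 6f0a77dfac1ee96c696f19a3a041fd74b7cf7e24
SHA256 ea8ff91c2c4701ba0a0614fbf52ac96c3bc979cdd4b81da1d81f5340efd7f2d4

memory/4764-163-0x0000000074730000-0x0000000074EE0000-memory.dmp
memory/4812-628-0x0000000074730000-0x0000000074EE0000-memory.dmp
"""


def parse_files(text):
    """Return (files, regions): files are {path, md5, sha1, ...}; regions are (pid, n, start, end)."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, n, start, end = m.groups()
            regions.append((int(pid), int(n), int(start, 16), int(end, 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            current[h.group(1).lower()] = h.group(2)
            continue
        current = {"path": line}  # any other non-blank line starts a new file entry
        files.append(current)
    return files, regions


def dedupe(files):
    """One record per SHA256, with every path it was written to and how often it recurred."""
    iocs = {}
    for f in files:
        key = f.get("sha256")
        if key is None:
            continue  # a path with no hash lines gives nothing to match on
        rec = iocs.setdefault(key, {"md5": f.get("md5"), "sha1": f.get("sha1"), "paths": set(), "count": 0})
        rec["paths"].add(f["path"])
        rec["count"] += 1
    return iocs


def shared_ranges(regions):
    """(start, end) -> set of pids the range was dumped from."""
    seen = defaultdict(set)
    for pid, _n, start, end in regions:
        seen[(start, end)].add(pid)
    return dict(seen)


def unique_regions(regions):
    """Ranges dumped from a single pid, largest first: candidates for an unpacked payload."""
    shared = shared_ranges(regions)
    uniq = {(pid, s, e) for pid, _n, s, e in regions if len(shared[(s, e)]) == 1}
    return sorted(((pid, s, e, e - s) for pid, s, e in uniq), key=lambda r: -r[3])


def hash_bytes(data):
    """MD5/SHA1/SHA256 of a file's contents, in the same hex form the listing uses."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match(hashes, iocs):
    """Look a hash set up in the IOC table; SHA256 first, MD5/SHA1 only if that is all you have."""
    rec = iocs.get(hashes.get("sha256", ""))
    if rec:
        return rec
    for rec in iocs.values():
        if hashes.get("md5") and rec["md5"] == hashes["md5"]:
            return rec
        if hashes.get("sha1") and rec["sha1"] == hashes["sha1"]:
            return rec
    return None


if __name__ == "__main__":
    files, regions = parse_files(FILES_EXCERPT)
    for sha256, rec in dedupe(files).items():
        print(sha256, rec["count"], sorted(rec["paths"]))
    for pid, s, e, size in unique_regions(regions):
        print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({size // 1024} KiB) private to this pid")
```

Feed hash_bytes the contents of a file pulled from a host (for example each executable under C:\Windows\Temp) and pass the result to match; a hit on SHA256 is conclusive, while an MD5- or SHA1-only hit should be confirmed against the SHA256 before anyone acts on it. Run over the full listing, the 0x74730000-0x74EE0000 range shows up in every process dumped, which is why the per-pid split is worth doing before spending time on any individual dump.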