Status: Clean

Analysis

Category: FILE
Package: exe
Started: 2025-12-09 15:40:59
Completed: 2025-12-09 15:43:27
Duration: 148 seconds
Options: vnc_port=5900
MalScore: 1.0

Analysis log:
2025-12-06 18:57:52,806 [root] INFO: Date set to: 20251209T07:37:12, timeout set to: 180
2025-12-09 07:37:12,010 [root] DEBUG: Starting analyzer from: C:\tmp7h0mcxom
2025-12-09 07:37:12,010 [root] DEBUG: Storing results at: C:\EojiTF
2025-12-09 07:37:12,010 [root] DEBUG: Pipe server name: \\.\PIPE\wiKGUPrQIV
2025-12-09 07:37:12,010 [root] DEBUG: Python path: C:\Python38
2025-12-09 07:37:12,010 [root] INFO: analysis running as an admin
2025-12-09 07:37:12,010 [root] INFO: analysis package specified: "exe"
2025-12-09 07:37:12,010 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-12-09 07:37:12,040 [root] DEBUG: imported analysis package "exe"
2025-12-09 07:37:12,040 [root] DEBUG: initializing analysis package "exe"...
2025-12-09 07:37:12,040 [lib.common.common] INFO: wrapping
2025-12-09 07:37:12,040 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:37:12,056 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\notepad.exe
2025-12-09 07:37:12,056 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-12-09 07:37:12,056 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-12-09 07:37:12,056 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-12-09 07:37:12,056 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-12-09 07:37:12,119 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-09 07:37:12,135 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-09 07:37:12,150 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-09 07:37:12,150 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-09 07:37:12,150 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-09 07:37:12,150 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-09 07:37:12,166 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-09 07:37:12,166 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-09 07:37:12,166 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-09 07:37:12,166 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-12-09 07:37:12,166 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-09 07:37:12,166 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-09 07:37:12,166 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-09 07:37:12,166 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-09 07:37:12,166 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-09 07:37:12,166 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-09 07:37:12,166 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-09 07:37:12,166 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-09 07:37:12,181 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-09 07:37:12,181 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-09 07:37:12,181 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-09 07:37:12,181 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-09 07:37:12,181 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-09 07:37:12,181 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-09 07:37:12,181 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-09 07:37:12,181 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-09 07:37:12,181 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-09 07:37:12,181 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-09 07:37:12,181 [modules.auxiliary.disguise] INFO: Disguising GUID to 311c8d13-642d-47db-bbe3-eb3ba3bf3458
2025-12-09 07:37:12,181 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-09 07:37:12,181 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-09 07:37:12,181 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-09 07:37:12,181 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-09 07:37:12,181 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-09 07:37:12,197 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-09 07:37:12,197 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-09 07:37:12,197 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-09 07:37:12,197 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-09 07:37:12,197 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-09 07:37:12,197 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-09 07:37:12,197 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-09 07:37:12,197 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-09 07:37:12,197 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-09 07:37:12,197 [root] DEBUG: attempting to configure 'Human' from data
2025-12-09 07:37:12,197 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-09 07:37:12,197 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-09 07:37:12,213 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-09 07:37:12,213 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-09 07:37:12,213 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-09 07:37:12,213 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-09 07:37:12,213 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-09 07:37:12,213 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-09 07:37:12,213 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-09 07:37:12,213 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-09 07:37:12,213 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-09 07:37:12,213 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-09 07:37:12,213 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-12-09 07:37:12,213 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-09 07:37:12,213 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-09 07:37:12,213 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-09 07:37:12,213 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-09 07:37:12,213 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-09 07:37:12,400 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-09 07:37:12,525 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-09 07:37:12,572 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-09 07:37:12,572 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-09 07:37:12,572 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-09 07:37:12,572 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-09 07:37:12,572 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-09 07:37:12,572 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 720
2025-12-09 07:37:12,572 [lib.api.process] INFO: Monitor config for <Process 720 lsass.exe>: C:\tmp7h0mcxom\dll\720.ini
2025-12-09 07:37:12,603 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-09 07:37:12,697 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-09 07:37:12,728 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-09 07:37:12,838 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-09 07:37:12,900 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-09 07:37:12,931 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-09 07:37:13,025 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-09 07:37:13,041 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-09 07:37:13,103 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-09 07:37:13,150 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-09 07:37:13,150 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-09 07:37:13,230 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-09 07:37:13,308 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-09 07:37:13,370 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-09 07:37:13,386 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-09 07:37:13,433 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-09 07:37:13,433 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-09 07:37:13,480 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-09 07:37:13,495 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-09 07:37:13,511 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-09 07:37:13,574 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-09 07:37:13,590 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-09 07:37:13,590 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp7h0mcxom\dll\JlbyYtQh.dll, loader C:\tmp7h0mcxom\bin\oCgymihO.exe
2025-12-09 07:37:13,684 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-09 07:37:13,731 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-09 07:37:13,747 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-09 07:37:13,777 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-09 07:37:13,809 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-09 07:37:13,856 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-09 07:37:13,887 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-09 07:37:13,902 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-09 07:37:13,934 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:37:13,965 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:37:13,997 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-09 07:37:14,043 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-09 07:37:14,059 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-09 07:37:14,090 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-09 07:37:14,122 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-09 07:37:14,152 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-09 07:37:14,184 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-09 07:37:14,199 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-09 07:37:14,231 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-09 07:37:14,262 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-09 07:37:14,293 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-09 07:37:14,324 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-09 07:37:14,372 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-09 07:37:14,402 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-09 07:37:14,449 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-09 07:37:14,481 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-09 07:37:14,512 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-09 07:37:14,574 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-09 07:37:14,590 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-09 07:37:14,622 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-09 07:37:14,652 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-09 07:37:14,684 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-09 07:37:14,715 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-09 07:37:14,731 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-09 07:37:14,762 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-09 07:37:14,793 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-09 07:37:14,824 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-09 07:37:14,856 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-09 07:37:14,872 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-09 07:37:14,902 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-09 07:37:14,934 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-09 07:37:37,625 [root] DEBUG: Loader: Injecting process 720 with C:\tmp7h0mcxom\dll\JlbyYtQh.dll.
2025-12-09 07:38:01,679 [root] DEBUG: 720: Python path set to 'C:\Python38'.
2025-12-09 07:38:01,679 [root] INFO: Disabling sleep skipping.
2025-12-09 07:38:01,679 [root] DEBUG: 720: TLS secret dump mode enabled.
2025-12-09 07:38:01,679 [root] DEBUG: 720: GetAddressByYara: ModuleBase 0x00007FF8E5730000 FunctionName RtlInsertInvertedFunctionTable
2025-12-09 07:38:01,679 [root] DEBUG: 720: RtlInsertInvertedFunctionTable 0x00007FF8E575BBFA, LdrpInvertedFunctionTableSRWLock 0x00007FF8E58B70F0
2025-12-09 07:38:01,679 [root] DEBUG: 720: Monitor initialised: 64-bit capemon loaded in process 720 at 0x00007FF8B7600000, thread 920, image base 0x00007FF6E3C60000, stack from 0x000000DE97B74000-0x000000DE97B80000
2025-12-09 07:38:01,679 [root] DEBUG: 720: Commandline: C:\Windows\system32\lsass.exe
2025-12-09 07:38:01,679 [root] DEBUG: 720: Hooked 5 out of 5 functions
2025-12-09 07:38:01,679 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-09 07:38:01,679 [root] DEBUG: Successfully injected DLL C:\tmp7h0mcxom\dll\JlbyYtQh.dll.
2025-12-09 07:38:01,695 [lib.api.process] INFO: Injected into 64-bit <Process 720 lsass.exe>
2025-12-09 07:38:01,695 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-09 07:38:01,695 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-09 07:38:01,695 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-09 07:38:01,695 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-09 07:38:01,695 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-09 07:38:01,695 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-09 07:38:01,695 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-09 07:38:01,695 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-09 07:38:01,695 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-09 07:38:01,695 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-09 07:38:01,695 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-09 07:38:04,320 [root] INFO: Restarting WMI Service
2025-12-09 07:38:06,382 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-12-09 07:38:06,382 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-12-09 07:38:06,382 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-09 07:38:30,418 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\notepad.exe" with arguments "" with pid 2508
2025-12-09 07:38:30,418 [lib.api.process] INFO: Monitor config for <Process 2508 notepad.exe>: C:\tmp7h0mcxom\dll\2508.ini
2025-12-09 07:38:30,418 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp7h0mcxom\dll\xtCZZNy.dll, loader C:\tmp7h0mcxom\bin\mmWeAtv.exe
2025-12-09 07:38:54,482 [root] DEBUG: Loader: Injecting process 2508 (thread 7128) with C:\tmp7h0mcxom\dll\xtCZZNy.dll.
2025-12-09 07:38:54,482 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-09 07:38:54,482 [root] DEBUG: Successfully injected DLL C:\tmp7h0mcxom\dll\xtCZZNy.dll.
2025-12-09 07:38:54,482 [lib.api.process] INFO: Injected into 32-bit <Process 2508 notepad.exe>
2025-12-09 07:38:56,498 [lib.api.process] INFO: Successfully resumed <Process 2508 notepad.exe>
2025-12-09 07:39:20,564 [root] DEBUG: 2508: Python path set to 'C:\Python38'.
2025-12-09 07:39:20,564 [root] INFO: Disabling sleep skipping.
2025-12-09 07:39:20,564 [root] DEBUG: 2508: Dropped file limit defaulting to 100.
2025-12-09 07:39:20,564 [root] DEBUG: 2508: YaraInit: Compiled 41 rule files
2025-12-09 07:39:20,564 [root] DEBUG: 2508: YaraInit: Compiled rules saved to file C:\tmp7h0mcxom\data\yara\capemon.yac
2025-12-09 07:39:20,579 [root] DEBUG: 2508: YaraScan: Scanning 0x000F0000, size 0x2d426
2025-12-09 07:39:20,579 [root] DEBUG: 2508: AmsiDumper initialised.
2025-12-09 07:39:20,579 [root] DEBUG: 2508: Monitor initialised: 32-bit capemon loaded in process 2508 at 0x710b0000, thread 7128, image base 0xf0000, stack from 0x254f000-0x2560000
2025-12-09 07:39:20,579 [root] DEBUG: 2508: Commandline: "C:\Users\user\AppData\Local\Temp\notepad.exe"
2025-12-09 07:39:20,579 [root] DEBUG: 2508: GetAddressByYara: ModuleBase 0x77AF0000 FunctionName LdrpCallInitRoutine
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: LdrpCallInitRoutine export address 0x77B666A0 obtained via GetFunctionAddress
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: Warning - CreateRemoteThreadEx export address 0x75FC9A4C differs from GetProcAddress -> 0x76FFDDB0 (KERNELBASE.dll::0x11ddb0)
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: Warning - CoCreateInstance export address 0x77890FEB differs from GetProcAddress -> 0x7724FF70 (combase.dll::0xdff70)
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: Warning - CoCreateInstanceEx export address 0x7789102A differs from GetProcAddress -> 0x7729CCF0 (combase.dll::0x12ccf0)
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: Warning - CoGetClassObject export address 0x778915BA differs from GetProcAddress -> 0x77212BD0 (combase.dll::0xa2bd0)
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: Warning - UpdateProcThreadAttribute export address 0x75FD18BA differs from GetProcAddress -> 0x7702BD10 (KERNELBASE.dll::0x14bd10)
2025-12-09 07:39:20,595 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:39:20,595 [root] DEBUG: 2508: set_hooks: Unable to hook GetCommandLineA
2025-12-09 07:39:20,595 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:39:20,595 [root] DEBUG: 2508: set_hooks: Unable to hook GetCommandLineW
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: Warning - CLSIDFromProgID export address 0x77890824 differs from GetProcAddress -> 0x771E54C0 (combase.dll::0x754c0)
2025-12-09 07:39:20,595 [root] DEBUG: 2508: hook_api: Warning - CLSIDFromProgIDEx export address 0x77890861 differs from GetProcAddress -> 0x771DFF40 (combase.dll::0x6ff40)
2025-12-09 07:39:20,595 [root] DEBUG: 2508: Hooked 611 out of 613 functions
2025-12-09 07:39:20,595 [root] DEBUG: 2508: Syscall hook installed, syscall logging level 1
2025-12-09 07:39:20,595 [root] DEBUG: 2508: WoW64fix: Windows version 10.0 not supported.
2025-12-09 07:39:20,595 [root] INFO: Loaded monitor into process with pid 2508
2025-12-09 07:39:20,595 [root] DEBUG: 2508: InstrumentationCallback: Added region at 0x75F30000 to tracked regions list (thread 7128).
2025-12-09 07:39:20,611 [root] DEBUG: 2508: caller_dispatch: Added region at 0x000F0000 to tracked regions list (ntdll::memcpy returns to 0x0011166E, thread 7128).
2025-12-09 07:39:20,611 [root] DEBUG: 2508: YaraScan: Scanning 0x000F0000, size 0x2d426
2025-12-09 07:39:20,611 [root] DEBUG: 2508: ProcessImageBase: Main module image at 0x000F0000 unmodified (entropy change 0.000000e+00)
2025-12-09 07:39:20,611 [root] DEBUG: 2508: DLL loaded at 0x77560000: C:\Windows\System32\bcryptPrimitives (0x62000 bytes).
2025-12-09 07:39:20,611 [root] DEBUG: 2508: set_hooks_by_export_directory: Hooked 0 out of 613 functions
2025-12-09 07:39:20,611 [root] DEBUG: 2508: DLL loaded at 0x755C0000: C:\Windows\SYSTEM32\kernel.appcore (0x13000 bytes).
2025-12-09 07:39:20,611 [root] DEBUG: 2508: DLL loaded at 0x753D0000: C:\Windows\system32\uxtheme (0x7f000 bytes).
2025-12-09 07:39:20,626 [root] DEBUG: 2508: DLL loaded at 0x76E50000: C:\Windows\System32\clbcatq (0x82000 bytes).
2025-12-09 07:39:20,626 [root] DEBUG: 2508: DLL loaded at 0x70FD0000: C:\Windows\System32\MrmCoreR (0xdb000 bytes).
2025-12-09 07:39:20,641 [root] DEBUG: 2508: NtTerminateProcess hook: Attempting to dump process 2508
2025-12-09 07:39:20,641 [root] DEBUG: 2508: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-09 07:39:20,657 [root] INFO: Process with pid 2508 has terminated
2025-12-09 07:39:25,802 [root] INFO: Process list is empty, terminating analysis
2025-12-09 07:39:26,817 [root] INFO: Created shutdown mutex
2025-12-09 07:39:27,833 [root] INFO: Shutting down package
2025-12-09 07:39:27,833 [root] INFO: Stopping auxiliary modules
2025-12-09 07:39:27,833 [root] INFO: Stopping auxiliary module: Browser
2025-12-09 07:39:27,833 [root] INFO: Stopping auxiliary module: Curtain
2025-12-09 07:39:27,880 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765294767.880699.curtain.log; Size is 36; Max size: 100000000
2025-12-09 07:39:27,880 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-09 07:39:27,880 [root] INFO: Stopping auxiliary module: Evtx
2025-12-09 07:39:27,880 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-09 07:39:27,880 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump
2025-12-09 07:39:27,880 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump
2025-12-09 07:39:27,880 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump
2025-12-09 07:39:27,896 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump
2025-12-09 07:39:27,896 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\OAlerts.evtx to zip dump
2025-12-09 07:39:27,896 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump
2025-12-09 07:39:27,911 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump
2025-12-09 07:39:27,927 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump
2025-12-09 07:39:27,927 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump
2025-12-09 07:39:27,958 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2025-12-09 07:39:27,958 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 348305; Max size: 100000000
2025-12-09 07:39:27,958 [root] INFO: Stopping auxiliary module: Human
2025-12-09 07:39:31,178 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-09 07:39:31,178 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-09 07:39:31,178 [root] INFO: Stopping auxiliary module: Usage
2025-12-09 07:39:32,164 [root] INFO: Stopping auxiliary module: During_script
2025-12-09 07:39:32,164 [root] INFO: Finishing auxiliary modules
2025-12-09 07:39:32,164 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-09 07:39:32,164 [root] WARNING: Folder at path "C:\EojiTF\debugger" does not exist, skipping
2025-12-09 07:39:32,164 [root] WARNING: Folder at path "C:\EojiTF\tlsdump" does not exist, skipping
2025-12-09 07:39:32,164 [root] INFO: Analysis completed
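The log above is the only record of how much of the sandbox's instrumentation was actually active during this run, and it shows several gaps: PIL was missing so screenshots were disabled, the Sysmon auxiliary module could not start (no SMaster binary or config in the bin path), two of 613 hooks were not placed in the notepad.exe process, WoW64fix reported the Windows version as unsupported, and neither the debugger nor the tlsdump result folder existed at shutdown, so no TLS secrets were captured from lsass.exe. A "Clean" verdict produced by a degraded run is weaker evidence than one from a fully instrumented run. The parser below is an added example, not part of CAPE; it pulls those coverage facts out of analyzer log lines. The embedded sample is excerpted verbatim from the log above, the regular expressions and the Coverage field names are this example's own, and the gap wording is an assumption about what a triage analyst wants to see.

```python
import re
from dataclasses import dataclass, field

# Lines excerpted verbatim from the analyzer log above; only the ones that
# bear on instrumentation coverage are kept.
SAMPLE_LOG = r"""
2025-12-09 07:37:12,213 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-12-09 07:37:12,572 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-09 07:37:13,433 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-09 07:37:13,934 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-09 07:38:01,679 [root] DEBUG: 720: Hooked 5 out of 5 functions
2025-12-09 07:38:01,695 [lib.api.process] INFO: Injected into 64-bit <Process 720 lsass.exe>
2025-12-09 07:38:54,482 [lib.api.process] INFO: Injected into 32-bit <Process 2508 notepad.exe>
2025-12-09 07:39:20,595 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-09 07:39:20,595 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-09 07:39:20,595 [root] DEBUG: 2508: Hooked 611 out of 613 functions
2025-12-09 07:39:20,595 [root] DEBUG: 2508: WoW64fix: Windows version 10.0 not supported.
2025-12-09 07:39:32,164 [root] WARNING: Folder at path "C:\EojiTF\debugger" does not exist, skipping
2025-12-09 07:39:32,164 [root] WARNING: Folder at path "C:\EojiTF\tlsdump" does not exist, skipping
2025-12-09 07:39:32,164 [root] INFO: Analysis completed
"""

# Regexes written for this example against the line shapes seen above.
LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] ([A-Z]+): (.*)$")
HOOK_RE = re.compile(r"^(\d+): Hooked (\d+) out of (\d+) functions$")
INJECT_RE = re.compile(r"^Injected into (\d+)-bit <Process (\d+) ([^>]+)>$")
AUDIT_RE = re.compile(r'auditpol /set /subcategory:"([^"]+)" /success:(\w+) /failure:(\w+)')
FAIL_RE = re.compile(r"^Cannot execute auxiliary module ([^\s:]+):")
MISSING_RE = re.compile(r'^Folder at path "([^"]+)" does not exist')
UNHOOKED_RE = re.compile(r"Unable to place hook on (\w+)")
WOW64_RE = re.compile(r"^(\d+): WoW64fix: (.*)$")


@dataclass
class Coverage:
    injected: dict = field(default_factory=dict)         # pid -> "image (bits)"
    hooks: dict = field(default_factory=dict)            # pid -> (hooked, total)
    unhooked: list = field(default_factory=list)         # APIs the monitor could not hook
    failed_modules: list = field(default_factory=list)   # aux modules that never started
    missing_outputs: list = field(default_factory=list)  # result folders never created
    audit: dict = field(default_factory=dict)            # subcategory -> (success, failure)
    wow64_notes: dict = field(default_factory=dict)      # pid -> WoW64fix message
    screenshots: bool = True
    completed: bool = False


def parse_log(text: str) -> Coverage:
    """Walk analyzer log lines and record what instrumentation actually ran."""
    cov = Coverage()
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        level, msg = m.group(3), m.group(4)
        if h := HOOK_RE.match(msg):
            cov.hooks[int(h[1])] = (int(h[2]), int(h[3]))
        elif i := INJECT_RE.match(msg):
            cov.injected[int(i[2])] = f"{i[3]} ({i[1]}-bit)"
        elif a := AUDIT_RE.search(msg):
            cov.audit[a[1]] = (a[2], a[3])
        elif f := FAIL_RE.match(msg):
            cov.failed_modules.append(f[1])
        elif d := MISSING_RE.match(msg):
            cov.missing_outputs.append(d[1])
        elif u := UNHOOKED_RE.search(msg):
            cov.unhooked.append(u[1])
        elif w := WOW64_RE.match(msg):
            cov.wow64_notes[int(w[1])] = w[2]
        elif "screenshots are disabled" in msg:
            cov.screenshots = False
        elif level == "INFO" and msg == "Analysis completed":
            cov.completed = True
    return cov


def coverage_gaps(cov: Coverage) -> list:
    """Reasons, in log order, to give the run's verdict less weight."""
    gaps = []
    if not cov.completed:
        gaps.append("analysis did not reach 'Analysis completed'")
    for mod in cov.failed_modules:
        gaps.append(f"auxiliary module {mod} never ran")
    if not cov.screenshots:
        gaps.append("screenshots disabled (no visual record of the run)")
    for path in cov.missing_outputs:
        gaps.append(f"no output produced at {path}")
    for pid, (done, total) in cov.hooks.items():
        if done < total:
            gaps.append(f"pid {pid}: {total - done} of {total} hooks not placed ({', '.join(cov.unhooked)})")
    for pid, note in cov.wow64_notes.items():
        gaps.append(f"pid {pid}: WoW64 fix-up unavailable ({note})")
    off = [sub for sub, (s, f) in cov.audit.items() if s == f == "disable"]
    if off:
        gaps.append(f"audit subcategories fully disabled: {', '.join(off)}")
    return gaps


if __name__ == "__main__":
    for gap in coverage_gaps(parse_log(SAMPLE_LOG)):
        print("-", gap)
```

Run it over a full analyzer log (the text of the Analysis section, not just the excerpt) and treat a non-empty gap list as a reason to re-run with the missing components installed before accepting a low MalScore as meaningful.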


Machine

Name: win11-64bit-tiny-1
Label: win11-64bit-tiny-1
Manager: KVM
Started On: 2025-12-09 15:40:59
Shutdown On: 2025-12-09 15:43:26
Route: inetsim

File Details

File Name: notepad.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 165888 bytes
MD5: e92d3a824a0578a50d2dd81b5060145f
SHA1: 50ef7c645fd5cbb95d50fbaddf6213800f9296ec
SHA256: 87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661
SHA3-384: 31aad8c54d7e63d90640580e4977a42ed52ce96794ae581e7ad2d10b803f892df560979bf2d00be9111fcda9d1119a93
CRC32: 2436CD95
TLSH: T177F36C23E6C050B2F9BB243806B97FAEA579DC300B1124DB66904D38DD257D29D3EB5B
Ssdeep: 3072:GLLvkpY5SnMwbv5RkorwMLuflibzL/cNArhCAEf7ngKpIcXNokJrzOxEPcZA8TJa:E6USNVRkIHXO7RN/1y6PcOwej/Hv
Strings

FailFast
NtQuerySystemInformation
SSh.Q@
GetModuleFileNameA
uZSW3
EncodingSelection
Vj7j8h
SetThreadpoolTimer
RegDeleteKeyExW
EndDialog
version="5.1.0.0"
4$4*40464@4K4Q4W4]4c4v4
S~=5p
?H?S?u?
3%3M3U3i3
api-ms-win-crt-string-l1-1-0.dll
516p6
D$4Ph
;1;f;
QSVW3
GlobalCollection
SleepConditionVariableCS
ShellExecuteW
464G4e4s4
Segoe UI
\Notepad
GetACP
sQPI[5T
LocalUnlock
SetAbortProc
E(SVW
CloseClipboard
GetCurrentThreadId
353N3D4K4R4Z4t4
OriginalFilename
RegSetValueExW
Ly^X`
@h L@
RaiseFailFastException
u9SSS
.CRT$XIZ
=#=k=
CoWaitForMultipleHandles
ADVAPI32.dll
EndDoc
Microsoft JhengHei UI
SHELL32.dll
D$DPj
2:2@2R2
WSh@`@
=9=@=F=l=
GlobalAcc
: :&:9:L:S:n:u:{:
WWPRWQ
Leelawadee UI Semilight
fSaveWindowPositions
:2:@:N:`:i:{:
FindFirstFileW
: ;+;9;V;c;
Pj XP
_register_thread_local_exe_atexit_callback
xv#?H
GetMessageW
5S5m5
8!8/848A8Q8V8c8r8x8
MICROSOFTEDPENLIGHTENEDAPPINFO
DebugBreak
HeapFree
<assemblyIdentity
api-ms-win-core-synch-l1-2-0.dll
FoldStringW
414L4[4u4
5K5_5f5
Leelawadee UI Bold
_o__cexit
ReadFile
EnableMenuItem
WINSPOOL.DRV
},YOP
IsTextUnicode
SHCreateItemFromParsingName
^Wh`M@
DispatchMessageW
y=Wh<L@
<)=4=Z=
SaveComplete
.rdata$zETW2
CloseThreadpoolTimer
? ?=?
RtlSubscribeWnfStateChangeNotification
<%<+<9<?<F<R<Z<`<h<u<
.CRT$XCA
api-ms-win-core-winrt-string-l1-1-0.dll
tGVVVW
ReleaseSemaphore
Unknown
GetWindowTextW
0PPVhD%@
RtlRegisterFeatureConfigurationChangeNotification
api-ms-win-core-sysinfo-l1-1-0.dll
</trustInfo>
lfStrikeOut
40444D4H4P4h4x4|4
%hs(%u)\%hs!%p:
?!?(?J?n?
Assert
849H9R9
020B0G0V0_0e0v0
NPCTXT
memset
CreateFontIndirectW
0I0e0
SVWj7j8
imageName
1#101I1h1p1
j@Sh0YB
;5xYB
GetTickCount
=0=7=B=I=p=w=
2=3D3W3^3q3x3
StringFileInfo
PropVariantToStringVectorAlloc
PSSSSSS
="=(=.=4=:=z=
ReplaceTextW
wcsnlen
timestamp
imageSize
.CRT$XCU
Sh<L@
RegisterWindowMessageW
api-ms-win-core-errorhandling-l1-1-0.dll
GetCurrentProcessId
GetForegroundWindow
.?AVexception@std@@
3[4a4j4
Software\Microsoft\Notepad\DefaultFonts
processorArchitecture="*"
UnhandledExceptionFilter
3$3I3P3j3p3
8*8?8_8n8w8
RtlDllShutdownInProgress
L$|_^[3
>'>>>K>Y>g>
.?AVbad_array_new_length@std@@
<"<,<7<G<T<Y<c<l<r<
FreeLibrary
>W?v?|?
=4=8=l=
5"6:6@6b6z6
https://go.microsoft.com/fwlink/?LinkId=834783
LoadCursorW
2(2C2P2Y2b2k2t2}2
bad allocation
gxI3!'
8"8.84898F8Z8
SVWj\3
DefWindowProcW
lfFaceName
AbortDoc
lfWeight
COMCTL32.dll
HeapAlloc
Microsoft Corporation. All rights reserved.
Y__^[
version="6.0.0.0"
_o_free
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
RtlQueryFeatureConfiguration
ew0hp
3.343=3M3S3Y3_3p3
=N>U>
Notepad
RoGetActivationFactory
commdlg_FindReplace
LoadIconW
FAIL/Error
%hs!%p:
f4Og|
?%?3?9?G?M?[?a?o?x?
<'<-<`<
EDPPERMISSIVEAPPINFOID
iWindowPosY
api-ms-win-core-processthreads-l1-1-1.dll
w9X!P/
_o_terminate
GetProcessMitigationPolicy
0 1q1
memmove
2s2|2
DuplicateEncryptionInfoFile
RoGetMatchingRestrictedErrorInfo
.text$mn
5"5S5o5y5
%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X
_CxxThrowException
t(PPh
DragAcceptFiles
VG2/iI
4-5<5P5V5
6(7:7i7
263=3S3Z3s3
9%9?9K9X9
RestartByRestartManager:
/.SETUP
FileSaveAsCount
__CxxFrameHandler3
VarFileInfo
$>b~t
InitializeCriticalSectionAndSpinCount
?-?I?_?w?
Security-SPP-GenuineLocalStatus
LegalCopyright
FileOpenComplete
_c_exit
<ws2:dpiAwareness>PerMonitorV2</ws2:dpiAwareness>
273F3[3a3g3
2 222?2H2V2z2
6,626@6_6
5O5U5
_o__exit
SelectObject
8A8]8k8
<application xmlns="urn:schemas-microsoft-com:asm.v3">
GetKeyboardLayout
MapViewOfFile
api-ms-win-core-libraryloader-l1-2-0.dll
SetWindowPos
636:6]6t6z6
1;1P1l1
Msg:[%ws]
MessageBoxW
7I7o7
667<7D7Z7`7f7m7u7
<unknown>
L$4^3
?!?&?2?\?v?
.rsrc
RoInitialize
SetThreadDpiAwarenessContext
<#<8<G<V<a<m<t<{<
SetEndOfFile
ModuleCollection
_o__set_new_mode
Malgun Gothic Semilight
probe.autosave
l6s+o
PeekMessageW
.rdata$zETW1
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3
type="win32"
Wh0CB
6:7H7T7_7o7|7
0(1O1
GetLocalTime
iWindowPosDX
;';/;8;h;
TimeDateInvoked
Yu Gothic UI Semibold
<!<8<><K<Q<X<s<y<
RegCreateKeyW
xIQQj
byjA`
GetSubMenu
urlmon.dll
StartDocW
5#5,5B5K5]5f5{5
y/VhT
lfCharSet
PropVariantClear
api-ms-win-core-processthreads-l1-1-0.dll
COMDLG32.dll
8A9K9X9
4b4i4
CallContext:[%hs]
>&>0>C>V>g>q>
t$<WP
CoCreateGuid
>uU;T>
;2;A;
ResetEvent
7%797g7w7
shell\osshell\accesory\notepad\filesystemhelpers.h
j7j8h
Files/Resources/notepad.exe.mui
SendDlgItemMessageW
CoInitializeEx
.didat$6
fMLE_is_broken
?(?3?K?Q?Z?s?y?
D$$VP
Microsoft JhengHei UI Light
RegisterApplicationRestart
.idata$5
6<6C6W6^6q6x6
.CRT$XIAA
;=|YB
LoadImageW
3 3$3*3.3B3F3Q3a3~3
<dependentAssembly>
0 0(00080h0n0
9!9&90999>9C9J9P9V9[9a9f9m9w9}9
RtlUnregisterFeatureConfigurationChangeNotification
_o_iswdigit
RaiseException
hasQueryText
7B8H8n8
.CRT$XIC
SHAddToRecentDocs
lfUnderline
lfClipPrecision
fMatchCase
fReverse
assertVersion
X[_^]
processorArchitecture="x86"
EventUnregister
SVj`3
_WSWh
SetRestrictedErrorInfo
DeleteFileW
D$HSV
=/=B=Q=v=
SetLastError
<C=J=
OpenClipboard
z?801i:It6
;58NB
DragQueryFileW
1:1T1y1
%i,%s
FileVersion
<"<4<><
InitializeSListHead
7*<1<X<_<
LeaveCriticalSection
MultiByteToWideChar
_o__get_wide_winmain_command_line
MessageBeep
6"6(6.656;6G6M6k6q6
.rtc$TZZ
.data$r$brc
1%141O1V1w1
Microsoft
.CRT$XLZ
WindowsCreateStringReference
PQSVW
Windows.Storage.StorageFile
.CRT$XTA
NtUpdateWnfStateData
QWPWh
CreateMutexExW
>'>->4>A>G>M>m>t>
.rtc$IAA
9V9]9
j5j6h N@
EventWriteTransfer
bad array new length
</requestedPrivileges>
WaitForSingleObjectEx
4,4L4]4d4{4
EditFindCount
_o___std_exception_copy
DecryptFileW
j XVW
EnableWindow
Encoding
Whd'@
L$4_^[3
818J8P9W9^9f9
prop:System.Security.EncryptionOwners
GetProcAddress
DeleteObject
MoveWindow
SetScrollPos
totalHits
<!=^=
1#2n2
;*<4<O<_<k<r<}<
767]7
feedback-hub://?tabid=2&contextid=1010
StatusBar
shell\osshell\accesory\notepad\nprestart.cpp
?;?A?I?f?k?z?
IsWordWrap
u$WSQ
api-ms-win-crt-private-l1-1-0.dll
szHeader
.tls$
IsClipboardFormatAvailable
Microsoft YaHei UI Light
t'j Xf9
CoTaskMemFree
EditPasteCount
.didat$3
GetUserDefaultUILanguage
KERNEL32.dll
.rsrc$01
GetModuleHandleW
SessionId
t4QQj
ew|>&=4_
t f;B
WaitForSingleObject
_o__purecall
9(9N9i9r9{9
RtlNtStatusToDosErrorNoTeb
7T})gW
GetWindowTextLengthW
Windows.Security.EnterpriseData.ProtectionPolicyManager
.?AVbad_alloc@std@@
GetLastError
6#6)6/6M6W6r6}6
8-9l9
tsj&Yf;
.CRT$XPZ
t1f;B
TranslateAcceleratorW
_o_exit
>0><>
count
HasHeaderOrFooter
7!7'747:7G7M7Z7`7m7s7
1_2p2
9\9z9
api-ms-win-shcore-obsolete-l1-1-0.dll
CreateWindowExW
language="*"
.CRT$XIA
EndPage
RtlDisownModuleHeapAllocation
api-ms-win-core-synch-l1-1-0.dll
Windows.ApplicationModel.DataTransfer.Clipboard
EditUndoCount
CommDlgExtendedError
FindMimeFromData
2I3m3
2&2O2W2^2d2n2x2
IsLogEntry
GetTokenInformation
api-ms-win-core-winrt-error-l1-1-1.dll
GetTimeFormatW
757V7e7x7~7
7!7.767_7e7
WAxK0i
1o?-XfF
f90^t
<H=N=
0"0;0 1V1_1w1
:=:l:u:}:
ProductVersion
?'?4?=?H?P?Z?b?m?s?y?
EventSetInformation
3,6W6f6s6
:S:Z::;A;
> >$>(>0>D>
GetClientRect
4(474@4F4N4]4f4k4z4
.rdata$brc
8&8-858>8Q8`8g8l8s8
677>7U7
FindNLSString
CompareStringOrdinal
?'?C?I?\?f?
_initterm
`.data
_o__controlfp_s
.didat$4
;&;9;L;z;
SequenceNumber
EditCutCount
GetTextMetricsW
</dependency>
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
notepad.pdb
RegOpenKeyExW
api-ms-win-crt-runtime-l1-1-0.dll
AcquireSRWLockShared
81868;8A8G8h8q8x8
_o__wcsicmp
;%;E;K;[;c;m;u;
>*?;?G?R?d?
https://go.microsoft.com/fwlink/p/?linkid=838060
8=8L8
Microsoft.Notepad
j(hxOB
OpenPrinterW
LoadLibraryExW
7+7I7b7y7
CoUninitialize
VS_VERSION_INFO
QRPhH.B
test/log
FileNewCount
9_(s-j
.idata$3
98:V:|:
FileSize
InitializeCriticalSectionEx
PWVhd!@
GetTextExtentPoint32W
8"858M8t8
InvalidateRect
?.?3?9?J?W?z?
SetWindowTextW
oLW\f
d|BNeU
Local\SM0:%d:%d:%hs
WakeAllConditionVariable
PWVh8#@
</application>
OpenProcessToken
<description>Windows Shell</description>
$(SQO
5/565A5H5Z5a5s5z5
PrintDlgExW
Sleep
FormatMessageW
D$(SVW
;o?w?
iWindowPosDY
.gfids
LocalReAlloc
?(?p?
9=HOB
0)090\0
</windowsSettings>
PathFindExtensionW
iMarginBottom
SetWindowExtEx
QueryPerformanceCounter
EnumFontsW
.CRT$XCAA
ViewHelp
fPasteOriginalEOL
MonitorFromWindow
WinSta0
VY$[X
:7;>;
0&1-1K1[1p1
1E1j1
<SVW3
PWVh8!@
>D>[>
api-ms-win-core-interlocked-l1-1-0.dll
replaceString
HeapSetInformation
5(5,545L5T5X5\5`5d5h5l5p5t5x5|5
.rdata$zETW9
j&Yf;
LaunchNotepadStart
PROPSYS.dll
30_0i0~0
_o___p__commode
_o__set_fmode
GetWindowLongW
0*0Y0t0
szTrailer
CharUpperW
:":):0:7:>:E:M:U:]:h:m:s:}:
ReleaseDC
api-ms-win-core-com-l1-1-0.dll
6&656N6i6
t$$SP
=*>3><>N>]>g>r>
1$1<1B1P1V1]1b1q1v1|1
6-6C6I6O6U6_6d6k6p6u6
4!5o5
=,=?=u=
:*;>;R;s;z;
:-:4:B:I:P:[:d:z:
bgOne
.?AVtype_info@@
697@7n7
EnterCriticalSection
GetTextFaceW
:9:[:g:n:
,B>DY
.didat$5
api-ms-win-eventing-provider-l1-1-0.dll
OpenSemaphoreW
PathIsFileSpecW
publicKeyToken="6595b64144ccf1df"
;"<)<<<C<V<]<h<o<
2E3e3
.rdata
5#5-575A5K5U5_5i5s5}5
.rdata$zzzdbg
<dependency>
Microsoft Corporation
SetDlgItemTextW
PostQuitMessage
j Xj`W
PWVhl"@
ContextMenu
GlobalAlloc
UnmapViewOfFile
PWVhT"@
7b9j9
[%hs]
j"F[f;
:3;@;Q;W;
X\?E/5
?6?[?t?{?
EditDeleteCount
type="win32"/>
Wh0EB
.CRT$XTZ
UnhookWinEvent
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
2q3z3
=M=~=
SaveStart
AcquireSRWLockExclusive
Microsoft YaHei UI
FileOpenStart
4*444_4f4
GetCurrentProcess
CheckMenuItem
>1><>K>n>
SVWPh
6R6l6
1O2o2y2
;7;Q;Y;p;x;
%UM;%
324@4H4\4g4
35@LB
3E4K4Q4X4_4h4
_o__initialize_wide_environment
SetWindowLongW
9;9Q9s9
%s%c*.txt%c%s%c*.*%c
onecore\internal\sdk\inc\wil\opensource/wil/filesystem.h
_o_toupper
LocalLock
:&;,;9;?;P;m;
ResolveDelayLoadedAPI
RegQueryValueExW
<[<g<o<
.rdata$r$brc
8'80898?8D8X8a8m8u8
PageSetupUpdated
Software\Microsoft\Notepad
Segoe Pseudo
Yu Gothic UI
Microsoft JhengHei UI Bold
_^[Y]
SHGetKnownFolderPath
PathFileExistsW
1(1=1N1S1Y1n1
@W=7A=
</security>
4$5*505:5F5T5r5v5z5~5
iWindowPosX
Wh<L@
SendMessageW
6'6K6n6v6
7!8(8L8S8e8l8~8
MainAcc
10.0.19041.1
040904B0
.idata$6
.rdata$zETW0
8/969i9
RtlUnsubscribeWnfNotificationWaitForCompletion
CharNextW
?0X0b0
Windows.ApplicationModel.Resources.Core.ResourceManager
_o___stdio_common_vswprintf
ShellAboutW
</assembly>
</dependentAssembly>
=#=-=?=\=b=k=w=
>>>L>Z>y>
GetModuleFileNameW
:$:+:
Segoe UI Light
1"1N1
10.0.19041.1 (WinBuild.160101.0800)
GetCommandLineW
:-:G:e:
D$(PQ
CreateDialogParamW
2!2K2l2t2
.rtc$TAA
0!010I0d0
MICROSOFTEDPPERMISSIVEAPPINFO
CloseHandle
kernel32.dll
FormatFontCount
374J4W4s4
IsAdminMode
5ineI
GetMenu
404G4`4i4p4
EditReplaceCount
x*!\$
StartPage
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0l0p0t0x0|0
0/262\2c2
.text$yd
LoadStringW
api-ms-win-shcore-scaling-l1-1-1.dll
fWindowsOnlyEOL
GlobalFree
4.4B4H4c4i4}4
9%:,:r:y:
9(959>9I9Q9\9d9i9t9|9
AppExit
4<4Y4v4
uNPPV
1M1d1j1p1
7%7*7/7P7U7b7
.tls$ZZZ
.CRT$XPA
VWj43
6X7j7
=+>0>Z>n>}>
3e3p3u3
SetWindowPlacement
<9=P=X=r=
141\1
Lucida Console
GetModuleHandleExW
.rsrc$02
WriteFile
GlobalUnlock
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
EventRegister
GetFileTitleW
9&9-949;9C9K9S9_9h9m9s9}9
???F?b?|?
USER32.dll
rY&'K
ul%G1
StatusBarVisibility
RegQueryInfoKeyW
L$ j1
LaunchNotepadComplete
_o__register_onexit_function
9&909:9D9N9X9b9o9}9
=.>9>>>I>O>V>a>i>z>
0 0$0(0,0004080<0@0D0L0P0T0X0\0`0d0h0l0t0x0
FindTextW
EditGotoCount
VSSSh`&@
686@6H6P6X6^6x6
.rdata$T$brc
7<7X7n7
api-ms-win-core-winrt-error-l1-1-0.dll
_o___std_exception_destroy
TextOutW
99:L:u:{:
[%hs(%hs)]
searchString
ShowWindow
TerminateProcess
;J;Q;
(caller: %p)
1(121J1p1x1
memcmp
6S6\6(7Z7b7
.rdata$sxdata
WindowsCreateString
.idata$2
LoadAcceleratorsW
@.didat
_o__errno
DelayLoadFailureHook
3#30393G3M3X3^3i3p3u3{3
Microsoft YaHei UI Bold
LocalFree
GetDC
onecore\internal\sdk\inc\wil\opensource\wil\resource.h
203F3U3_3j3z3
GetOpenFileNameW
LocalSize
name="Microsoft.Windows.Common-Controls"
onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
memcpy
5!5(595?5E5^5e5l5v5|5
PWVh$#@
TelemetryAssertDiagTrack
IsDebuggerPresent
8"9,989c9l9
WSh`&@
SearchBingInvoked
FreshWindow
%s\%s
T$0QQV
:":):@:j:w:
WilError_03
7-7C7M7g7
onecore\internal\sdk\inc\wil/Staging.h
9&929:9[9p9~9
QQSW3
uISVj
GetDiskFreeSpaceExW
_o__initialize_onexit_table
_o__callnewh
494@4G4N4i4
4&4/4H4
Segoe UI SemiBold
GetLocaleInfoW
.00cfg
<requestedPrivileges>
1,2Q2a2r2v2|2
Software\Microsoft\Notepad\Autosave
Default
;';?;X;f;
*.txt
2 2G2S2b2p2v2
_o__configure_wide_argv
hwp1p0
Vh<L@
bWti^
GetPrinterDriverW
CreateDirectoryW
2)222A2w2
Unknown exception
Malgun Gothic
363e3
'R{=f
Lh L@
GetSaveFileNameW
SetViewportExtEx
1<2B2a2g2
1>1E1a1y1
2h3z3
0%0+010=0C0J0O0U0a0g0r0x0~0
8(80888E8]8q8
m]#0D
=*=0=7===E=K=P=c=
DialogBoxParamW
EditCopyCount
5&5-5]5d5u5
ReleaseSRWLockExclusive
L$$!D$8j/j0h
SlipUpAcc
0"0(0.060<0K0X0j0x0
2B2U2
api-ms-win-core-winrt-l1-1-0.dll
EventProviderEnabled
GetDlgCtrlID
DeleteCriticalSection
D$(Ph
FilePrintCount
<!-- Copyright (c) Microsoft Corporation -->
.data$brc
G,PSWh
Rich>
RegisterClassExW
RegCreateKeyExW
MulDiv
ClosePrinter
.data
5ntel
_o_malloc
_o__crt_atexit
= >6><>F>K>Q>V>\>i>n>t>
'3.3d3k3Q4X4
Exception
5I5`5
RoUninitialize
:%;.;@;y;
LogHr
3ntdll.dll
QRPhh.B
lfOrientation
PSGetPropertyDescriptionListFromString
+dBVY
SetCursor
CompanyName
PWVhP#@
j"Xf9
GetProcessHeap
WWVhXAB
_initterm_e
? ?L?Y?
api-ms-win-core-profile-l1-1-0.dll
;U<w<
8A8H8N8[8d8s8|8
CreateFileW
8 8&8,82888>8D8J8P8
TranslateMessage
#D$4W
NOTEPAD.EXE
PageSetupDlgW
=R=m=
FileSaveCount
3-363=3L3U3\3k3t3{3
EDPENLIGHTENEDAPPINFOID
D$ Pj
/>
IsDialogMessageW
;$;4;>;G;M;^;g;
GetFileAttributesW
GetDlgItemTextW
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
81989O9z9
t[W@Pj@
name="Microsoft.Windows.Shell.notepad"
@.reloc
LocalAlloc
GetFileAttributesExW
SetUnhandledExceptionFilter
9#93999a9g9u9{9
425;5G5O5^5q5z5
3#3<3Z3{3
<;<A<P<k<q<|<
0/0w0
t.SSh
.didat$2
3-3?3G3\3f3n3
t%SSj
<)</<:<@<K<Q<Z<`<f<l<w<}<
t[j8Y
CreateThreadpoolTimer
D$pSV3
=$=+=3=M=f=
2,343<3B3H3N3S3f3x3
SetFocus
6'6.656J6\6k6v6
iPointSize
UpdateWindow
SetActiveWindow
5<8C8+9/939H9z9
0=0J0f0l0y0
Leelawadee UI
FWph?r
L$ QP
D$@j<SP
ReturnHr
#D$TW
lfQuality
GetFileInformationByHandle
CoCreateInstance
5B6S6c6u6
fWrap
_o__wtol
.text
D$(;D$
CreateSemaphoreExW
WindowsDeleteString
D$4PQQ
GDI32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
RedrawWindow
DrawTextExW
WilStaging_02
CreateEventExW
GetStartupInfoW
.CRT$XCZ
_except_handler4_common
:A:q:
Da6N^
9\$(u
SHStrDupW
iMarginLeft
<security>
.xdata$x
1=1m1
FileExtension
323o3
4$464n4
WideCharToMultiByte
PostMessageW
.text$di
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
1%1+11171@1U1[1a1j1p1v1
1!1h1n1
GetSystemMenu
iMarginRight
ReleaseMutex
EdpPasteToNoContextCount
RegCloseKey
Operating System
_o__configthreadlocale
GetDeviceCaps
_o__seh_filter_exe
: :^:g:
NtQueryWnfStateData
CoTaskMemAlloc
<?<n<}<
lfPitchAndFamily
GetSystemTimeAsFileTime
kernelbase.dll
GetFocus
:B:R:{:
?-?^?t?
Vving1
.idata$4
373%4/4
595b5k5v5
<$<+<=<D<V<]<w<~<
QRPRh
3 3r5z5
InitializeConditionVariable
GetWindowPlacement
.CRT$XIAC
Translation
SetEvent
.giats
.text$x
>#><>E>S>\>l>q>|>
hgtlCm
FindClose
CreateFileMappingW
WindowsGetStringRawBuffer
6&6;6U6^6
<H<a<
.CRT$XLA
.didat$7
IsProcessorFeaturePresent
<windowsSettings xmlns:ws2="http://schemas.microsoft.com/SMI/2016/WindowsSettings">
lfItalic
api-ms-win-core-shlwapi-legacy-l1-1-0.dll
t+f;B
VQPWV
\$ Ph
lfEscapement
ProductName
GetFullPathNameW
ContentType
9b9|9
3$3.373=3C3O3U3\3b3n3
>'>D>T>d>t>
CoCreateFreeThreadedMarshaler
4I5[5i5x5
>#>)>7>C>`>e>
;[<s<
SetWinEventHook
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2p2t2x2|2
:!:':/:5:=:C:K:Q:V:[:b:m:~:
>#>1><>D>P>U>`>f>q>w>~>
252;2E2r2~2
7$7}7
WaitForThreadpoolTimerCallbacks
<=<C<K<
305.1i
.idata
SPSVSSS
DestroyWindow
:(;.;3;S;Y;d;o;u;{;
DragFinish
9?:J:V:^:m:u:}:
.rtc$IZZ
DeleteDC
PWVh !@
Windows.Security.EnterpriseData.FileProtectionManager
CreateEventW
SetMapMode
InternalName
RtlNotifyFeatureUsage
en-US
EditMenu
:$:9:
_o__invalid_parameter_noinfo
PVVhlO@
PWVhP!@
SVWj@
GetDateFormatW
lfOutPrecision
=(=4=?=b=
EdpFileOpenCount
iDefaultEncoding
232=2L2
Windows
LPtoDP
7)7/757;7A7G7M7R7X7`7e7n7u7
1$2D2M2T2l2u2|2
%hs(%d) tid(%x) %08X %ws
entrypoint
CreateStatusWindowW
EdpFileOpenAttemptFailCount
525?5
4J4\4o4
4/454;4A4j4}4
EdpFileSaveCount
t$pVQ
shell\osshell\accesory\notepad\notepad.cpp
8&8,8?8R8Y8s8
VWj73
CreateDCW
35<LB
lstrcmpiW
6!6/6N6U6l6s6
!This program cannot be run in DOS mode.
IsIconic
fWrapAround
ReleaseSRWLockShared
iMarginTop
^BNQ,^
TelemetryAssert
ChooseFontW
<assemblyIdentity
5H5S5Y5^5d5j5o5u5{5
;";8;K;c;y;
RegEnumValueW
IsNetworkPath
tyf;B
PSSSSWS
GlobalLock
SetBkMode
2*292K2]2
1C2I2W2q2w2
8$8?8G8a8l8u8
=&=,=2=8=U=[=h=n=x=~=
commdlg_help
_o__set_app_type
GetDpiForMonitor
1 1f1
FileDescription
Yu Gothic UI Light
QQSVW
<><V<\<i<|<
GetDpiForWindow
;!;X;];p;
PhP^B
>:>V>d>k>
Malgun Gothic Bold
%s\%s.autosave
OutputDebugStringW
D$0SVW
api-ms-win-shcore-path-l1-1-0.dll

PE Information

Image Base 0x00400000
Entry Point 0x00021860
Reported Checksum 0x0002c834
Actual Checksum 0x0002c834
Minimum OS Version 10.0
PDB Path notepad.pdb
Compile Time 1971-01-29 08:00:01
Import Hash 291bf41874edcdb21d447b43ee0e6b1f

Version Infos

CompanyName Microsoft Corporation
FileDescription Notepad
FileVersion 10.0.19041.1 (WinBuild.160101.0800)
InternalName Notepad
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.19041.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000223b8 0x00022400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.65
.data 0x00022800 0x00024000 0x00001f74 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.11
.idata 0x00023200 0x00026000 0x0000214e 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.31
.didat 0x00025400 0x00029000 0x000000bc 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.72
.rsrc 0x00025600 0x0002a000 0x00000bd8 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.59
.reloc 0x00026200 0x0002b000 0x00002428 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.69

Name Offset Size Language Sub-language Entropy File type
EDPENLIGHTENEDAPPINFOID 0x0002a710 0x00000002 LANG_ENGLISH SUBLANG_ENGLISH_US 1.00 None
EDPPERMISSIVEAPPINFOID 0x0002a718 0x00000002 LANG_ENGLISH SUBLANG_ENGLISH_US 1.00 None
MUI 0x0002aa98 0x00000140 LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_VERSION 0x0002a720 0x00000374 LANG_ENGLISH SUBLANG_ENGLISH_US 3.44 None
RT_MANIFEST 0x0002a260 0x000004ad LANG_ENGLISH SUBLANG_ENGLISH_US 4.99 None

Imports

Name Address
GetProcAddress 0x426068
CreateMutexExW 0x42606c
AcquireSRWLockShared 0x426070
DeleteCriticalSection 0x426074
GetCurrentProcessId 0x426078
GetProcessHeap 0x42607c
GetModuleHandleW 0x426080
DebugBreak 0x426084
IsDebuggerPresent 0x426088
GlobalFree 0x42608c
GetLocaleInfoW 0x426090
CreateFileW 0x426094
ReadFile 0x426098
MulDiv 0x42609c
GetCurrentProcess 0x4260a0
GetCommandLineW 0x4260a4
HeapSetInformation 0x4260a8
FreeLibrary 0x4260ac
FindFirstFileW 0x4260b0
FindClose 0x4260b4
CompareStringOrdinal 0x4260b8
LocalAlloc 0x4260bc
LocalFree 0x4260c0
FoldStringW 0x4260c4
GetModuleFileNameW 0x4260c8
GetUserDefaultUILanguage 0x4260cc
GetLocalTime 0x4260d0
GetDateFormatW 0x4260d4
GetTimeFormatW 0x4260d8
WideCharToMultiByte 0x4260dc
WriteFile 0x4260e0
GetFileAttributesW 0x4260e4
LocalLock 0x4260e8
GetACP 0x4260ec
LocalUnlock 0x4260f0
DeleteFileW 0x4260f4
SetEndOfFile 0x4260f8
GetFileAttributesExW 0x4260fc
GetFileInformationByHandle 0x426100
CreateFileMappingW 0x426104
MapViewOfFile 0x426108
MultiByteToWideChar 0x42610c
LocalReAlloc 0x426110
UnmapViewOfFile 0x426114
GetFullPathNameW 0x426118
LocalSize 0x42611c
GetStartupInfoW 0x426120
lstrcmpiW 0x426124
FindNLSString 0x426128
GlobalLock 0x42612c
GlobalUnlock 0x426130
GlobalAlloc 0x426134
GetDiskFreeSpaceExW 0x426138
CreateDirectoryW 0x42613c
RegisterApplicationRestart 0x426140
CreateSemaphoreExW 0x426144
CreateThreadpoolTimer 0x426148
ReleaseSRWLockShared 0x42614c
SetThreadpoolTimer 0x426150
CloseHandle 0x426154
OpenSemaphoreW 0x426158
WaitForSingleObjectEx 0x42615c
AcquireSRWLockExclusive 0x426160
CloseThreadpoolTimer 0x426164
OutputDebugStringW 0x426168
ReleaseSRWLockExclusive 0x42616c
GetLastError 0x426170
FormatMessageW 0x426174
ReleaseMutex 0x426178
GetCurrentThreadId 0x42617c
WaitForSingleObject 0x426180
WaitForThreadpoolTimerCallbacks 0x426184
InitializeCriticalSectionEx 0x426188
LeaveCriticalSection 0x42618c
GetModuleHandleExW 0x426190
ReleaseSemaphore 0x426194
EnterCriticalSection 0x426198
SetLastError 0x42619c
HeapAlloc 0x4261a0
HeapFree 0x4261a4
ResolveDelayLoadedAPI 0x4261a8
DelayLoadFailureHook 0x4261ac
GetModuleFileNameA 0x4261b0
Name Address
CreateDCW 0x42600c
StartPage 0x426010
StartDocW 0x426014
SetAbortProc 0x426018
DeleteDC 0x42601c
EndDoc 0x426020
AbortDoc 0x426024
EndPage 0x426028
GetTextMetricsW 0x42602c
SetBkMode 0x426030
LPtoDP 0x426034
SetWindowExtEx 0x426038
SetViewportExtEx 0x42603c
SetMapMode 0x426040
GetTextExtentPoint32W 0x426044
TextOutW 0x426048
EnumFontsW 0x42604c
GetTextFaceW 0x426050
SelectObject 0x426054
DeleteObject 0x426058
CreateFontIndirectW 0x42605c
GetDeviceCaps 0x426060
Name Address
GetFocus 0x4261b8
PostMessageW 0x4261bc
GetMenu 0x4261c0
CheckMenuItem 0x4261c4
GetSubMenu 0x4261c8
EnableMenuItem 0x4261cc
ShowWindow 0x4261d0
GetDC 0x4261d4
ReleaseDC 0x4261d8
SetCursor 0x4261dc
GetDpiForWindow 0x4261e0
SetActiveWindow 0x4261e4
LoadStringW 0x4261e8
DefWindowProcW 0x4261ec
IsIconic 0x4261f0
SetFocus 0x4261f4
PostQuitMessage 0x4261f8
DestroyWindow 0x4261fc
MessageBeep 0x426200
GetForegroundWindow 0x426204
GetDlgCtrlID 0x426208
SetWindowPos 0x42620c
RedrawWindow 0x426210
GetKeyboardLayout 0x426214
CharNextW 0x426218
SetWinEventHook 0x42621c
GetMessageW 0x426220
TranslateAcceleratorW 0x426224
IsDialogMessageW 0x426228
TranslateMessage 0x42622c
DispatchMessageW 0x426230
UnhookWinEvent 0x426234
SetWindowTextW 0x426238
OpenClipboard 0x42623c
IsClipboardFormatAvailable 0x426240
CloseClipboard 0x426244
SetDlgItemTextW 0x426248
GetDlgItemTextW 0x42624c
EndDialog 0x426250
SendDlgItemMessageW 0x426254
SetScrollPos 0x426258
InvalidateRect 0x42625c
UpdateWindow 0x426260
GetWindowPlacement 0x426264
SetWindowPlacement 0x426268
CharUpperW 0x42626c
GetSystemMenu 0x426270
LoadAcceleratorsW 0x426274
SetWindowLongW 0x426278
CreateWindowExW 0x42627c
MonitorFromWindow 0x426280
RegisterWindowMessageW 0x426284
LoadCursorW 0x426288
RegisterClassExW 0x42628c
GetWindowTextLengthW 0x426290
GetWindowLongW 0x426294
PeekMessageW 0x426298
GetWindowTextW 0x42629c
EnableWindow 0x4262a0
CreateDialogParamW 0x4262a4
DrawTextExW 0x4262a8
LoadIconW 0x4262ac
LoadImageW 0x4262b0
DialogBoxParamW 0x4262b4
SetThreadDpiAwarenessContext 0x4262b8
SendMessageW 0x4262bc
MoveWindow 0x4262c0
GetClientRect 0x4262c4
MessageBoxW 0x4262c8
Name Address
wcsnlen 0x42644c
memset 0x426450
Name Address
_initterm_e 0x426438
_c_exit 0x42643c
_register_thread_local_exe_atexit_callback 0x426440
_initterm 0x426444
Name Address
CoCreateFreeThreadedMarshaler 0x4262d0
CoWaitForMultipleHandles 0x4262d4
PropVariantClear 0x4262d8
CoTaskMemFree 0x4262dc
CoTaskMemAlloc 0x4262e0
CoCreateInstance 0x4262e4
CoInitializeEx 0x4262e8
CoCreateGuid 0x4262ec
CoUninitialize 0x4262f0
Name Address
PathFindExtensionW 0x426334
PathFileExistsW 0x426338
PathIsFileSpecW 0x42633c
Name Address
SHStrDupW 0x426460
Name Address
Name Address
GetDpiForMonitor 0x426470
Name Address
RaiseException 0x4262f8
SetUnhandledExceptionFilter 0x4262fc
UnhandledExceptionFilter 0x426300
Name Address
TerminateProcess 0x426318
Name Address
IsProcessorFeaturePresent 0x426320
GetProcessMitigationPolicy 0x426324
Name Address
CreateEventExW 0x426344
CreateEventW 0x426348
ResetEvent 0x42634c
SetEvent 0x426350
InitializeCriticalSectionAndSpinCount 0x426354
Name Address
QueryPerformanceCounter 0x42632c
Name Address
GetTickCount 0x426364
GetSystemTimeAsFileTime 0x426368
Name Address
InitializeSListHead 0x426308
Name Address
LoadLibraryExW 0x426310
Name Address
SetRestrictedErrorInfo 0x426370
Name Address
RoInitialize 0x426380
RoGetActivationFactory 0x426384
RoUninitialize 0x426388
Name Address
RoGetMatchingRestrictedErrorInfo 0x426378
Name Address
EventProviderEnabled 0x426458
Name Address
Sleep 0x42635c
Name Address
CreateStatusWindowW 0x426000



Command and Control
  • T1071 - Application Layer Protocol
    • static_pe_pdbpath
    • static_pe_anomaly

Defense Evasion
  • T1027 - Obfuscated Files or Information
    • packer_unknown_pe_section_name
  • T1027.002 - Software Packing
    • packer_unknown_pe_section_name

Usage


Processing ( 1.19 seconds )

  • 0.757 Heatmap
  • 0.426 CAPE
  • 0.005 BehaviorAnalysis
  • 0.003 AnalysisInfo
  • 0.003 NetworkAnalysis

Signatures ( 0.02 seconds )

  • 0.003 ransomware_files
  • 0.002 antianalysis_detectfile
  • 0.002 antiav_detectreg
  • 0.002 ransomware_extensions
  • 0.001 antianalysis_detectreg
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 browser_security
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 infostealer_mail
  • 0.001 poullight_files
  • 0.001 territorial_disputes_sigs
  • 0.001 ursnif_behavior

Reporting ( 2.73 seconds )

  • 2.688 MITRE_TTPS
  • 0.041 ReportHTML
  • 0.001 PCAP2CERT
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: notepad.pdb
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00025400', 'virtual_address': '0x00029000', 'virtual_size': '0x000000bc', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '1.72'}
Checks for presence of debugger via IsDebuggerPresent
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.
No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\SrpDevice
C:\Users\user\AppData\Local\Temp\resources.pri
C:\Users\user\AppData\Local\Temp\notepad.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySleepLoopWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySpinCountThreshold
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayBaseYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtFactorYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayMaxYield
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\Gp\RuleCount
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Mrt\_Merged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2527171340-3306644326-1278290521-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2527171340-3306644326-1278290521-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DataDrive
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\OSDataDrive
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySleepLoopWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySpinCountThreshold
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayBaseYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtFactorYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayMaxYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\Gp\RuleCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2527171340-3306644326-1278290521-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DataDrive
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\OSDataDrive
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
Local\SM0:2508:168:WilStaging_02
No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.