Status: Clean

Analysis

Category Package Started Completed Duration MalScore
FILE exe 2025-12-08 16:27:50 2025-12-08 16:29:31 101 seconds 1.2
vnc_port=5901
2025-12-06 19:18:15,596 [root] INFO: Date set to: 20251208T08:27:49, timeout set to: 180
2025-12-08 08:27:49,004 [root] DEBUG: Starting analyzer from: C:\tmpubkdhhhl
2025-12-08 08:27:49,004 [root] DEBUG: Storing results at: C:\lMRwBWwV
2025-12-08 08:27:49,004 [root] DEBUG: Pipe server name: \\.\PIPE\iAUZHSdD
2025-12-08 08:27:49,004 [root] DEBUG: Python path: C:\Python38
2025-12-08 08:27:49,004 [root] INFO: analysis running as an admin
2025-12-08 08:27:49,004 [root] INFO: analysis package specified: "exe"
2025-12-08 08:27:49,004 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-12-08 08:27:49,035 [root] DEBUG: imported analysis package "exe"
2025-12-08 08:27:49,035 [root] DEBUG: initializing analysis package "exe"...
2025-12-08 08:27:49,035 [lib.common.common] INFO: wrapping
2025-12-08 08:27:49,035 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-08 08:27:49,035 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\notepad.exe
2025-12-08 08:27:49,035 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-12-08 08:27:49,035 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-12-08 08:27:49,035 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-12-08 08:27:49,035 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-12-08 08:27:49,113 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-08 08:27:49,113 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-08 08:27:49,129 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-08 08:27:49,145 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-08 08:27:49,145 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-08 08:27:49,145 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-08 08:27:49,145 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-08 08:27:49,160 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-08 08:27:49,176 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-08 08:27:49,176 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-12-08 08:27:49,176 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-08 08:27:49,176 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-08 08:27:49,176 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-08 08:27:49,176 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-08 08:27:49,176 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-08 08:27:49,176 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-08 08:27:49,176 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-08 08:27:49,176 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-08 08:27:49,207 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-08 08:27:49,207 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-08 08:27:49,207 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-08 08:27:49,207 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-08 08:27:49,207 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-08 08:27:49,207 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-08 08:27:49,207 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-08 08:27:49,207 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-08 08:27:49,207 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-08 08:27:49,207 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-08 08:27:49,207 [modules.auxiliary.disguise] INFO: Disguising GUID to 8e52622e-848f-44cf-901c-b7caad4ec512
2025-12-08 08:27:49,207 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-08 08:27:49,207 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-08 08:27:49,207 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-08 08:27:49,207 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-08 08:27:49,207 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-08 08:27:49,207 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-08 08:27:49,207 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-08 08:27:49,207 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-08 08:27:49,207 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-08 08:27:49,207 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-08 08:27:49,207 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-08 08:27:49,223 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-08 08:27:49,223 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-08 08:27:49,223 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-08 08:27:49,223 [root] DEBUG: attempting to configure 'Human' from data
2025-12-08 08:27:49,223 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-08 08:27:49,223 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-08 08:27:49,223 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-08 08:27:49,223 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-08 08:27:49,223 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-08 08:27:49,223 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-08 08:27:49,223 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-08 08:27:49,223 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-08 08:27:49,223 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-08 08:27:49,223 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-08 08:27:49,223 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-08 08:27:49,223 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-08 08:27:49,238 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-12-08 08:27:49,238 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-08 08:27:49,238 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-08 08:27:49,238 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-08 08:27:49,238 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-08 08:27:49,238 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-08 08:27:49,535 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-08 08:27:49,629 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-08 08:27:49,645 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-08 08:27:49,645 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-08 08:27:49,645 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-08 08:27:49,645 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-08 08:27:49,645 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-08 08:27:49,645 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 716
2025-12-08 08:27:49,645 [lib.api.process] INFO: Monitor config for <Process 716 lsass.exe>: C:\tmpubkdhhhl\dll\716.ini
2025-12-08 08:27:49,645 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-08 08:27:49,660 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpubkdhhhl\dll\WwJABbH.dll, loader C:\tmpubkdhhhl\bin\NgqxSvQO.exe
2025-12-08 08:27:49,801 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-08 08:27:49,973 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-08 08:27:50,004 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-08 08:27:50,051 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-08 08:27:50,145 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-08 08:27:50,145 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-08 08:27:50,207 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-08 08:27:50,254 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-08 08:27:50,270 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-08 08:27:50,301 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-08 08:27:50,332 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-08 08:27:50,364 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-08 08:27:50,410 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-08 08:27:50,457 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-08 08:27:50,504 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-08 08:27:50,504 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-08 08:27:50,535 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-08 08:27:50,551 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-08 08:27:50,567 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-08 08:27:50,582 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-08 08:27:50,598 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-08 08:27:50,629 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-08 08:27:50,660 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-08 08:27:50,707 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-08 08:27:50,739 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-08 08:27:50,770 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-08 08:27:50,801 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-08 08:27:50,832 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-08 08:27:50,864 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-08 08:27:50,879 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-08 08:27:50,910 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-08 08:27:50,973 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-08 08:27:50,988 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-08 08:27:51,020 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-08 08:27:51,051 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-08 08:27:51,067 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-08 08:27:51,113 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-08 08:27:51,145 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-08 08:27:51,176 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-08 08:27:51,207 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-08 08:27:51,238 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-08 08:27:51,270 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-08 08:27:51,301 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-08 08:27:51,317 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-08 08:27:51,348 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-08 08:27:51,379 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-08 08:27:51,410 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-08 08:27:51,442 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-08 08:27:51,457 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-08 08:27:51,488 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-08 08:27:51,520 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-08 08:27:51,535 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-08 08:27:51,567 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-08 08:27:51,598 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-08 08:27:51,629 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-08 08:27:51,645 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-08 08:27:51,676 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-08 08:27:51,707 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-08 08:27:51,738 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-08 08:27:51,770 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-08 08:27:51,801 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-08 08:27:51,832 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-08 08:28:13,675 [root] DEBUG: Loader: Injecting process 716 with C:\tmpubkdhhhl\dll\WwJABbH.dll.
2025-12-08 08:28:37,716 [root] DEBUG: 716: Python path set to 'C:\Python38'.
2025-12-08 08:28:37,716 [root] INFO: Disabling sleep skipping.
2025-12-08 08:28:37,716 [root] DEBUG: 716: TLS secret dump mode enabled.
2025-12-08 08:28:37,716 [root] DEBUG: 716: GetAddressByYara: ModuleBase 0x00007FFCDC350000 FunctionName RtlInsertInvertedFunctionTable
2025-12-08 08:28:37,716 [root] DEBUG: 716: RtlInsertInvertedFunctionTable 0x00007FFCDC37BBFA, LdrpInvertedFunctionTableSRWLock 0x00007FFCDC4D70F0
2025-12-08 08:28:37,716 [root] DEBUG: 716: Monitor initialised: 64-bit capemon loaded in process 716 at 0x00007FFCAE740000, thread 1944, image base 0x00007FF6BC8A0000, stack from 0x0000001E0C174000-0x0000001E0C180000
2025-12-08 08:28:37,716 [root] DEBUG: 716: Commandline: C:\Windows\system32\lsass.exe
2025-12-08 08:28:37,716 [root] DEBUG: 716: Hooked 5 out of 5 functions
2025-12-08 08:28:37,716 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-08 08:28:37,716 [root] DEBUG: Successfully injected DLL C:\tmpubkdhhhl\dll\WwJABbH.dll.
2025-12-08 08:28:37,732 [lib.api.process] INFO: Injected into 64-bit <Process 716 lsass.exe>
2025-12-08 08:28:37,732 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-08 08:28:37,732 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-08 08:28:37,732 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-08 08:28:37,732 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-08 08:28:37,732 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-08 08:28:37,732 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-08 08:28:37,732 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-08 08:28:37,732 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-08 08:28:37,732 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-08 08:28:37,732 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-08 08:28:37,732 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-08 08:28:40,405 [root] INFO: Restarting WMI Service
2025-12-08 08:28:42,467 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-12-08 08:28:42,467 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-12-08 08:28:42,467 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-08 08:29:06,503 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\notepad.exe" with arguments "" with pid 7020
2025-12-08 08:29:06,503 [lib.api.process] INFO: Monitor config for <Process 7020 notepad.exe>: C:\tmpubkdhhhl\dll\7020.ini
2025-12-08 08:29:06,503 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpubkdhhhl\dll\WwJABbH.dll, loader C:\tmpubkdhhhl\bin\NgqxSvQO.exe
2025-12-08 08:29:06,503 [root] DEBUG: Loader: Injecting process 7020 (thread 3104) with C:\tmpubkdhhhl\dll\WwJABbH.dll.
2025-12-08 08:29:06,503 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-08 08:29:06,503 [root] DEBUG: Successfully injected DLL C:\tmpubkdhhhl\dll\WwJABbH.dll.
2025-12-08 08:29:06,503 [lib.api.process] INFO: Injected into 64-bit <Process 7020 notepad.exe>
2025-12-08 08:29:08,518 [lib.api.process] INFO: Successfully resumed <Process 7020 notepad.exe>
2025-12-08 08:29:08,518 [root] DEBUG: 7020: Python path set to 'C:\Python38'.
2025-12-08 08:29:08,518 [root] INFO: Disabling sleep skipping.
2025-12-08 08:29:08,518 [root] DEBUG: 7020: Dropped file limit defaulting to 100.
2025-12-08 08:29:08,518 [root] DEBUG: 7020: YaraInit: Compiled 41 rule files
2025-12-08 08:29:08,518 [root] DEBUG: 7020: YaraInit: Compiled rules saved to file C:\tmpubkdhhhl\data\yara\capemon.yac
2025-12-08 08:29:08,518 [root] DEBUG: 7020: GetAddressByYara: ModuleBase 0x00007FFCDC350000 FunctionName RtlInsertInvertedFunctionTable
2025-12-08 08:29:08,534 [root] DEBUG: 7020: RtlInsertInvertedFunctionTable 0x00007FFCDC37BBFA, LdrpInvertedFunctionTableSRWLock 0x00007FFCDC4D70F0
2025-12-08 08:29:08,534 [root] DEBUG: 7020: YaraScan: Scanning 0x00007FF76F420000, size 0x372d6
2025-12-08 08:29:08,534 [root] DEBUG: 7020: AmsiDumper initialised.
2025-12-08 08:29:08,534 [root] DEBUG: 7020: Monitor initialised: 64-bit capemon loaded in process 7020 at 0x00007FFCAE740000, thread 3104, image base 0x00007FF76F420000, stack from 0x00000071E8C6F000-0x00000071E8C80000
2025-12-08 08:29:08,534 [root] DEBUG: 7020: Commandline: "C:\Users\user\AppData\Local\Temp\notepad.exe"
2025-12-08 08:29:08,550 [root] DEBUG: 7020: hook_api: LdrpCallInitRoutine export address 0x00007FFCDC378634 obtained via GetFunctionAddress
2025-12-08 08:29:08,550 [root] DEBUG: 7020: hook_api: Warning - CoCreateInstance export address 0x00007FFCDBCB7EF9 differs from GetProcAddress -> 0x00007FFCDBD92050 (combase.dll::0x42050)
2025-12-08 08:29:08,550 [root] DEBUG: 7020: hook_api: Warning - CoCreateInstanceEx export address 0x00007FFCDBCB7F38 differs from GetProcAddress -> 0x00007FFCDBD6CC40 (combase.dll::0x1cc40)
2025-12-08 08:29:08,550 [root] DEBUG: 7020: hook_api: Warning - CoGetClassObject export address 0x00007FFCDBCB84C8 differs from GetProcAddress -> 0x00007FFCDBE19870 (combase.dll::0xc9870)
2025-12-08 08:29:08,550 [root] DEBUG: 7020: hook_api: Warning - CLSIDFromProgID export address 0x00007FFCDBCB7744 differs from GetProcAddress -> 0x00007FFCDBD6E410 (combase.dll::0x1e410)
2025-12-08 08:29:08,550 [root] DEBUG: 7020: hook_api: Warning - CLSIDFromProgIDEx export address 0x00007FFCDBCB7781 differs from GetProcAddress -> 0x00007FFCDBF10280 (combase.dll::0x1c0280)
2025-12-08 08:29:08,550 [root] WARNING: b'Unable to place hook on LockResource'
2025-12-08 08:29:08,550 [root] DEBUG: 7020: set_hooks: Unable to hook LockResource
2025-12-08 08:29:08,550 [root] DEBUG: 7020: Hooked 605 out of 606 functions
2025-12-08 08:29:08,565 [root] DEBUG: 7020: Syscall hook installed, syscall logging level 1
2025-12-08 08:29:08,565 [root] INFO: Loaded monitor into process with pid 7020
2025-12-08 08:29:08,565 [root] DEBUG: 7020: caller_dispatch: Added region at 0x00007FF76F420000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF76F4439C9, thread 3104).
2025-12-08 08:29:08,565 [root] DEBUG: 7020: YaraScan: Scanning 0x00007FF76F420000, size 0x372d6
2025-12-08 08:29:08,565 [root] DEBUG: 7020: ProcessImageBase: Main module image at 0x00007FF76F420000 unmodified (entropy change 0.000000e+00)
2025-12-08 08:29:08,565 [root] DEBUG: 7020: DLL loaded at 0x00007FFCD9BA0000: C:\Windows\System32\bcryptPrimitives (0x7a000 bytes).
2025-12-08 08:29:08,565 [root] DEBUG: 7020: set_hooks_by_export_directory: Hooked 0 out of 606 functions
2025-12-08 08:29:08,565 [root] DEBUG: 7020: DLL loaded at 0x00007FFCD86C0000: C:\Windows\SYSTEM32\kernel.appcore (0x18000 bytes).
2025-12-08 08:29:08,565 [root] DEBUG: 7020: DLL loaded at 0x00007FFCD6BB0000: C:\Windows\system32\uxtheme (0xab000 bytes).
2025-12-08 08:29:08,565 [root] DEBUG: 7020: DLL loaded at 0x00007FFCDC0E0000: C:\Windows\System32\clbcatq (0xb0000 bytes).
2025-12-08 08:29:08,581 [root] DEBUG: 7020: DLL loaded at 0x00007FFCCB2E0000: C:\Windows\System32\MrmCoreR (0x118000 bytes).
2025-12-08 08:29:08,596 [root] DEBUG: 7020: NtTerminateProcess hook: Attempting to dump process 7020
2025-12-08 08:29:08,596 [root] DEBUG: 7020: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-08 08:29:08,612 [root] INFO: Process with pid 7020 has terminated
2025-12-08 08:29:14,581 [root] INFO: Process list is empty, terminating analysis
2025-12-08 08:29:15,583 [root] INFO: Created shutdown mutex
2025-12-08 08:29:16,599 [root] INFO: Shutting down package
2025-12-08 08:29:16,599 [root] INFO: Stopping auxiliary modules
2025-12-08 08:29:16,599 [root] INFO: Stopping auxiliary module: Browser
2025-12-08 08:29:16,599 [root] INFO: Stopping auxiliary module: Curtain
2025-12-08 08:29:16,645 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765211356.6459289.curtain.log; Size is 36; Max size: 100000000
2025-12-08 08:29:16,645 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-08 08:29:16,645 [root] INFO: Stopping auxiliary module: Evtx
2025-12-08 08:29:16,661 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-08 08:29:16,661 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump
2025-12-08 08:29:16,661 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump
2025-12-08 08:29:16,661 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump
2025-12-08 08:29:16,661 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump
2025-12-08 08:29:16,677 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\OAlerts.evtx to zip dump
2025-12-08 08:29:16,677 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump
2025-12-08 08:29:16,692 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump
2025-12-08 08:29:16,692 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump
2025-12-08 08:29:16,692 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump
2025-12-08 08:29:16,786 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2025-12-08 08:29:16,786 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 287293; Max size: 100000000
2025-12-08 08:29:16,786 [root] INFO: Stopping auxiliary module: Human
2025-12-08 08:29:21,664 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-08 08:29:21,664 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-08 08:29:21,664 [root] INFO: Stopping auxiliary module: Usage
2025-12-08 08:29:21,961 [root] INFO: Stopping auxiliary module: During_script
2025-12-08 08:29:21,961 [root] INFO: Finishing auxiliary modules
2025-12-08 08:29:21,961 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-08 08:29:21,961 [root] WARNING: Folder at path "C:\lMRwBWwV\debugger" does not exist, skipping
2025-12-08 08:29:21,961 [root] WARNING: Folder at path "C:\lMRwBWwV\tlsdump" does not exist, skipping
2025-12-08 08:29:21,961 [root] INFO: Analysis completed
Machine

Name Label Manager Started On Shutdown On Route
win11-64bit-tiny-3 win11-64bit-tiny-3 KVM 2025-12-08 16:27:50 2025-12-08 16:29:30 inetsim

File Details

File Name
notepad.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 200704 bytes
MD5 bd4718db42d3ac15939d51d8f7fd0330
SHA1 31315201b97b1eb85bb602dcb586c3a1a7b5dbf7
SHA256 cb448ea83bcf46a21aa9a9b258f39c85df962b18ae3682f2aaac9d79e2c04ebd
SHA3-384 2a896d565d4204d07b2d15d427981c1518766bb8c759f35104bb2676ce5ce9daba791c3b1a3546d16cc0d6ca1aadfbed
CRC32 5731AD47
TLSH T16714382D22EE10E5E47B917CDD524256E6B27431132262EF16E0C57C8F23AEDBA78F41
Ssdeep 3072:JfDg8iAAFxfJZwjPCSm3tK69oUnTYS/7zk+XDBG8BNJtALCgEvkwi6/LPlcF/NL:JriAAFr7vz9oUn8AoSDBrSLCXfFz2F

FailFast
NtQuerySystemInformation
EndDialog
GetModuleFileNameA
EncodingSelection
VWATAUAWH
SetThreadpoolTimer
RegDeleteKeyExW
version="5.1.0.0"
S~=5p
api-ms-win-crt-string-l1-1-0.dll
fE9,Pu
GlobalCollection
ShellExecuteW
D$PH;
\$ UVWAVAWH
Segoe UI
\Notepad
\$ UH
GetACP
sQPI[5T
LocalUnlock
SetAbortProc
CloseClipboard
OriginalFilename
GetCurrentThreadId
.gehcont
ntelA
RegSetValueExW
Ly^X`
RaiseFailFastException
.CRT$XIZ
CoWaitForMultipleHandles
ADVAPI32.dll
EndDoc
tCfA;@
Microsoft JhengHei UI
pA_A^A]A\_^]
SHELL32.dll
GlobalAcc
@USVWATAUAVAWH
Leelawadee UI Semilight
fSaveWindowPositions
FindFirstFileW
WAVAWH
_register_thread_local_exe_atexit_callback
fD9$Xu
xv#?H
GetMessageW
MICROSOFTEDPENLIGHTENEDAPPINFO
USVWATAUAVAWH
f9,zu
HeapFree
DebugBreak
L$8E3
FoldStringW
api-ms-win-core-synch-l1-2-0.dll
<assemblyIdentity
f95:>
VWAVH
D!t$$H
o\$PH
_o__cexit
Leelawadee UI Bold
ReadFile
|$(A_
EnableMenuItem
HL$xH
WINSPOOL.DRV
},YOP
IsTextUnicode
SHCreateItemFromParsingName
DispatchMessageW
fD9%d
SaveComplete
.rdata$zETW2
CloseThreadpoolTimer
RtlSubscribeWnfStateChangeNotification
.CRT$XCA
api-ms-win-core-winrt-string-l1-1-0.dll
ReleaseSemaphore
Unknown
T$PL;
GetWindowTextW
RtlCaptureContext
<$.u#fA
h UAVAWH
RtlRegisterFeatureConfigurationChangeNotification
api-ms-win-core-sysinfo-l1-1-0.dll
</trustInfo>
lfStrikeOut
l$(E3
\$(E3
%hs(%u)\%hs!%p:
Assert
NPCTXT
memset
CreateFontIndirectW
t;E8(t6H
imageName
GetTickCount
@SUVWATAVAWH
k UAVAWH
A_A^A\_^[]
StringFileInfo
PropVariantToStringVectorAlloc
d$PE3
ReplaceTextW
PA_A^A\_^][
A_A^A\
9L$Tu
timestamp
imageSize
.CRT$XCU
wcsnlen
__C_specific_handler
RegisterWindowMessageW
api-ms-win-core-errorhandling-l1-1-0.dll
GetCurrentProcessId
GetForegroundWindow
0Hc|$`3
.?AVexception@std@@
Software\Microsoft\Notepad\DefaultFonts
processorArchitecture="*"
UnhandledExceptionFilter
L$0E3
USVWAVH
F0D8#ubD8c
RtlDllShutdownInProgress
.?AVbad_array_new_length@std@@
FreeLibrary
0A_A^_
T$XE3
T$0E3
https://go.microsoft.com/fwlink/?LinkId=834783
LoadCursorW
bad allocation
UWAVH
gxI3!'
A_A^A\_^
DefWindowProcW
lfFaceName
AbortDoc
lfWeight
COMCTL32.dll
HeapAlloc
Microsoft Corporation. All rights reserved.
@A_A^A]A\_^]
_o_free
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
RtlQueryFeatureConfiguration
ew0hp
@SVWH
version="6.0.0.0"
l$0E3
RoGetActivationFactory
commdlg_FindReplace
LoadIconW
fD95dJ
|$pD3
f4Og|
%hs!%p:
M H1E
D$0E3
FAIL/Error
EDPPERMISSIVEAPPINFOID
iWindowPosY
api-ms-win-core-processthreads-l1-1-1.dll
w9X!P/
_o_terminate
GetProcessMitigationPolicy
memmove
DuplicateEncryptionInfoFile
RoGetMatchingRestrictedErrorInfo
.text$mn
%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X
_CxxThrowException
DragAcceptFiles
VG2/iI
}<HcD$ L
|$01u"
(_^][
RestartByRestartManager:
/.SETUP
FileSaveAsCount
T$@H!t$@H
__CxxFrameHandler3
$>b~t
VarFileInfo
pA_A^A\_^[]
Security-SPP-GenuineLocalStatus
LegalCopyright
t"fA;@
FileOpenComplete
_c_exit
<ws2:dpiAwareness>PerMonitorV2</ws2:dpiAwareness>
D+D$xH
api-ms-win-core-string-l1-1-0.dll
D$ L;
T$(A+
_o__exit
SelectObject
A_A^A]_]
t$ WH
L$ H;
uq@85
MapViewOfFile
SetWindowPos
GetKeyboardLayout
D$hI;
api-ms-win-core-libraryloader-l1-2-0.dll
<application xmlns="urn:schemas-microsoft-com:asm.v3">
Msg:[%ws]
MessageBoxW
`A_A^A]A\_^]
<unknown>
.rsrc
RoInitialize
SetThreadDpiAwarenessContext
SetEndOfFile
ModuleCollection
_o__set_new_mode
Malgun Gothic Semilight
L$ SUVWH
probe.autosave
UVWAVAWH
L$ SVWH
l6s+o
PeekMessageW
\$ WH
.rdata$zETW1
type="win32"
DD$h3
GetLocalTime
D$`D#
iWindowPosDX
TimeDateInvoked
Yu Gothic UI Semibold
uzH9A
RegCreateKeyW
byjA`
GetSubMenu
ntdll.dll
urlmon.dll
StartDocW
lfCharSet
T$8H!\$8
PropVariantClear
T$@E3
\$(uMH
api-ms-win-core-processthreads-l1-1-0.dll
UVWATAUAVAWH
COMDLG32.dll
USVWATAVAWH
CallContext:[%hs]
Lc\$xE
CoCreateGuid
3D$8%x
shell\osshell\accesory\notepad\filesystemhelpers.h
fD9%%
Files/Resources/notepad.exe.mui
SendDlgItemMessageW
CoInitializeEx
.didat$6
fMLE_is_broken
GenuD
Microsoft JhengHei UI Light
RegisterApplicationRestart
.idata$5
.CRT$XIAA
LoadImageW
<dependentAssembly>
RtlUnregisterFeatureConfigurationChangeNotification
_o_iswdigit
RaiseException
t*JcT
l$xE3
hasQueryText
.CRT$XIC
D$ E3
SHAddToRecentDocs
lfUnderline
lfClipPrecision
fMatchCase
fD9$Hu
JHcH<
D$PL;
assertVersion
fReverse
d$@E3
EventUnregister
LHcH<
d$XE3
SetRestrictedErrorInfo
t!fD9't
DeleteFileW
f9tC0u
SetLastError
OpenClipboard
z?801i:It6
DragQueryFileW
FileVersion
D$hE3
%i,%s
l$ VWATAVAWH
InitializeSListHead
D$x9t$8
LeaveCriticalSection
VWATAVAWH
MultiByteToWideChar
MessageBeep
_o__get_wide_winmain_command_line
L$@E3
.rtc$TZZ
.data$r$brc
H_^[]
Microsoft
L$ UVWATAUAVAWH
A_A^A]A\_^]
WindowsCreateStringReference
Windows.Storage.StorageFile
L$XE3
t"D8=
.CRT$XTA
NtUpdateWnfStateData
CreateMutexExW
A8_8t
L$`H3
.rtc$IAA
UATAUAVAWH
EventWriteTransfer
bad array new length
D$ fD
</requestedPrivileges>
WaitForSingleObjectEx
10.0.19041.3996
EditFindCount
_o___std_exception_copy
DecryptFileW
EnableWindow
Encoding
prop:System.Security.EncryptionOwners
t$XfD9n
GetProcAddress
DeleteObject
MoveWindow
api-ms-win-core-rtlsupport-l1-1-0.dll
\$pA3
totalHits
SetScrollPos
StatusBar
feedback-hub://?tabid=2&contextid=1010
shell\osshell\accesory\notepad\nprestart.cpp
H!\$0H!\$8D
IsWordWrap
api-ms-win-crt-private-l1-1-0.dll
szHeader
A^_^[]
IsClipboardFormatAvailable
Microsoft YaHei UI Light
CoTaskMemFree
EditPasteCount
.didat$3
GetUserDefaultUILanguage
KERNEL32.dll
.rsrc$01
t$ UWAUAVAWH
SessionId
GetModuleHandleW
WaitForSingleObject
_o__purecall
api-ms-win-core-profile-l1-1-0.dll
ew|>&=4_
Windows.Security.EnterpriseData.ProtectionPolicyManager
RtlNtStatusToDosErrorNoTeb
7T})gW
GetWindowTextLengthW
GetLastError
.?AVbad_alloc@std@@
+\$`H
.CRT$XPZ
TranslateAcceleratorW
_o_exit
count
HasHeaderOrFooter
api-ms-win-shcore-obsolete-l1-1-0.dll
CreateWindowExW
language="*"
.CRT$XIA
MH+UD+M@
RtlDisownModuleHeapAllocation
EndPage
api-ms-win-core-synch-l1-1-0.dll
Windows.ApplicationModel.DataTransfer.Clipboard
EditUndoCount
u(D9M
CommDlgExtendedError
HA_A^A]A\_^[]
FindMimeFromData
IsLogEntry
GetTokenInformation
api-ms-win-core-winrt-error-l1-1-1.dll
GetTimeFormatW
D9-0,
WAxK0i
1o?-XfF
ProductVersion
D$4E3
D$p9D$t
u$D9M
EventSetInformation
GetClientRect
.rdata$brc
t$ WAVAWH
FindNLSString
CompareStringOrdinal
_initterm
.didat$4
0A_A^_^]
A_A^A\_^
SequenceNumber
EditCutCount
td@8=
GetTextMetricsW
L9o@t
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
notepad.pdb
RegOpenKeyExW
api-ms-win-crt-runtime-l1-1-0.dll
</dependency>
AcquireSRWLockShared
_o__wcsicmp
A_A^A]A\_
D$PE3
https://go.microsoft.com/fwlink/p/?linkid=838060
#D$@H
L$0H3
L$`H;
Microsoft.Notepad
OpenPrinterW
LoadLibraryExW
l$(E#
CoUninitialize
VS_VERSION_INFO
|$(E#
test/log
FileNewCount
.idata$3
?L!|$ L
FileSize
InitializeCriticalSectionEx
GetTextExtentPoint32W
InvalidateRect
SetWindowTextW
oLW\f
l$ E3
d|BNeU
T$0H!t$0H
Local\SM0:%d:%d:%hs
</application>
OpenProcessToken
d$XD9d$Hu
T$$D!t$ H
$(SQO
PrintDlgExW
Sleep
<description>Windows Shell</description>
D$T9p
FormatMessageW
t#E9V0t
iWindowPosDY
.gfids
LocalReAlloc
\$XE3
UAVAWH
A_A^A]A\_
PathFindExtensionW
</windowsSettings>
GB18030
SetWindowExtEx
QueryPerformanceCounter
B8<)u
!\$`3
ViewHelp
.CRT$XCAA
EnumFontsW
MonitorFromWindow
iMarginBottom
WinSta0
tYD9%
VY$[X
x ATAVAWH
UWAUAVAWH
api-ms-win-core-interlocked-l1-1-0.dll
replaceString
HeapSetInformation
A_A^A]A\_^[]
D9%,E
@USWH
.rdata$zETW9
RtlVirtualUnwind
t@fE9(t:H
LaunchNotepadStart
PROPSYS.dll
_o___p__commode
wcscmp
_o__set_fmode
GetWindowLongW
szTrailer
CharUpperW
ReleaseDC
A_A^_^]
api-ms-win-core-com-l1-1-0.dll
A_A^]
<WD9%
`A_A^A\_^[]
bgOne
.?AVtype_info@@
EnterCriticalSection
GetTextFaceW
,B>DY
.didat$5
api-ms-win-eventing-provider-l1-1-0.dll
\$ UVWH
OpenSemaphoreW
PathIsFileSpecW
T$HE3
publicKeyToken="6595b64144ccf1df"
Microsoft Corporation
.rdata
.rdata$zzzdbg
<dependency>
!L$8H
SetDlgItemTextW
T$hE3
PostQuitMessage
ContextMenu
GlobalAlloc
UnmapViewOfFile
[%hs]
L$pH3
X\?E/5
EditDeleteCount
type="win32"/>
.CRT$XTZ
UnhookWinEvent
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
Microsoft YaHei UI
SaveStart
AcquireSRWLockExclusive
ED$`H
FileOpenStart
GetCurrentProcess
CheckMenuItem
%UM;%
f94Gu
_o__initialize_wide_environment
WATAUAVAWH
SetWindowLongW
%s%c*.txt%c%s%c*.*%c
onecore\internal\sdk\inc\wil\opensource/wil/filesystem.h
_o_toupper
LocalLock
ResolveDelayLoadedAPI
RegQueryValueExW
PageSetupUpdated
Software\Microsoft\Notepad
0A^_^][
H;L$hv
Segoe Pseudo
Yu Gothic UI
Microsoft JhengHei UI Bold
SHGetKnownFolderPath
PathFileExistsW
@W=7A=
</security>
iWindowPosX
SendMessageW
0A_A^A\_^
MainAcc
040904B0
.idata$6
.rdata$zETW0
|$T!L$0
RtlUnsubscribeWnfNotificationWaitForCompletion
CharNextW
Windows.ApplicationModel.Resources.Core.ResourceManager
_o___stdio_common_vswprintf
ShellAboutW
</assembly>
797t3A
</dependentAssembly>
$Rich
GetModuleFileNameW
|$4fA9
Segoe UI Light
L$ E3
fD9&u#L
GetCommandLineW
fD9$Au
CreateDialogParamW
.rtc$TAA
u0HcH<H
MICROSOFTEDPPERMISSIVEAPPINFO
CloseHandle
FormatFontCount
}0H+}(H
IsAdminMode
GetMenu
D$HD+D$xH
EditReplaceCount
StartPage
L$pE3
.text$yd
tBE8(t=H
LoadStringW
api-ms-win-shcore-scaling-l1-1-1.dll
fWindowsOnlyEOL
GlobalFree
AppExit
A_A^A\_]
.CRT$XPA
0A^_^
D$@E3
D$@fD
A_A^A]A\]
SetWindowPlacement
Lucida Console
d$pD9e
A_A]A\_^
fD9,Cu
.rsrc$02
GetModuleHandleExW
WriteFile
GlobalUnlock
EventRegister
GetFileTitleW
u$9T$ht
USER32.dll
rY&'K
ul%G1
tJfA;@
StatusBarVisibility
L$(H;
RegQueryInfoKeyW
E\$HH
LaunchNotepadComplete
_o__register_onexit_function
D$(E3
C D8U@u
FindTextW
EditGotoCount
fE9,hu
Notepad
RtlLookupFunctionEntry
api-ms-win-core-winrt-error-l1-1-0.dll
_o___std_exception_destroy
TextOutW
[%hs(%hs)]
searchString
ShowWindow
TerminateProcess
[ UVWAVAWH
f94Yu
(caller: %p)
memcmp
D8%\\
T$`E3
WindowsCreateString
.idata$2
LoadAcceleratorsW
@.didat
_o__errno
\$(D#
DelayLoadFailureHook
Microsoft YaHei UI Bold
D9l$0u
LocalFree
USVWH
GetDC
onecore\internal\sdk\inc\wil\opensource\wil\resource.h
GetOpenFileNameW
LocalSize
name="Microsoft.Windows.Common-Controls"
onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
memcpy
TelemetryAssertDiagTrack
IsDebuggerPresent
fD9#t
SearchBingInvoked
t$0E3
FreshWindow
%s\%s
+T$HH
D$p+D$h9D$xuoL
\$ L;
WilError_03
@.data
onecore\internal\sdk\inc\wil/Staging.h
L$PD9
.text$mn$00
GetDiskFreeSpaceExW
_o__initialize_onexit_table
_o__callnewh
|$(D#
Segoe UI SemiBold
GetLocaleInfoW
D$DL;
.00cfg
<requestedPrivileges>
Software\Microsoft\Notepad\Autosave
Default
*.txt
D9d$h
_o__configure_wide_argv
hwp1p0
bWti^
.xdata
GetPrinterDriverW
CreateDirectoryW
Unknown exception
Malgun Gothic
'R{=f
GetSaveFileNameW
NHcH<
SetViewportExtEx
.rdata$r
p WAVAWH
SlipUpAcc
m]#0D
DialogBoxParamW
EditCopyCount
UWATAVAWH
L$PH3
ReleaseSRWLockExclusive
A_A^_
api-ms-win-core-winrt-l1-1-0.dll
EventProviderEnabled
GetDlgCtrlID
HcD$`A
DeleteCriticalSection
<!-- Copyright (c) Microsoft Corporation -->
FilePrintCount
.data$brc
L$HH3
RegisterClassExW
t)fA;@
RegCreateKeyExW
ClosePrinter
MulDiv
L$ USVWATAUAVAWH
.data
_o_malloc
_o__crt_atexit
Exception
RoUninitialize
LogHr
lfOrientation
HcD$ H
PSGetPropertyDescriptionListFromString
u@;}8
+dBVY
SetCursor
CompanyName
fD90t,
f9<Au
GetProcessHeap
_initterm_e
L$@H3
@A^_^
NOTEPAD.EXE
CreateFileW
TranslateMessage
zudL9
PageSetupDlgW
FileSaveCount
EDPENLIGHTENEDAPPINFOID
/>
IsDialogMessageW
GetFileAttributesW
GetDlgItemTextW
.pdata
name="Microsoft.Windows.Shell.notepad"
@.reloc
oL$0f
LocalAlloc
GetFileAttributesExW
SetUnhandledExceptionFilter
0A^_^[]
oT$@f
f9,^u
L$XL+
.didat$2
CreateThreadpoolTimer
t$hD#
SetFocus
H!_(H!_0H!_8H!_@3
x AVH
{ ATAVAWH
iPointSize
tOfD9
SetActiveWindow
UpdateWindow
Leelawadee UI
FWph?r
lfQuality
fWrap
ReturnHr
GetFileInformationByHandle
CoCreateInstance
10.0.19041.3996 (WinBuild.160101.0800)
D;l$xr
_o__wtol
.text
CreateSemaphoreExW
WindowsDeleteString
oD$ f
Lct$$H
GDI32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
RedrawWindow
DrawTextExW
WilStaging_02
CreateEventExW
GetStartupInfoW
.CRT$XCZ
MH+UD+M@D
L$H9L$@v\H
Da6N^
SHStrDupW
iMarginLeft
<security>
.xdata$x
FileExtension
WideCharToMultiByte
PostMessageW
.text$di
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
iMarginRight
E8,8u
GetSystemMenu
ReleaseMutex
@USVWATAVAWH
H)t$xH
EdpPasteToNoContextCount
RegCloseKey
Operating System
_o__configthreadlocale
GetDeviceCaps
_o__seh_filter_exe
NtQueryWnfStateData
CoTaskMemAlloc
lfPitchAndFamily
GetSystemTimeAsFileTime
kernelbase.dll
PA_A^A\_^[]
GetFocus
Vving1
.idata$4
zufL9
GetWindowPlacement
.CRT$XIAC
Translation
rMfD9?w
` UAVAWH
.giats
SetEvent
.text$x
t$4E3
hgtlCm
FindClose
CreateFileMappingW
WindowsGetStringRawBuffer
x UAVAWH
.didat$7
D9t$8
IsProcessorFeaturePresent
<windowsSettings xmlns:ws2="http://schemas.microsoft.com/SMI/2016/WindowsSettings">
D$0H;
pA_A^_^]
lfItalic
api-ms-win-core-shlwapi-legacy-l1-1-0.dll
x UATAUAVAWH
E9V0u
fD9$Ou
lfEscapement
ProductName
GetFullPathNameW
A_A^_
ContentType
D$HD#
CoCreateFreeThreadedMarshaler
SetWinEventHook
fE9,Fu
L$@I+
WaitForThreadpoolTimerCallbacks
305.1i
DestroyWindow
DragFinish
InternalName
.rtc$IZZ
DeleteDC
Windows.Security.EnterpriseData.FileProtectionManager
SetMapMode
RtlNotifyFeatureUsage
en-US
EditMenu
_o__invalid_parameter_noinfo
fD9$su
D$HE3
GetDateFormatW
C9fD9?u-
lfOutPrecision
iDefaultEncoding
@SUVWAVH
EdpFileOpenCount
Windows
T$ f9
\$8L;
LPtoDP
%hs(%d) tid(%x) %08X %ws
|$ UATAUAVAWH
D$0H9D$(utH
entrypoint
CreateStatusWindowW
EdpFileOpenAttemptFailCount
D9%Iw
|$0E3
processorArchitecture="amd64"
EdpFileSaveCount
shell\osshell\accesory\notepad\notepad.cpp
CreateDCW
lstrcmpiW
!This program cannot be run in DOS mode.
IsIconic
fWrapAround
ReleaseSRWLockShared
iMarginTop
^BNQ,^
TelemetryAssert
ChooseFontW
<assemblyIdentity
fPasteOriginalEOL
RegEnumValueW
IsNetworkPath
GlobalLock
SetBkMode
|$ UH
x AW3
f9|$@u
commdlg_help
_o__set_app_type
GetDpiForMonitor
L$`E3
`.rdata
FileDescription
H3E H3E
Yu Gothic UI Light
Malgun Gothic Bold
GetDpiForWindow
fD91u
T$p+T$hL
%s\%s.autosave
OutputDebugStringW
api-ms-win-shcore-path-l1-1-0.dll

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version PDB Path Compile Time Import Hash
0x140000000 0x00023b60 0x0003f436 0x0003f436 10.0 notepad.pdb 2000-11-09 23:45:06 09ed737a03db7295bf734a9953f6eb5e

Version Infos

CompanyName Microsoft Corporation
FileDescription Notepad
FileVersion 10.0.19041.3996 (WinBuild.160101.0800)
InternalName Notepad
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.19041.3996
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0002441f 0x00024600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.27
.rdata 0x00024a00 0x00026000 0x000092a8 0x00009400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.94
.data 0x0002de00 0x00030000 0x00002718 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.80
.pdata 0x0002ec00 0x00033000 0x000010e0 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.94
.didat 0x0002fe00 0x00035000 0x00000178 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.52
.rsrc 0x00030000 0x00036000 0x00000bd8 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.61
.reloc 0x00030c00 0x00037000 0x000002d8 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.13

Name Offset Size Language Sub-language Entropy File type
EDPENLIGHTENEDAPPINFOID 0x00036710 0x00000002 LANG_ENGLISH SUBLANG_ENGLISH_US 1.00 None
EDPPERMISSIVEAPPINFOID 0x00036718 0x00000002 LANG_ENGLISH SUBLANG_ENGLISH_US 1.00 None
MUI 0x00036a98 0x00000140 LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_VERSION 0x00036720 0x00000374 LANG_ENGLISH SUBLANG_ENGLISH_US 3.52 None
RT_MANIFEST 0x00036260 0x000004af LANG_ENGLISH SUBLANG_ENGLISH_US 4.99 None

Imports

Name Address
GetProcAddress 0x1400268b8
CreateMutexExW 0x1400268c0
AcquireSRWLockShared 0x1400268c8
DeleteCriticalSection 0x1400268d0
GetCurrentProcessId 0x1400268d8
GetProcessHeap 0x1400268e0
GetModuleHandleW 0x1400268e8
DebugBreak 0x1400268f0
IsDebuggerPresent 0x1400268f8
GlobalFree 0x140026900
GetLocaleInfoW 0x140026908
CreateFileW 0x140026910
ReadFile 0x140026918
GetACP 0x140026920
MulDiv 0x140026928
GetCurrentProcess 0x140026930
GetCommandLineW 0x140026938
HeapSetInformation 0x140026940
FreeLibrary 0x140026948
LocalFree 0x140026950
LocalAlloc 0x140026958
FindFirstFileW 0x140026960
FindClose 0x140026968
FoldStringW 0x140026970
GetModuleFileNameW 0x140026978
GetUserDefaultUILanguage 0x140026980
HeapFree 0x140026988
HeapAlloc 0x140026990
GetTimeFormatW 0x140026998
WideCharToMultiByte 0x1400269a0
WriteFile 0x1400269a8
GetFileAttributesW 0x1400269b0
LocalLock 0x1400269b8
LocalUnlock 0x1400269c0
DeleteFileW 0x1400269c8
SetEndOfFile 0x1400269d0
GetFileAttributesExW 0x1400269d8
GetFileInformationByHandle 0x1400269e0
CreateFileMappingW 0x1400269e8
MapViewOfFile 0x1400269f0
MultiByteToWideChar 0x1400269f8
LocalReAlloc 0x140026a00
UnmapViewOfFile 0x140026a08
GetFullPathNameW 0x140026a10
LocalSize 0x140026a18
GetStartupInfoW 0x140026a20
lstrcmpiW 0x140026a28
FindNLSString 0x140026a30
GlobalLock 0x140026a38
GlobalUnlock 0x140026a40
GlobalAlloc 0x140026a48
GetDiskFreeSpaceExW 0x140026a50
CreateDirectoryW 0x140026a58
RegisterApplicationRestart 0x140026a60
CreateSemaphoreExW 0x140026a68
CreateThreadpoolTimer 0x140026a70
ReleaseSRWLockShared 0x140026a78
SetThreadpoolTimer 0x140026a80
CloseHandle 0x140026a88
OpenSemaphoreW 0x140026a90
WaitForSingleObjectEx 0x140026a98
AcquireSRWLockExclusive 0x140026aa0
CloseThreadpoolTimer 0x140026aa8
OutputDebugStringW 0x140026ab0
ReleaseSRWLockExclusive 0x140026ab8
GetLastError 0x140026ac0
FormatMessageW 0x140026ac8
ReleaseMutex 0x140026ad0
GetCurrentThreadId 0x140026ad8
WaitForSingleObject 0x140026ae0
WaitForThreadpoolTimerCallbacks 0x140026ae8
InitializeCriticalSectionEx 0x140026af0
LeaveCriticalSection 0x140026af8
GetModuleHandleExW 0x140026b00
ReleaseSemaphore 0x140026b08
EnterCriticalSection 0x140026b10
GetDateFormatW 0x140026b18
SetLastError 0x140026b20
GetLocalTime 0x140026b28
ResolveDelayLoadedAPI 0x140026b30
DelayLoadFailureHook 0x140026b38
GetModuleFileNameA 0x140026b40
Name Address
CreateDCW 0x140026800
StartPage 0x140026808
StartDocW 0x140026810
SetAbortProc 0x140026818
DeleteDC 0x140026820
EndDoc 0x140026828
AbortDoc 0x140026830
EndPage 0x140026838
GetTextMetricsW 0x140026840
SetBkMode 0x140026848
LPtoDP 0x140026850
SetWindowExtEx 0x140026858
SetViewportExtEx 0x140026860
SetMapMode 0x140026868
GetTextExtentPoint32W 0x140026870
TextOutW 0x140026878
EnumFontsW 0x140026880
GetTextFaceW 0x140026888
SelectObject 0x140026890
DeleteObject 0x140026898
CreateFontIndirectW 0x1400268a0
GetDeviceCaps 0x1400268a8
Name Address
PostMessageW 0x140026b50
MessageBoxW 0x140026b58
GetMenu 0x140026b60
CheckMenuItem 0x140026b68
GetSubMenu 0x140026b70
EnableMenuItem 0x140026b78
ShowWindow 0x140026b80
GetDC 0x140026b88
ReleaseDC 0x140026b90
SetCursor 0x140026b98
GetDpiForWindow 0x140026ba0
SetActiveWindow 0x140026ba8
LoadStringW 0x140026bb0
DefWindowProcW 0x140026bb8
IsIconic 0x140026bc0
SetFocus 0x140026bc8
PostQuitMessage 0x140026bd0
DestroyWindow 0x140026bd8
MessageBeep 0x140026be0
GetForegroundWindow 0x140026be8
GetDlgCtrlID 0x140026bf0
SetWindowPos 0x140026bf8
RedrawWindow 0x140026c00
GetKeyboardLayout 0x140026c08
CharNextW 0x140026c10
SetWinEventHook 0x140026c18
GetMessageW 0x140026c20
TranslateAcceleratorW 0x140026c28
IsDialogMessageW 0x140026c30
TranslateMessage 0x140026c38
DispatchMessageW 0x140026c40
UnhookWinEvent 0x140026c48
SetWindowTextW 0x140026c50
OpenClipboard 0x140026c58
IsClipboardFormatAvailable 0x140026c60
CloseClipboard 0x140026c68
SetDlgItemTextW 0x140026c70
GetDlgItemTextW 0x140026c78
EndDialog 0x140026c80
SendDlgItemMessageW 0x140026c88
SetScrollPos 0x140026c90
InvalidateRect 0x140026c98
UpdateWindow 0x140026ca0
GetWindowPlacement 0x140026ca8
SetWindowPlacement 0x140026cb0
CharUpperW 0x140026cb8
GetSystemMenu 0x140026cc0
LoadAcceleratorsW 0x140026cc8
SetWindowLongW 0x140026cd0
CreateWindowExW 0x140026cd8
MonitorFromWindow 0x140026ce0
RegisterWindowMessageW 0x140026ce8
LoadCursorW 0x140026cf0
RegisterClassExW 0x140026cf8
GetWindowTextLengthW 0x140026d00
GetWindowLongW 0x140026d08
PeekMessageW 0x140026d10
GetWindowTextW 0x140026d18
EnableWindow 0x140026d20
CreateDialogParamW 0x140026d28
DrawTextExW 0x140026d30
LoadIconW 0x140026d38
LoadImageW 0x140026d40
DialogBoxParamW 0x140026d48
SetThreadDpiAwarenessContext 0x140026d50
SendMessageW 0x140026d58
MoveWindow 0x140026d60
GetClientRect 0x140026d68
GetFocus 0x140026d70
Name Address
memset 0x140027088
wcsnlen 0x140027090
wcscmp 0x140027098
Name Address
_c_exit 0x140027060
_register_thread_local_exe_atexit_callback 0x140027068
_initterm_e 0x140027070
_initterm 0x140027078
Name Address
_o__callnewh 0x140026f40
_o__cexit 0x140026f48
_o__configthreadlocale 0x140026f50
_o__configure_wide_argv 0x140026f58
_o__crt_atexit 0x140026f60
_o__errno 0x140026f68
_o__exit 0x140026f70
_o__get_wide_winmain_command_line 0x140026f78
_o__initialize_onexit_table 0x140026f80
_o__initialize_wide_environment 0x140026f88
_o__invalid_parameter_noinfo 0x140026f90
_o__purecall 0x140026f98
_o__register_onexit_function 0x140026fa0
_o__seh_filter_exe 0x140026fa8
_o__set_app_type 0x140026fb0
_o__set_fmode 0x140026fb8
_o__set_new_mode 0x140026fc0
_o__wcsicmp 0x140026fc8
_o__wtol 0x140026fd0
_o_exit 0x140026fd8
_o_free 0x140026fe0
_o_iswdigit 0x140026fe8
_o_malloc 0x140026ff0
_o_terminate 0x140026ff8
_o_toupper 0x140027000
__CxxFrameHandler3 0x140027008
_CxxThrowException 0x140027010
_o___std_exception_destroy 0x140027018
_o___std_exception_copy 0x140027020
_o___p__commode 0x140027028
_o___stdio_common_vswprintf 0x140027030
__C_specific_handler 0x140027038
memcmp 0x140027040
memcpy 0x140027048
memmove 0x140027050
Name Address
CoWaitForMultipleHandles 0x140026d80
CoUninitialize 0x140026d88
PropVariantClear 0x140026d90
CoTaskMemFree 0x140026d98
CoTaskMemAlloc 0x140026da0
CoCreateFreeThreadedMarshaler 0x140026da8
CoCreateInstance 0x140026db0
CoInitializeEx 0x140026db8
CoCreateGuid 0x140026dc0
Name Address
PathIsFileSpecW 0x140026e68
PathFindExtensionW 0x140026e70
PathFileExistsW 0x140026e78
Name Address
SHStrDupW 0x1400270b8
Name Address
Name Address
GetDpiForMonitor 0x1400270d8
Name Address
RtlLookupFunctionEntry 0x140026e48
RtlCaptureContext 0x140026e50
RtlVirtualUnwind 0x140026e58
Name Address
SetUnhandledExceptionFilter 0x140026dd0
UnhandledExceptionFilter 0x140026dd8
RaiseException 0x140026de0
Name Address
TerminateProcess 0x140026e10
Name Address
GetProcessMitigationPolicy 0x140026e20
IsProcessorFeaturePresent 0x140026e28
Name Address
QueryPerformanceCounter 0x140026e38
Name Address
GetTickCount 0x140026ec0
GetSystemTimeAsFileTime 0x140026ec8
Name Address
InitializeSListHead 0x140026df0
Name Address
LoadLibraryExW 0x140026e00
Name Address
WindowsCreateString 0x140026f18
WindowsDeleteString 0x140026f20
WindowsGetStringRawBuffer 0x140026f28
WindowsCreateStringReference 0x140026f30
Name Address
SetEvent 0x140026e98
CreateEventExW 0x140026ea0
Name Address
SetRestrictedErrorInfo 0x140026ed8
Name Address
CompareStringOrdinal 0x140026e88
Name Address
RoInitialize 0x140026ef8
RoUninitialize 0x140026f00
RoGetActivationFactory 0x140026f08
Name Address
RoGetMatchingRestrictedErrorInfo 0x140026ee8
Name Address
EventProviderEnabled 0x1400270a8
Name Address
Sleep 0x140026eb0
Name Address
CreateStatusWindowW 0x1400267e8


Command and Control Defense Evasion
  • T1071 - Application Layer Protocol
    • static_pe_pdbpath
    • static_pe_anomaly
  • T1027 - Obfuscated Files or Information
    • packer_unknown_pe_section_name
  • T1027.002 - Software Packing
    • packer_unknown_pe_section_name

Usage


Processing ( 1.15 seconds )

  • 0.706 Heatmap
  • 0.437 CAPE
  • 0.005 BehaviorAnalysis
  • 0.003 AnalysisInfo

Signatures ( 0.02 seconds )

  • 0.003 ransomware_files
  • 0.002 antianalysis_detectfile
  • 0.002 antiav_detectreg
  • 0.002 ransomware_extensions
  • 0.001 antianalysis_detectreg
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 browser_security
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 poullight_files
  • 0.001 territorial_disputes_sigs
  • 0.001 ursnif_behavior

Reporting ( 0.04 seconds )

  • 0.041 ReportHTML
  • 0.002 MITRE_TTPS
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: notepad.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x0002fe00', 'virtual_address': '0x00035000', 'virtual_size': '0x00000178', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '2.52'}
Checks for presence of debugger via IsDebuggerPresent
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.
No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\SrpDevice
C:\Users\user\AppData\Local\Temp\resources.pri
C:\Users\user\AppData\Local\Temp\notepad.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySleepLoopWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySpinCountThreshold
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayBaseYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtFactorYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayMaxYield
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\Gp\RuleCount
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Mrt\_Merged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2527171340-3306644326-1278290521-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2527171340-3306644326-1278290521-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DataDrive
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\OSDataDrive
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySleepLoopWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelaySpinCountThreshold
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayBaseYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtFactorYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SmtDelayMaxYield
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\Gp\RuleCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2527171340-3306644326-1278290521-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DataDrive
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\OSDataDrive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
Local\SM0:7020:304:WilStaging_02
No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.