Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-13 18:03:50 | 2025-06-13 18:34:36 | 1846 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,163 [root] INFO: Date set to: 20250613T10:36:48, timeout set to: 1800 2025-06-13 11:36:49,131 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-13 11:36:49,131 [root] DEBUG: Storing results at: C:\SQcwbVxajY 2025-06-13 11:36:49,131 [root] DEBUG: Pipe server name: \\.\PIPE\NetpWnMlHU 2025-06-13 11:36:49,131 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-13 11:36:49,131 [root] INFO: analysis running as an admin 2025-06-13 11:36:49,131 [root] INFO: analysis package specified: "exe" 2025-06-13 11:36:49,131 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-13 11:36:49,365 [root] DEBUG: imported analysis package "exe" 2025-06-13 11:36:49,365 [root] DEBUG: initializing analysis package "exe"... 2025-06-13 11:36:49,365 [lib.common.common] INFO: wrapping 2025-06-13 11:36:49,365 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-13 11:36:49,365 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\notepad.exe 2025-06-13 11:36:49,365 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-13 11:36:49,381 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-13 11:36:49,381 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-13 11:36:49,381 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-13 11:36:49,709 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-13 11:36:49,741 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-13 11:36:49,772 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-13 11:36:49,772 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-13 11:36:49,787 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-13 11:36:49,787 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-13 11:36:49,787 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-13 11:36:49,803 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-13 11:36:49,803 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-13 11:36:49,803 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-13 11:36:49,803 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-13 11:36:49,803 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-13 11:36:49,803 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-13 11:36:49,803 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-13 11:36:49,803 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-13 11:36:49,803 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-13 11:36:49,803 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-13 11:36:49,803 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-13 11:36:49,944 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-13 11:36:49,944 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-13 11:36:49,944 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-13 11:36:49,944 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-13 11:36:49,944 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-13 11:36:49,944 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-13 11:36:49,944 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-13 11:36:49,944 [modules.auxiliary.disguise] INFO: Disguising GUID to fe9dc86e-e550-46e2-9a20-11fd7e56e883 2025-06-13 11:36:49,944 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-13 11:36:49,944 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-13 11:36:49,944 [root] DEBUG: attempting to configure 'Human' from data 2025-06-13 11:36:49,944 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-13 11:36:49,944 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-13 11:36:49,959 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-13 11:36:49,959 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-13 11:36:49,959 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-13 11:36:49,959 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-13 11:36:49,959 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-13 11:36:49,959 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-13 11:36:49,959 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-13 11:36:49,959 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-13 11:36:49,959 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-13 11:36:49,959 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-13 11:36:49,959 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-13 11:36:49,959 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-13 11:36:49,991 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-13 11:36:49,991 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-13 11:36:49,991 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-13 11:36:49,991 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-13 11:36:49,991 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-13 11:36:49,991 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-13 11:36:49,991 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-13 11:36:49,991 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\ObHfqd.dll, loader C:\tmp_gell1p8\bin\bcnwRwnA.exe 2025-06-13 11:36:50,068 [root] DEBUG: Loader: IAT patching disabled. 2025-06-13 11:36:50,068 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\ObHfqd.dll. 2025-06-13 11:36:50,084 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-13 11:36:50,084 [root] INFO: Disabling sleep skipping. 2025-06-13 11:36:50,084 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-13 11:36:50,084 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-13 11:36:50,084 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-13 11:36:50,084 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-13 11:36:50,084 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-13 11:36:50,100 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-13 11:36:50,100 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-13 11:36:50,100 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-13 11:36:50,100 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824820000, thread 1060, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-13 11:36:50,100 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-13 11:36:50,115 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-13 11:36:50,115 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-13 11:36:50,115 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\ObHfqd.dll. 2025-06-13 11:36:50,131 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-13 11:36:50,131 [root] <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-13 18:03:50 | 2025-06-13 18:34:17 | none |
File Details
| File Name |
notepad.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 254464 bytes |
| MD5 | 782877b30735abd1eae241f13145f664 |
| SHA1 | 60733de225b5c4bfc42fb79e5d1a4f6683243e4a |
| SHA256 | e46b3ca5a0ebb4a6979f852f50e22bd08c9f2d0206cc04383978be0172ac88ee [VT] [MWDB] [Bazaar] |
| SHA3-384 | 77d036139752f3c3e7ae736f364008f5995d7054d30c8a64184d99e39a62d9f25aefaf09ab952294a1a131d0e149aa49 |
| CRC32 | ED81CAE9 |
| TLSH | T16444BF0173A804E9EA3A9578CD524767EBB3B8212B2157CF1220D17C5F276E6BE3E351 |
| Ssdeep | 3072:9lYcXcm6M8Poo69k7t+eJ3h4x7rDpljMceSJvkwEpNSLyhYsJLgf7nDVF6PUp1YY:9lumDoz7PDO7pljMsfd455gfzDVlVXg |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
lfQuality
2 !h#
:({?<#k
@.data
SequenceNumber
SelectObject
CreateStatusWindowW
`A_A^A\_^[]
LocalAlloc
.idata$6
FileSaveCount
GetTextFaceW
<$.u fA
USVWAVH
.idata$4
WindowsCreateStringReference
#D$@H
w+H`+
Hc^YF3
{`w'-
FileOpenStart
fE9,pu
fA9<Bu
:qFBx
GetACP
<pN=3
GetStartupInfoW
ReleaseMutex
zx50J
9t$Pu
lfPitchAndFamily
SetWinEventHook
GetParent
.rdata$T$brc
GetTokenInformation
fD95d
PropVariantToStringVectorAlloc
L$ SUVWH
(_T-u
rcQfb
QV+ODc
3vmXN
Microsoft YaHei UI Bold
__dllonexit
iPointSize
Default
D$HE3
RegisterClassExW
5`4.J
CreateSemaphoreExW
p5-h-/z1~
FreshWindow
u*9Q<|%
lfStrikeOut
FileSaveAsCount
M'+U#+M
api-ms-win-core-com-l1-1-0.dll
HcD$`A
GetWindowTextLengthW
LocalSize
COMCTL32.dll
T$ Hc
EditGotoCount
Windows.Security.EnterpriseData.FileProtectionManager
CKYOv
FileVersion
L$xE3
t$fA;@
CreateWindowExW
SetThreadDpiAwarenessContext
gQkQml
HcD$ H
https://go.microsoft.com/fwlink/?LinkId=834783
DecryptFileW
EndDialog
|$hA;
$0< u;3
iswctype
SetCursor
RegSetValueExW
__C_specific_handler
PrintDlgExW
V4SYu
fSaveWindowPositions
StatusBar
(PMKH>;8))
T$ f9
by 4U
~nG%@
rY&'K
t|~FX
(caller: %p)
CreateDialogParamW
h;Z|?2
</security>
yz\yWlM~
t)HcT
WinSqmAddToStream
*!lTh
MoveWindow
oLW\f
fWrap
LoadAcceleratorsW
_callnewh
FileSize
Malgun Gothic
szTrailer
@W=7A=
RoInitialize
sI`f4
__set_app_type
GetProcessMitigationPolicy
~nnn^^TdUhUlWVkt
memcpy_s
wBQ{}
GIIEA<;;?332,'
Segoe UI Light
</dependentAssembly>
DeleteObject
USVWATAVAWH
<requestedPrivileges>
.text$mn$00
api-ms-win-core-string-l1-1-0.dll
t$ WH
IsTextUnicode
H>KKH;;8)$
VWAVH
FoldStringW
</windowsSettings>
LoadIconW
e+dh9
SetLastError
.rsrc$01
CallContext:[%hs]
Microsoft JhengHei UI Light
CompareStringOrdinal
DebugBreak
UE&c'O
'NHLF
<+v5*
wb^ee
040904B0
<application xmlns="urn:schemas-microsoft-com:asm.v3">
Microsoft Corporation
DuplicateEncryptionInfoFile
M09t$Lt
L$hf9
CheckMenuItem
A_A^A]A\_^[]
LoadLibraryExW
PathIsNetworkPathW
GLCL2
MML%BBBQ
D!t$$H
.rdata$zETW2
type="win32"
]I#!4!
!\$`3
\tyPF
_XcptFilter
J{L6nD
`lX06,?
CreateFileMappingW
MICROSOFTEDPENLIGHTENEDAPPINFO
X\?E/5
_lock
MessageBeep
T$HE3
name="Microsoft.Windows.Shell.notepad"
/>
Software\Microsoft\Notepad
WindowsCreateString
lstrcmpiW
WindowsDeleteString
ReleaseDC
IK\4b
swprintf_s
?IIIIILILL?GC?CC>GGGG>GCC?C,
m@XFR
EdpFileSaveCount
,w@tA
t^@8=+
HcA<H
CoTaskMemAlloc
A_A^A]A\_^]
CreateDCW
Kq{5>
\$\E3
@SUVWAVH
L9sHs@
u@;}8
ContentType
UnmapViewOfFile
CreateMutexExW
SetActiveWindow
cHRM
EdpFileOpenAttemptFailCount
mem2KJ
L$XL+
HTIO&
!d&)B
PeekMessageW
EventRegister
TextOutW
RedrawWindow
Microsoft.Notepad
DDEA<::?6
JHcH<
GlobalLock
PropVariantClear
SHLWAPI.dll
(^>7f
TranslateMessage
DeleteFileW
_initterm
CoInitializeEx
*<#O%
GDI32.dll
WINSPOOL.DRV
szHeader
.idata$5
@DIIIICCGIC3>3>2?2??2?C3G63G
$(SQO
SetAbortProc
GetClientRect
K*E{1
GXXXXXXXXXX
IsDialogMessageW
R;>if
InvalidateRect
sCN $A
GetDpiForWindow
Cucvp
HeapAlloc
su.!
-Wbqx
4vMHV
iWindowPosY
IsAdminMode
PROPSYS.dll
prop:System.Security.EncryptionOwners
ReadFile
|LVz>FE@
S~=5p
{bvOr
l$(fE
B/XoX_
WideCharToMultiByte
L$ SVWH
.pdata
NtQuerySystemInformation
RegQueryValueExW
;LTMMK>;8+$
@SVWH
Microsoft
SetRestrictedErrorInfo
VarFileInfo
iWindowPosX
{kru<
LHcH<
0M@f'
_fmode
Microsoft Corporation. All rights reserved.
5eR@PahB
.data$brc
_acmdln
L$PH3
FileNewCount
EditCutCount
entrypoint
_Wul-
H3E H3E
InternalName
GetDateFormatW
6XQi6O)
^Fbpi
0MQ6I
)#)(B
fD9,Hu
CommDlgExtendedError
X%+?n
.text$yd
~zxjhj
malloc
4543!! B
SetEndOfFile
Microsoft JhengHei UI
Ag<m2
DrawTextExW
1,>IM
DragFinish
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
\[]iq
_vsnwprintf
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
<IDAT
"cwa[
GetMessageW
~gQa8
</application>
.rsrc$02
LcA<E3
B@z<B
CreateFileW
_unlock
L9]0u8
SetWindowExtEx
GlobalAlloc
\CV;'
ew0hp
SetEvent
GetDC
@2`Xa
6d@u`+
lfClipPrecision
v=zK(
,k<.KQ
SleepConditionVariableSRW
_exit
xwxxx
YuU8]&ldx
fD9,Ou
m]#0D
en-US
Local\SM0:%d:%d:%hs
api-ms-win-core-winrt-l1-1-0.dll
@.rsrc
ieKe|A
ContextMenu
t|fA;@
L$PE3
yur:QNO[
AcquireSRWLockExclusive
.text$di
)TE@330."
FindClose
byjA`
api-ms-win-core-winrt-string-l1-1-0.dll
FormatMessageW
version="5.1.0.0"
">%I$
x8K{?3~4
LcD$pH
l$ E3
iMarginTop
fPasteOriginalEOL
%hs!%p:
EDPENLIGHTENEDAPPINFOID
<security>
VWATAVAWH
D$xD3
MulDiv
</requestedPrivileges>
fWrapAround
yT"F]g
LegalCopyright
CoUninitialize
f4Og|
<!-- Copyright (c) Microsoft Corporation -->
0A_A^A\_^
a!p~B
t6fD9
y&3mf
EditReplaceCount
A_A^A]A\_
|$`E3
CoCreateFreeThreadedMarshaler
Windows.ApplicationModel.DataTransfer.Clipboard
10.0.17763.1 (WinBuild.160101.0800)
GetCurrentProcessId
CKGGGGGGDCCCCCGGG
jZZ \ZdZ^nN
SHCreateItemFromParsingName
GetSaveFileNameW
sQPI[5T
84c%ez
[d=s*
Malgun Gothic Semilight
,B>DY
.rdata$zETW0
GetWindowLongW
RaiseException
FindMimeFromData
xxxxx
<description>Windows Shell</description>
BB 9)
2hb6YX
<dependentAssembly>
RtlCaptureContext
P[a(,E
2JdTi
<assemblyIdentity
\bVnU
UmGN@
.tls$ZZZ
LDNa<
zuWL9
CoCreateInstance
d@3Da
lfFaceName
EDPPERMISSIVEAPPINFOID
GetCommandLineW
D$`L9o
;zk3t
VbU8s
V.xOx_T
0A^_^][
Ly^X`
language="*"
gbXOOLOZ[dbp
q8SyF
d|BNeU
WaitForSingleObjectEx
.CRT$XLA
b+--*
@A_A^A]A\_^]
ohhhh
q27:^u
L$0H3
GetFileAttributesW
GetCursorPos
UnhookWinEvent
.P!DB
FAIL/Error
4VD9=
UTCReplace_AppSessionGuid
cnB"L
EditPasteCount
}W:aV
7f^@B
CG1\U
Yu Gothic UI Semibold
61P)8
.rdata$zzzdbg
GsS!t"
CharUpperW
GetDeviceCaps
RegCreateKeyW
LoadStringW
LLLLLILKK
WAxK0i
WAVAWH
PSGetPropertyDescriptionListFromString
D$@9D$L
.CRT$XIA
.rdata
L$H9L$@vQH
EndDoc
/d )8
api-ms-win-core-errorhandling-l1-1-0.dll
zB5LG
CoTaskMemFree
FilePrintCount
CloseClipboard
SlipUpAcc
processorArchitecture="amd64"
FZdQ&r
mOon{
DispatchMessageW
api-ms-win-core-rtlsupport-l1-1-0.dll
publicKeyToken="6595b64144ccf1df"
SaveStart
Da6N^
A_A^_
PathFindExtensionW
%UM;%
Microsoft JhengHei UI Bold
.CRT$XIZ
notepad.pdb
%.!$-T
L@|Ky
ShellAboutW
D$$I;
DragQueryFileW
?#Q@i(2YD
<p:H"
HELP_ENTRY_ID_NOTEPAD_HELP
<assemblyIdentity
apta&
WriteFile
fD9,Au
J} ^t
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
8VTMLH>;.(
FileDescription
!This program cannot be run in DOS mode.
9D$huGH
Msg:[%ws]
urlmon.dll
WaitForSingleObject
+EpD3
DestroyWindow
f9=B!
EditMenu
y~qpz:
|$`I;
D$0H;
ul%G1
@%H|V
Lct$$H
CecFx
}&i'k
D$LH;
4++'&
\$ VWAVH
OpenProcessToken
api-ms-win-core-processthreads-l1-1-0.dll
UWATAVAWH
;;;;4;3423332
oW!D[
GetLocaleInfoW
.WF"hB
)#?;t
commdlg_help
NOTEPAD.EXE
(@!h(d
replaceString
hasQueryText
GetModuleFileNameA
AppExit
bgOne
L9]0u\
L9K@t
DIILOOO
?80s~
|JsT@
6A%4O
[vn+=
Windows.Security.EnterpriseData.ProtectionPolicyManager
OpenPrinterW
ntdll.dll
MessageBoxW
4+++*(
ChildWindowFromPoint
commdlg_FindReplace
QHcP<
SetWindowTextW
USER32.dll
#zfU%
MICROSOFTEDPPERMISSIVEAPPINFO
/.SETUP
LocalLock
api-ms-win-core-sysinfo-l1-1-0.dll
^BNQ,^
10.0.17763.1
|$`A;
SetWindowPlacement
h~~~x
WakeAllConditionVariable
t"D8=
IDATx^
@"`?@
|$`H;
LPtoDP
DeleteDC
Yu Gothic UI Light
api-ms-win-core-synch-l1-1-0.dll
memcpy
.idata$3
D$ fD
GetForegroundWindow
GlobalAcc
SetWindowLongW
L9{@u
OpenSemaphoreW
EditUndoCount
M6W}6kY
ReleaseSRWLockExclusive
LaunchNotepadComplete
EnableMenuItem
LoadCursorW
EnumFontsW
tJ95X
CoWaitForMultipleHandles
NPCTXT
CreateFontIndirectW
version="6.0.0.0"
HeapSetInformation
\$(E3
RtlLookupFunctionEntry
SetErrorMode
f9H\u
e &!h+
EditCopyCount
L9u0uF
.CRT$XCU
SQRQPNNDDD??,((,(,,+33222',6
internal\sdk\inc\wil\resource.h
!!!!!!
RtlDllShutdownInProgress
>m5l-B
o3noje
D$(E3
ReplaceTextW
PathIsFileSpecW
[%hs(%hs)]
ew|>&=4_
QueryPerformanceCounter
LoadImageW
Jx$7}H
Windows.ApplicationModel.Resources.Core.ResourceManager
0A_A^_^]
+T$HH
t$0E3
oon;M=
LOLSI
g6dxC
dB!dB!hB
u@ @p=
Notepad
SendDlgItemMessageW
msvcrt.dll
VY$[X
\$ UVWATAUAVAWH
StringFileInfo
%hs(%d) tid(%x) %08X %ws
H_^[]
C>_J*A
t$ WAVAWH
.rdata$zETW9
_|_0r
JN}<:5
+r![s
J!:+_m
Microsoft YaHei UI
GetCurrentProcess
UVWAVAWH
(_^][
L$0E3
gxI3!'
lfEscapement
__setusermatherr
y[y}g
Software\Microsoft\Notepad\DefaultFonts
UATAUAVAWH
Leelawadee UI Semilight
GetMenu
HeapFree
p~unM
5(/Vk
9D$hu"9U
Malgun Gothic Bold
y2(A*
9{8d93
GetOpenFileNameW
713$=
GetTickCount
},YOP
ClosePrinter
Vving1
t$XD9-
A_A^A\_]
J-=\C
Microsoft YaHei UI Light
lfWeight
t8fA;@
$>b~t
7T})gW
.text$mn
j1'"Z
3Ow~>
LocalFree
}^=47"
.CRT$XIY
TDjjr
D$8E3
/2/22222////2
GlobalUnlock
TerminateProcess
L$@H3
PostMessageW
type="win32"/>
</assembly>
PageSetupDlgW
HvIOK
I@3$d
z-m~~
Translation
ScreenToClient
D$x9|$<
D9t$h
aP?9'
fMatchCase
RoUninitialize
UWAVH
Ja\-6G
MultiByteToWideChar
WilError_02
EventWriteTransfer
GetDlgCtrlID
T$8H!t$8H
0pSS^
hwp1p0
SetViewportExtEx
!({.}Q0H!
C!,[%
iWindowPosDY
))#("
*e!f'
EventSetInformation
T$@E3
E@+U@H
22UVA
D$p+D$h9D$xu]L
8KH11.%"
L$`H3
AbortDoc
ProductVersion
WinSta0
9D$hu$D9U
!@z`7
D$@E3
UWAUAVAWH
.text$x
GetFileInformationByHandle
LocalReAlloc
T$ E3
OutputDebugStringW
`._W@
?0,AX
`/A8~
EdpFileOpenCount
UpdateWindow
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
MNNEDDDDDI,2,,2233232,2,,2C+
9D$hu%9U
vfql:>C
23T%#
OX @5
t$8f9
SetDlgItemTextW
ktFlL
__CxxFrameHandler3
xx8rrk3+
fWindowsOnlyEOL
ShowWindow
ReturnHr
_onexit
SHELL32.dll
L$HH3
WindowsGetStringRawBuffer
lfOrientation
.CRT$XIAA
SHStrDupW
$)IA%:
GetModuleHandleW
Segoe UI
GetTimeFormatW
wcsnlen
& 4 10O
?&&@8
|r8kr33.33m
1o?-XfF
GetKeyboardLayout
Windows
SaveComplete
9D$huGL
SetScrollPos
TranslateAcceleratorW
@A^_]
IsDebuggerPresent
|$hE3
.CRT$XLZ
0y;:]Z
xywSIpg
dx.Rl
N|mlD
EditDeleteCount
.giats
kernelbase.dll
.rdata$zETW1
H~bXGB
Files/Resources/notepad.exe.mui
m;xDv)
_ismbblead
bJYL^T
L^3g
lfUnderline
D$0E3
:?c~f
XPL<b
lfCharSet
iMarginRight
CoCreateGuid
6RichQ)
RtlVirtualUnwind
.idata$2
Jvz:OO
StartDocW
api-ms-win-core-winrt-error-l1-1-0.dll
GetTextMetricsW
|$ UH
x AVH
GetModuleFileNameW
APkP<&
lfItalic
Yu Gothic UI
0A_A^_
OriginalFilename
WATAUAVAWH
RaiseFailFastException
h2PVo
+dBVY
api-ms-win-core-processthreads-l1-1-1.dll
|*+@F!
A^_^[]
ShellExecuteW
f_UUURTP
|8?99zEc
LocalUnlock
(WVTMK>;8+
EndPage
0A^_^[]
.tls$
;K631-."
FB({(
.>S!p
3.r6x.3+,+.0+*!
Hcdc}
RSDS,
A_A^A]A\_
.CRT$XCA
.CRT$XCAA
.xdata
w9X!P/
EditFindCount
processorArchitecture="*"
lstrcmpW
.gfids
774_kki
DragAcceptFiles
RoGetActivationFactory
searchString
'2+8Ly
KERNEL32.dll
\$ UH
Windows.Storage.StorageFile
fD94Au
Segoe Pseudo
fD91u
<@:?k
ADVAPI32.dll
<windowsSettings>
GetSubMenu
%hs(%d)\%hs!%p:
GetFullPathNameW
L-^,3
ycn3)io
fMLE_is_broken
Operating System
0A_A^A\_^[]
test/log
MainAcc
L9{0t#H
.00cfg
SetBkMode
L-|9.
DNEE<<??>22+(&&&'3
_wcsicmp
EnableWindow
iWindowPosDX
T$8H!\$8
FWph?r
UnhandledExceptionFilter
W[g7W
<:KmJ*0
DialogBoxParamW
FreeLibrary
GetModuleHandleExW
[qA*68
wwwwx
iMarginBottom
GetWindowTextW
y5>O&
FailFast
DefWindowProcW
UVWATAUAVAWH
EventUnregister
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
_cexit
FindTextW
CloseHandle
L$8E3
Security-SPP-GenuineLocalStatus
'R{=f
Segoe UI SemiBold
IHR 7
T$dE3
GetLocalTime
@.reloc
Gmqxg"
VG2/iI
MapViewOfFile
;;;;4:
T?20r
8v}Xn
CompanyName
4cJ%8
hgtlCm
,fAVM
VS_VERSION_INFO
VL `wZd~
GetWindowPlacement
%s%c*.txt%c%s%c*.*%c
t$ WATAUAVAWH
_purecall
*.txt
9t$0t)959
GetLastError
GetCurrentThreadId
@USVWATAUAVAWH
_commode
api-ms-win-core-synch-l1-2-0.dll
LLLLIIIILIC
6H.J~
&@@>x
D9K(t
GetSystemTimeAsFileTime
__getmainargs
tz80&a%
x UATAUAVAWH
</dependency>
<dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2</dpiAwareness>
8AhYt
,>d=MT
A_A^_^]
LogHr
IsWordWrap
T$p+T$hL
_amsg_exit
IsIconic
.CRT$XCZ
?2{-N
!lX')
FileOpenComplete
?terminate@@YAXXZ
u HcA<H
}x5Jbf
PostQuitMessage
@?=,+/
9D$hu'D9U
D`lq]
fReverse
<dependency>
GetPrinterDriverW
V&Xax)
KHFE@330.
Exception
GetProcessHeap
3A%$[w
xv#?H
)KK1.-%
Sleep
Unknown
xr3.t
wf"fO
StatusBarVisibility
+D$h+
SendMessageW
305.1i
RegisterWindowMessageW
@J`O)
USVWH
[-XJ!
lfOutPrecision
CharNextW
SearchBingInvoked
Leelawadee UI Bold
SetUnhandledExceptionFilter
https://go.microsoft.com/fwlink/p/?linkid=838060
@>!;_
.data
GetTextExtentPoint32W
SetMapMode
wcscmp
GetFocus
iMarginLeft
GlobalFree
B!U~8Hg
z?801i:It6
%%!!!!!%0
X&9Lx"
|?=<@
t?fA;@
name="Microsoft.Windows.Common-Controls"
t$ UWATAVAWH
GetUserDefaultUILanguage
OpenClipboard
oUbp*
||Zhx
Leelawadee UI
8m6AX
T$$D!t$ H
api-ms-win-core-winrt-error-l1-1-1.dll
PathFileExistsW
A_A^A]A\]
D$ E3
.text
L9]0uQ
A_A^A]_]
L$hA3
COMDLG32.dll
wf!>Tg
#zd.J
FindNLSString
FormatFontCount
Lucida Console
414;;4
ChooseFontW
StartPage
memset
EdpPasteToNoContextCount
LaunchNotepadStart
[%hs]
`.rdata
SHAddToRecentDocs
SRRQPE@??>2,,('''',+233
_wtol
GetFileTitleW
bWti^
Re.!D:
.rdata$brc
RegOpenKeyExW
GetFileAttributesExW
RegCloseKey
SetWindowPos
ReleaseSemaphore
IsNetworkPath
SetFocus
IsClipboardFormatAvailable
0A_A^A\_]
GetSystemMenu
YvSfyw/
,(S!Y(Cf
!@!$*B
RoGetMatchingRestrictedErrorInfo
\$ UVWAVAWH
GetProcAddress
CreateEventExW
GetDlgItemTextW
0Hc|$`3
o_=%8
|$01u"
WinHelpW
l6s+o
SessionId
$KB>;88$
</trustInfo>
'141133!/!(!(!""/""
ProductName
FindFirstFileW
"O,T!
/|2ea
0TeD{
===111*!
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x0001ac50 | 0x0004d15f | 0x0004d15f | 10.0 | notepad.pdb | 1996-11-26 04:52:33 | c8922be3dcdfeb5994c9eee7745dc22e |  |
ee73206ec757f3eec7d99c1f83830996 | 17590693a3af6aeef43bd191be753c69 | f8f9f8dcd8c8c040 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Notepad |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | Notepad |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | NOTEPAD.EXE |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0001aa35 | 0x0001ac00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.34 |
| .rdata | 0x0001b000 | 0x0001c000 | 0x0000797a | 0x00007a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.08 |
| .data | 0x00022a00 | 0x00024000 | 0x00002dd4 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.83 |
| .pdata | 0x00023600 | 0x00027000 | 0x00000990 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.04 |
| .rsrc | 0x00024000 | 0x00028000 | 0x00019ce0 | 0x00019e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.36 |
| .reloc | 0x0003de00 | 0x00042000 | 0x00000230 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 3.46 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| EDPENLIGHTENEDAPPINFOID | 0x000289d8 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.00 | None |
| EDPPERMISSIVEAPPINFOID | 0x000289e0 | 0x00000002 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.00 | None |
| MUI | 0x00041b98 | 0x00000148 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.03 | None |
| RT_ICON | 0x000289e8 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.15 | None |
| RT_ICON | 0x00029050 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.46 | None |
| RT_ICON | 0x00029338 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.42 | None |
| RT_ICON | 0x00029520 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.19 | None |
| RT_ICON | 0x00029648 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.34 | None |
| RT_ICON | 0x0002a4f0 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.89 | None |
| RT_ICON | 0x0002ad98 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.78 | None |
| RT_ICON | 0x0002b460 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.50 | None |
| RT_ICON | 0x0002b9c8 | 0x00011958 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.93 | None |
| RT_ICON | 0x0003d320 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.92 | None |
| RT_ICON | 0x0003f8c8 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.51 | None |
| RT_ICON | 0x00040970 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.69 | None |
| RT_ICON | 0x000412f8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.43 | None |
| RT_GROUP_ICON | 0x00041760 | 0x000000bc | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.08 | None |
| RT_VERSION | 0x00041820 | 0x00000374 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.45 | None |
| RT_MANIFEST | 0x00028530 | 0x000004a3 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.97 | None |
Imports
| Name | Address |
|---|---|
| OpenProcessToken | 0x14001c6b0 |
| GetTokenInformation | 0x14001c6b8 |
| DuplicateEncryptionInfoFile | 0x14001c6c0 |
| RegSetValueExW | 0x14001c6c8 |
| RegQueryValueExW | 0x14001c6d0 |
| RegCreateKeyW | 0x14001c6d8 |
| RegCloseKey | 0x14001c6e0 |
| RegOpenKeyExW | 0x14001c6e8 |
| EventSetInformation | 0x14001c6f0 |
| EventRegister | 0x14001c6f8 |
| EventUnregister | 0x14001c700 |
| EventWriteTransfer | 0x14001c708 |
| IsTextUnicode | 0x14001c710 |
| DecryptFileW | 0x14001c718 |
| Name | Address |
|---|---|
| StartPage | 0x14001c790 |
| StartDocW | 0x14001c798 |
| SetAbortProc | 0x14001c7a0 |
| DeleteDC | 0x14001c7a8 |
| CreateDCW | 0x14001c7b0 |
| AbortDoc | 0x14001c7b8 |
| EndPage | 0x14001c7c0 |
| GetTextMetricsW | 0x14001c7c8 |
| SetBkMode | 0x14001c7d0 |
| LPtoDP | 0x14001c7d8 |
| SetWindowExtEx | 0x14001c7e0 |
| SetViewportExtEx | 0x14001c7e8 |
| SetMapMode | 0x14001c7f0 |
| GetTextExtentPoint32W | 0x14001c7f8 |
| TextOutW | 0x14001c800 |
| EnumFontsW | 0x14001c808 |
| GetTextFaceW | 0x14001c810 |
| SelectObject | 0x14001c818 |
| DeleteObject | 0x14001c820 |
| CreateFontIndirectW | 0x14001c828 |
| GetDeviceCaps | 0x14001c830 |
| EndDoc | 0x14001c838 |
| Name | Address |
|---|---|
| _lock | 0x14001cf08 |
| _commode | 0x14001cf10 |
| _fmode | 0x14001cf18 |
| _acmdln | 0x14001cf20 |
| __dllonexit | 0x14001cf28 |
| __setusermatherr | 0x14001cf30 |
| _onexit | 0x14001cf38 |
| memcpy | 0x14001cf40 |
| _cexit | 0x14001cf48 |
| _exit | 0x14001cf50 |
| exit | 0x14001cf58 |
| __set_app_type | 0x14001cf60 |
| __getmainargs | 0x14001cf68 |
| _amsg_exit | 0x14001cf70 |
| _XcptFilter | 0x14001cf78 |
| free | 0x14001cf80 |
| memcpy_s | 0x14001cf88 |
| iswctype | 0x14001cf90 |
| wcsnlen | 0x14001cf98 |
| _wcsicmp | 0x14001cfa0 |
| __C_specific_handler | 0x14001cfa8 |
| _wtol | 0x14001cfb0 |
| swprintf_s | 0x14001cfb8 |
| _vsnwprintf | 0x14001cfc0 |
| ?terminate@@YAXXZ | 0x14001cfc8 |
| memset | 0x14001cfd0 |
| _unlock | 0x14001cfd8 |
| _ismbblead | 0x14001cfe0 |
| _initterm | 0x14001cfe8 |
| _callnewh | 0x14001cff0 |
| malloc | 0x14001cff8 |
| _purecall | 0x14001d000 |
| __CxxFrameHandler3 | 0x14001d008 |
| wcscmp | 0x14001d010 |
| Name | Address |
|---|---|
| CoCreateGuid | 0x14001cd58 |
| CoTaskMemFree | 0x14001cd60 |
| CoTaskMemAlloc | 0x14001cd68 |
| CoCreateInstance | 0x14001cd70 |
| CoInitializeEx | 0x14001cd78 |
| CoUninitialize | 0x14001cd80 |
| CoCreateFreeThreadedMarshaler | 0x14001cd88 |
| CoWaitForMultipleHandles | 0x14001cd90 |
| PropVariantClear | 0x14001cd98 |
| Name | Address |
|---|---|
| WakeAllConditionVariable | 0x14001ce68 |
| SleepConditionVariableSRW | 0x14001ce70 |
| Sleep | 0x14001ce78 |
| Name | Address |
|---|---|
| RtlLookupFunctionEntry | 0x14001ce10 |
| RtlVirtualUnwind | 0x14001ce18 |
| RtlCaptureContext | 0x14001ce20 |
| Name | Address |
|---|---|
| UnhandledExceptionFilter | 0x14001cda8 |
| RaiseException | 0x14001cdb0 |
| SetUnhandledExceptionFilter | 0x14001cdb8 |
| Name | Address |
|---|---|
| TerminateProcess | 0x14001cde0 |
| Name | Address |
|---|---|
| AcquireSRWLockExclusive | 0x14001ce40 |
| CreateEventExW | 0x14001ce48 |
| ReleaseSRWLockExclusive | 0x14001ce50 |
| SetEvent | 0x14001ce58 |
| Name | Address |
|---|---|
| QueryPerformanceCounter | 0x14001ce00 |
| Name | Address |
|---|---|
| GetSystemTimeAsFileTime | 0x14001ce88 |
| GetTickCount | 0x14001ce90 |
| Name | Address |
|---|---|
| GetModuleFileNameW | 0x14001cdc8 |
| LoadLibraryExW | 0x14001cdd0 |
| Name | Address |
|---|---|
| GetProcessMitigationPolicy | 0x14001cdf0 |
| Name | Address |
|---|---|
| WindowsCreateString | 0x14001cee0 |
| WindowsGetStringRawBuffer | 0x14001cee8 |
| WindowsDeleteString | 0x14001cef0 |
| WindowsCreateStringReference | 0x14001cef8 |
| Name | Address |
|---|---|
| SetRestrictedErrorInfo | 0x14001cea0 |
| Name | Address |
|---|---|
| CompareStringOrdinal | 0x14001ce30 |
| Name | Address |
|---|---|
| RoInitialize | 0x14001cec0 |
| RoGetActivationFactory | 0x14001cec8 |
| RoUninitialize | 0x14001ced0 |
| Name | Address |
|---|---|
| RoGetMatchingRestrictedErrorInfo | 0x14001ceb0 |
| Name | Address |
|---|---|
| CreateStatusWindowW | 0x14001c728 |
| Name | Address |
|---|---|
| FindTextW | 0x14001c740 |
| PageSetupDlgW | 0x14001c748 |
| GetSaveFileNameW | 0x14001c750 |
| GetOpenFileNameW | 0x14001c758 |
| CommDlgExtendedError | 0x14001c760 |
| GetFileTitleW | 0x14001c768 |
| ChooseFontW | 0x14001c770 |
| PrintDlgExW | 0x14001c778 |
| ReplaceTextW | 0x14001c780 |
| Name | Address |
|---|---|
| WinSqmAddToStream | 0x14001d020 |
| Name | Address |
|---|---|
| PropVariantToStringVectorAlloc | 0x14001ca60 |
| PSGetPropertyDescriptionListFromString | 0x14001ca68 |
| Name | Address |
|---|---|
| ShellAboutW | 0x14001ca78 |
| DragQueryFileW | 0x14001ca80 |
| SHAddToRecentDocs | 0x14001ca88 |
| DragFinish | 0x14001ca90 |
| DragAcceptFiles | 0x14001ca98 |
| ShellExecuteW | 0x14001caa0 |
| SHCreateItemFromParsingName | 0x14001caa8 |
| Name | Address |
|---|---|
| SHStrDupW | 0x14001cab8 |
| PathFileExistsW | 0x14001cac0 |
| PathIsNetworkPathW | 0x14001cac8 |
| PathFindExtensionW | 0x14001cad0 |
| PathIsFileSpecW | 0x14001cad8 |
| Name | Address |
|---|---|
| ClosePrinter | 0x14001cd38 |
| GetPrinterDriverW | 0x14001cd40 |
| OpenPrinterW | 0x14001cd48 |
| Name | Address |
|---|---|
| FindMimeFromData | 0x14001d030 |
Usage
Processing ( 10.85 seconds )
- 10.273 ProcessMemory
- 0.544 CAPE
- 0.025 BehaviorAnalysis
- 0.007 AnalysisInfo
- 0.001 Debug
Signatures ( 0.06 seconds )
- 0.008 ransomware_files
- 0.006 antiav_detectreg
- 0.005 antianalysis_detectfile
- 0.005 ransomware_extensions
- 0.003 infostealer_ftp
- 0.003 territorial_disputes_sigs
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_bitcoin
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
- 0.001 lokibot_mutexes
Reporting ( 0.01 seconds )
- 0.007 CAPASummary
- 0.002 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: notepad.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00024000', 'virtual_address': '0x00028000', 'virtual_size': '0x00019ce0', 'size_of_data': '0x00019e00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.36'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6212 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
\Device\CNG
C:\Windows\System32\kernel.appcore.dll
C:\Users\Packager\AppData\Local\Temp\resources.pri
C:\Users\Packager\AppData\Local\Temp\notepad.exe
C:\Windows\System32\kernel.appcore.dll
C:\Users\Packager\AppData\Local\Temp\resources.pri
C:\Users\Packager\AppData\Local\Temp\notepad.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Mrt\_Merged
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Mrt\_Merged
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Local\SM0:6212:304:WilStaging_02
Local\SM0:6212:120:WilError_03
Local\SM0:6212:120:WilError_03
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.