b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9

Analysis

max time kernel
153s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
Size

2.9MB
MD5

845b03a8f6ec388e0f48cd9b4a5a34cd
SHA1

46eb8f831ea4344d0ca9988b59898781800026d3
SHA256

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9
SHA512

b0dafb902e81732ccd5875877ff125f356e6cfa2577d73bfe465eb3912e5ec155450cb98891827c3465dca534005d23967c64a003f20436f85547dec29dc9f83
SSDEEP

49152:LgwRLML6727St6ROhoyFgrNu0ucsw0kRscQRgCVMoFs6zMGPJR0I3KVooUyEHIFx:LgwRw3DROho6oE06kqcG9vAKJR3aUyEY

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.execmd.exe

description	ioc	process
File opened for modification	C:\Program Files\Notepad3_x64\grepWinNP3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Notepad3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\minipath.ini	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes\Dark.ini	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\lng\zh-CN\np3lng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Notepad3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\zh-CN	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3\minipath.ini	cmd.exe
File created	C:\Program Files\Notepad3\StartMenuNew.xml	cmd.exe
File created	C:\Program Files\Notepad3_x86\卸载.cmd	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\用Notepad3打开.CMD	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\grepWinNP3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes\Sombra.ini	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\np3lng.dll	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\Notepad3.exe	cmd.exe
File created	C:\Program Files\Notepad3_x86\Themes\Sombra.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\卸载.cmd	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Themes\Sombra.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\lng\zh-CN\np3lng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\zh-CN\np3lng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Notepad3.ini	cmd.exe
File opened for modification	C:\Program Files\Notepad3\AddShortCut.txt	cmd.exe
File created	C:\Program Files\Notepad3_x64\卸载.cmd	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3\StartAPPShell.ps1	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\minipath.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Themes\Sombra.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\np3lng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Themes	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes\Obsidian.ini	cmd.exe
File created	C:\Program Files\Notepad3_x86\Themes\Obsidian.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Notepad3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\minipath.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Themes\Obsidian.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\zh-CN	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\minipath.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\grepWinNP3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\np3lng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\GREPWI~1.EXE	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\zh-CN\NP3LNG~1.MUI	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\minipath.exe	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\0DE1~1.CMD	cmd.exe
File created	C:\Program Files\Notepad3_x64\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4120 taskkill.exe

pid	process
4120	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeexplorer.exereg.exereg.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3357"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 = 86003100000000000c551b99110053544152544d7e3100006e0009000400efbe0c551999795536b82e00000087e10100000001000000000000000000440000000000242d46005300740061007200740020004d0065006e007500000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003600000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2648"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open with Notepad3\command	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3357"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2226"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open with Notepad3\Icon = "C:\\Program Files\\Notepad3\\Notepad3.exe,0"	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2590"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2875"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffc000000000000002000000e6070b004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c00000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000001353a4f62101d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e6070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001d00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000f16a79f62101d90100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e6070800420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000000000000000000000000000000000000000000000000000000000000002ac982737faed80100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e60708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2648"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2648"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "820"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5600310000000000795535b81000526f616d696e6700400009000400efbe0c551999795536b82e00000083e101000000010000000000000000000000000000001a41580052006f0061006d0069006e006700000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6817"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2226"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7100"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000c55199912004170704461746100400009000400efbe0c551999795536b82e00000082e10100000001000000000000000000000000000000bc3d97004100700070004400610074006100000016000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6817"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2226"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open with Notepad3	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\0	explorer.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

308 PING.EXE
1272 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

2684 explorer.exe
652 explorer.exe

pid	process
308	PING.EXE
1272	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
968	powershell.exe
968	powershell.exe
2504	powershell.exe
2504	powershell.exe
4256	powershell.exe
4256	powershell.exe
4360	powershell.exe
4360	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

652 explorer.exe

pid	process
652	explorer.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exeexplorer.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

explorer.exe

pid	process
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

explorer.exe

pid	process
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

explorer.exeexplorer.exeStartMenuExperienceHost.exeexplorer.exeSearchApp.exe

pid	process
2684	explorer.exe
2684	explorer.exe
652	explorer.exe
652	explorer.exe
3844	StartMenuExperienceHost.exe
2088	explorer.exe
1820	SearchApp.exe
2088	explorer.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4900 wrote to memory of 2928	4900	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe	cmd.exe
PID 4900 wrote to memory of 2928	4900	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe	cmd.exe
PID 2928 wrote to memory of 5016	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 5016	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 1260	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 1260	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 4000	2928	cmd.exe	xcopy.exe
PID 2928 wrote to memory of 4000	2928	cmd.exe	xcopy.exe
PID 2928 wrote to memory of 2380	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 2380	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 1760	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 1760	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 652	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 652	2928	cmd.exe	cmd.exe
PID 652 wrote to memory of 364	652	cmd.exe	reg.exe
PID 652 wrote to memory of 364	652	cmd.exe	reg.exe
PID 2928 wrote to memory of 4812	2928	cmd.exe	mshta.exe
PID 2928 wrote to memory of 4812	2928	cmd.exe	mshta.exe
PID 2928 wrote to memory of 112	2928	cmd.exe	explorer.exe
PID 2928 wrote to memory of 112	2928	cmd.exe	explorer.exe
PID 2928 wrote to memory of 308	2928	cmd.exe	PING.EXE
PID 2928 wrote to memory of 308	2928	cmd.exe	PING.EXE
PID 2928 wrote to memory of 968	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 968	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 3824	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 3824	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 1880	2928	cmd.exe	cmd.exe
PID 2928 wrote to memory of 1880	2928	cmd.exe	cmd.exe
PID 1880 wrote to memory of 3600	1880	cmd.exe	findstr.exe
PID 1880 wrote to memory of 3600	1880	cmd.exe	findstr.exe
PID 2928 wrote to memory of 2504	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 2504	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 4256	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 4256	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 4120	2928	cmd.exe	taskkill.exe
PID 2928 wrote to memory of 4120	2928	cmd.exe	taskkill.exe
PID 2928 wrote to memory of 3136	2928	cmd.exe	attrib.exe
PID 2928 wrote to memory of 3136	2928	cmd.exe	attrib.exe
PID 2928 wrote to memory of 2088	2928	cmd.exe	explorer.exe
PID 2928 wrote to memory of 2088	2928	cmd.exe	explorer.exe
PID 2928 wrote to memory of 4360	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 4360	2928	cmd.exe	powershell.exe
PID 2928 wrote to memory of 1488	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 1488	2928	cmd.exe	findstr.exe
PID 2928 wrote to memory of 5008	2928	cmd.exe	explorer.exe
PID 2928 wrote to memory of 5008	2928	cmd.exe	explorer.exe
PID 2928 wrote to memory of 1272	2928	cmd.exe	PING.EXE
PID 2928 wrote to memory of 1272	2928	cmd.exe	PING.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3136 attrib.exe

pid	process
3136	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
"C:\Users\Admin\AppData\Local\Temp\b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\用Notepad3打开.CMD" "
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo d"
3⤵
PID:1260

C:\Windows\system32\xcopy.exe
xcopy /h /e Themes "C:\Users\Admin\AppData\Roaming\Rizonesoft\Notepad3\Themes"
3⤵
PID:4000

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Classes\*\shell\Open with Notepad3" /f /v "Icon" /t REG_SZ /d "C:\Program Files\Notepad3\Notepad3.exe,0"
3⤵
- Modifies registry class
PID:2380

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Classes\*\shell\Open with Notepad3\command" /f /ve /t REG_SZ /d "\"C:\Program Files\Notepad3\Notepad3.exe\" \"%1\""
3⤵
- Modifies registry class
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Programs"
3⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Programs"
4⤵
PID:364

C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad3.lnk""):b.TargetPath=""C:\Program Files\Notepad3\Notepad3.EXE"":b.WorkingDirectory=""C:\Program Files\Notepad3\"":b.Save:close")
3⤵
PID:4812

C:\Windows\explorer.exe
explorer.exe /n,"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
3⤵
PID:112

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
3⤵
- Runs ping.exe
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe Export-StartLayout ¿CPath StartMenu.xml
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\findstr.exe
findstr /c:"Start Menu\Programs\Notepad3.lnk" StartMenu.xml
3⤵
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /n ".*" StartMenu.xml
3⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\findstr.exe
findstr /n ".*" StartMenu.xml
4⤵
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -ExecutionPolicy Bypass -file "C:\Program Files\Notepad3\StartAPPShell.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe "& 'C:\Program Files\Notepad3\StartAPPShell.ps1'"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\IconCache.db"
3⤵
- Views/modifies file attributes
PID:3136

C:\Windows\explorer.exe
explorer.exe
3⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe Export-StartLayout ¿CPath StartMenu.xml
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\findstr.exe
findstr /c:"Start Menu\Programs\Notepad3.lnk" StartMenu.xml
3⤵
PID:1488

C:\Windows\explorer.exe
explorer.exe /n,"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
3⤵
PID:5008

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
3⤵
- Runs ping.exe
PID:1272

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad3\Notepad3.exe
Filesize
4.1MB

MD5
a515b278964f9cef43b57e7b347a5efb

SHA1
768dcdeea59589921c89d41ea745d1b93944e86c

SHA256
27d99690f13a25354b31765c5c9ac14ca5f746f021eef13c4b62aff90e595ac6

SHA512
ff0db02b77f4d60c7d8446988f9fbd1c4510f1a3c432660bcc23b18226b58b2c4659c869b36979df6c46b7f46ff07d21eafc27f9304583c0d8ebc7532d61b143

Download Submit
C:\Program Files\Notepad3\Notepad3.ini
Filesize
69B

MD5
4d74a089fe02a6866b8cb80ad7ffbd5d

SHA1
31678d444ce46bc1ee1f9d419c579cb324582b73

SHA256
8a6f2a39289798ed42b04189a7dc4426294bdbfb39ca14a52a8af45cfb3ba95e

SHA512
7a056e558be40b728a59153989904e131db1ce280dd34567f156342f88e0a83b711562984145d19b45bffd961e696bb78601aa9b328b454c2deaff13e650803c

Download Submit
C:\Program Files\Notepad3\StartAPPShell.ps1
Filesize
64B

MD5
1f7b26e4fd5dcf3f41601d7043e25247

SHA1
29ba227ecc69feddae0ddc502c6386c2263916a6

SHA256
d44aa0673078a767aac7167e0e2e3dabc129bad0d5607d6b2a39e307e6046aea

SHA512
294c0e6f2137cd1c01795e2efc17f73187f23b96151b3e45acdc092bc9bd107e4414f4981c5a6b57320c0e58dd083d99f9914be6b639abb4806a2b926f9d11fb

Download Submit
C:\Program Files\Notepad3\Themes\Dark.ini
Filesize
18KB

MD5
da74cf834e686c51ae6952d86c2f3a2b

SHA1
ecc20f62f35cb7fa4d4186bad30f5e18a3a3c3d9

SHA256
f49417e55e64b0649fa8308f3fe337cdf38589981fdf017240830ef9fe782380

SHA512
f780d4cd766227510f087438d155d7df36121671054d795abaedbae1b9f90ec0271caba518faef1684b300ffa66273f5895e07c31e8af2dbab2b96d27c522379

Download Submit
C:\Program Files\Notepad3\Themes\Obsidian.ini
Filesize
18KB

MD5
88f0328d12fc95ffdb03cb54104dd5ad

SHA1
2505e0383b11881b63606237f1cff7e4dfe3f6ac

SHA256
23df89332abd4803f37770793364357d050f32b7fe8607fc84fe1b299acf759e

SHA512
baa28fa95f3d17525288a11fd20f8ee7e201ee22347234f6e4774ab94c0a1db108457cdf4d14eddd53e7b982b46f4389e671a513fa69dc4fd6ab525643078314

Download Submit
C:\Program Files\Notepad3\Themes\Sombra.ini
Filesize
18KB

MD5
92e069b51a1367083e93ac8f9dc62355

SHA1
35b659c34ecae695e8cee868616c57c152b9c2b0

SHA256
0e254e9623f8256bb20fb8bfdcd73e94aab120bf3afb801155686f8e3c2412e4

SHA512
e9308e8cd1f2fc4a13944683e628ea954963069a5eb15e7198c3a5145bc0ac9dccc4fc5b72b0afdd30cd47dc52039bbb7a39117cfe4fb4d76c5fba2f1957b266

Download Submit
C:\Program Files\Notepad3\minipath.ini
Filesize
69B

MD5
1bcf9a255e8b7406aaa67bdd72cf8526

SHA1
9018a6a5888fa3177b66b3315a19d13fa0a6406d

SHA256
6a222ad9e109c32d7019df8ab7ba99c6eccc9d447255dfe6b34f7356bdf4f620

SHA512
cc2090df481acde8a2ce4b973bacc62978123d567385fa907047db09c0d10b5981d8817832252f7f1d75845a7f466738ffa1aac56bb551f6adfefbf7d690b448

Download Submit
C:\Program Files\Notepad3_x86\0DE1~1.CMD
Filesize
3KB

MD5
693b21d715d618712b2016b4b3bc456b

SHA1
c8dbbab692839f8f01b320fcd10c47259e8af1e3

SHA256
fb0f69c2295ffde66f5af7919c9069f0dde7e7f2730149380864d1b8f426b9ef

SHA512
95c9580c2ccc020cfbc3707dab903e4b64d97ce28ec88654d833864f3fee8756af9f27f28f2ad3ae2762d17863d333c04e5c30e6ccfa03a9b3b856a02d3d986e

Download Submit
C:\Program Files\Notepad3_x86\GREPWI~1.EXE
Filesize
1.1MB

MD5
e7fd612088003210d7c560fc1ae22ce7

SHA1
7f2d99eb93b77b6ef2eafebaed36d955466efdc4

SHA256
061e3c57c9ba346a108a8bbfbbf9916cff4114acf6ef90968408541148583165

SHA512
155200a1df7929b02257905656246d42c79f47f8269989064576170a186c3b70dbbc93ac713d10a579f1302e2b33a1db6d12caf368a597ee8f44ec25f4c2c068

Download Submit
C:\Program Files\Notepad3_x86\Notepad3.exe
Filesize
3.7MB

MD5
7b1fd97e51570bbe68d48151fcef0157

SHA1
2bbe9b61cd8607bf5f2b3fe8b336132bd17c9a89

SHA256
d1229a282ca69c4e8f0e6af5b392d53cec65cc7df53a158874d5b909372a3ce4

SHA512
8c8fc9c99dcb93436859831e607ecdc231095b7c8dc34b72ba307b53978ba1a7bb475499a97b18db0efd9ff31f88212e0589debb6ab0d027620d1cffd72a227d

Download Submit
C:\Program Files\Notepad3_x86\Notepad3.ini
Filesize
4KB

MD5
ec3cdc5c801f2a9e185e9026befff401

SHA1
64f312fa60663e28bbfc2c94400ce881e5e71c5e

SHA256
16748ed97496fedbc33814211b0f8890b5b88e25a26f8509f0b6d919aac7510f

SHA512
e118f6c19a101c6fbb836234aaedb3b9820de572a22f9e3c8a0fc4d16616d677ae419a6d316829c4d04f6d351dea60005ee37da921d653948b8cde0536d63f69

Download Submit
C:\Program Files\Notepad3_x86\Themes\Dark.ini
Filesize
18KB

MD5
da74cf834e686c51ae6952d86c2f3a2b

SHA1
ecc20f62f35cb7fa4d4186bad30f5e18a3a3c3d9

SHA256
f49417e55e64b0649fa8308f3fe337cdf38589981fdf017240830ef9fe782380

SHA512
f780d4cd766227510f087438d155d7df36121671054d795abaedbae1b9f90ec0271caba518faef1684b300ffa66273f5895e07c31e8af2dbab2b96d27c522379

Download Submit
C:\Program Files\Notepad3_x86\Themes\Obsidian.ini
Filesize
18KB

MD5
88f0328d12fc95ffdb03cb54104dd5ad

SHA1
2505e0383b11881b63606237f1cff7e4dfe3f6ac

SHA256
23df89332abd4803f37770793364357d050f32b7fe8607fc84fe1b299acf759e

SHA512
baa28fa95f3d17525288a11fd20f8ee7e201ee22347234f6e4774ab94c0a1db108457cdf4d14eddd53e7b982b46f4389e671a513fa69dc4fd6ab525643078314

Download Submit
C:\Program Files\Notepad3_x86\Themes\Sombra.ini
Filesize
18KB

MD5
92e069b51a1367083e93ac8f9dc62355

SHA1
35b659c34ecae695e8cee868616c57c152b9c2b0

SHA256
0e254e9623f8256bb20fb8bfdcd73e94aab120bf3afb801155686f8e3c2412e4

SHA512
e9308e8cd1f2fc4a13944683e628ea954963069a5eb15e7198c3a5145bc0ac9dccc4fc5b72b0afdd30cd47dc52039bbb7a39117cfe4fb4d76c5fba2f1957b266

Download Submit
C:\Program Files\Notepad3_x86\lng\mplng.dll
Filesize
18KB

MD5
bc3795d69643740772716c66b6856ef7

SHA1
dfdb788b9466748be3e514aeb1d9925cd8d4a832

SHA256
8da7e326335b7ac4b3c47cee5f88f088ca8beda7654a87395ec874c99d78b470

SHA512
733514513c37d41d429742cda5a39ceccbf557bbaf67f29f3d13ce12c4568f9b1280f8b683350351c7f4fa1e147f2e198910e322936653c212ab800af27862b5

Download Submit
C:\Program Files\Notepad3_x86\lng\np3lng.dll
Filesize
18KB

MD5
662b349c0bfad28068cff6ef88f4a01c

SHA1
8177b76e4356fe403313e2030fabfa812b8ba622

SHA256
fd4d476578b52aad9470aedb6c9337fa547bf183b98ae519751c1ec625ad5928

SHA512
f7ddd6fba6c9fb2d1b1ba6c89e1a629b12d2faec0aafc6d96d8f87ecc016828d4f64cea93a84ad6ab6fb54497584ee3d9fa14d45980596009e7b1e49173d8ffa

Download Submit
C:\Program Files\Notepad3_x86\lng\zh-CN\MPLNGD~1.MUI
Filesize
143KB

MD5
68d722e61e42502f4c95a2467a7901b0

SHA1
2fc7a32eb02f39da718ac5117cae911220877224

SHA256
ac3db310402281afd2fbf1e84b2c93c45d867e08212b2b357b99095a03587d35

SHA512
0704cf18aa867307f57b97a17b21b8e3b09567af397e3b52298ed4e999349d7cb5828f58a4431267123485042d606134a4660b6c207e1d9d70f64c523940448b

Download Submit
C:\Program Files\Notepad3_x86\lng\zh-CN\NP3LNG~1.MUI
Filesize
307KB

MD5
6cf1c4390e2e4fbc8a1628212ddd0c35

SHA1
15e68382bc5642f1f6432275a47e4e3d82ea715a

SHA256
57789e75c59ce179dabba39883f657262abc70a3958df5eb6c216cc60a8e6ba6

SHA512
0e526a57ec682e402c4442b7136e0b9ac0eb620a48f630906bea7b08e88b80fbe99728c91e5f142a771ec1aba38eb658fb2e503afe1b2b07a37c8c1af4cd3911

Download Submit
C:\Program Files\Notepad3_x86\minipath.exe
Filesize
937KB

MD5
ea34b7087241c749f5d533c0a3685cfe

SHA1
3e137440093b4d217d13e666dc934226db694bab

SHA256
009a0f766cbe9b5a972bc26ef649aabae0a2a62319133a747d3fc915168b7260

SHA512
bab976b9ed87a5d3664d6d869400b1118731261646b8a7c6f8f2984d56f4c265f1edbca14da96c8b652704a2cd64118927824250864cf4d38c2c18f5b9f5fca8

Download Submit
C:\Program Files\Notepad3_x86\minipath.ini
Filesize
4KB

MD5
74442050efaf0ebfd26fa5e7654f5c7e

SHA1
822d865d8fc05eb53d7e34388a943e89119d948c

SHA256
da1801467202a178271798527a7bb3fbe7b5c7793ade3c923835f205cb7801b4

SHA512
ba7c568fc779928c8b5ab695710416d26c71f41d447047cb768c04af3f46bb831fc9ad48d39f7948ef5cec198b3200f727a2ba4edf17c0def2bd57b7bed26219

Download Submit
C:\Program Files\用Notepad3打开.CMD
Filesize
16KB

MD5
82320cc2587c6eb1f408365b2684de92

SHA1
ac5997ea30cddafac8cf22962d2a650e376a69aa

SHA256
ee042523849005185b464337dfa508c3a33b120f9442a3c7f7dd6fb33bf010f8

SHA512
276063245c24530562ccc0d3c9443bf58b22770b3a07ff6c90d2b2b85131250f07e105686e9ca1ca9533bd3efdd0d9c90977680a067b16f6cd8e64b76e06a6a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
54b932143246674fc03a4e9858c0ee11

SHA1
90b4afa16ed7473148f4950d8162c00648314198

SHA256
ca45313907d1b10dc67f17d1f0a8e146913adb8da1733ac53167c1db17602ce4

SHA512
114af931e24907de0234ae2568edb43b34de1848c422738f4faaf690048356bc7ff336cf080e2350c770476079aae624b5140cdeabd46b7973fb8c80ff4b7277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
3eaab70c1d9b1c47de04e27c46391c3e

SHA1
390dfdf7afecb4c9f5cb35f735f314085295ff31

SHA256
66725efbb677efc1b3eb6265d5639c365233f6aaca12162592c6aa1b890df8c5

SHA512
45c1b59dd5a91ab5c7c2802b49d841f7e442e4b2ca619f3fad3252cf18c7c1ce01a9096204211960d5ef8a89ea7dcca298f41ffd208aabc362911b4cdb18b44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b528f1ec99f1bb456bbf1792d523e96d

SHA1
836c03a8c5b5cae18c18d82f1c9d79a9fcf2dda2

SHA256
61272be5ce63b56a3a3cea47e3c5e48629b75b41d21ab250f5cf49169356b8df

SHA512
1f8cd845e7748af8a7c116e5aba7bb88318c97e908103d69f997a63fba8ad4b849899d8787a20544a80ba9deb4fcd0a132954050c52e5740a47938c8ed1450d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a3f9033d9801f0496e567033d0b32d0d

SHA1
758ea6f38b05bef2c3a900021b5583525125a3a8

SHA256
a668618d974d7bcf3cb00b5e8858ebd624aa60c51742a9929f2da61b2fee04af

SHA512
080e34429b62b63a843b060f331209dc496115813e65ede928c4ec1a99973d8e054fd65d54bb48592625d12c1be87fd8ab1752ffa82ff4cf71caa2026294db33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
578819a4e8a3d2a43f815de9dbbffd17

SHA1
21aaf97d4c96fab6d4c5bd8caa6210111a76a849

SHA256
473c76a798966d1fc6d3f17d48aa33397929605fd16484de3cbad7b34c822440

SHA512
ee8cf236add59bb499de7dd728c09be499a9dfbaae55fb9c7f47d077bee21e25d7525ff7934953d9dfbe91235913e35770d92b334baa59e8d2b2250cd90b4e71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad3.lnk
Filesize
1KB

MD5
8f58f21fc87884f9b264e8214564bb6b

SHA1
c1a46ef73e710afe1f28aa06b3857272fc29d3b2

SHA256
4763deb36d297bc79bfb2930cc484cfbd605413f8b2211fa6faf9956678000be

SHA512
5019d624079e33f93f5c85a745ae50a4c6fb662a036c15fdecfec93f95d0453b5a9a3a4e65dc7bca5b09abc522667272e61c09509e5930b7756ebd356b921863

Download Submit
memory/112-162-0x0000000000000000-mapping.dmp

Download
memory/308-163-0x0000000000000000-mapping.dmp

Download
memory/364-158-0x0000000000000000-mapping.dmp

Download
memory/652-157-0x0000000000000000-mapping.dmp

Download
memory/968-165-0x0000000000000000-mapping.dmp

Download
memory/968-166-0x0000020515500000-0x0000020515522000-memory.dmp

Filesize
136KB

Download
memory/968-167-0x00000205153C0000-0x00000205153CA000-memory.dmp

Filesize
40KB

Download
memory/968-168-0x00007FFC9A690000-0x00007FFC9B151000-memory.dmp

Filesize
10.8MB

Download
memory/968-169-0x00007FFC9A690000-0x00007FFC9B151000-memory.dmp

Filesize
10.8MB

Download
memory/1260-150-0x0000000000000000-mapping.dmp

Download
memory/1272-193-0x0000000000000000-mapping.dmp

Download
memory/1488-191-0x0000000000000000-mapping.dmp

Download
memory/1760-156-0x0000000000000000-mapping.dmp

Download
memory/1820-203-0x0000016271400000-0x0000016271420000-memory.dmp

Filesize
128KB

Download
memory/1820-228-0x0000015A00027000-0x0000015A0002A000-memory.dmp

Filesize
12KB

Download
memory/1820-238-0x0000015A00041000-0x0000015A00045000-memory.dmp

Filesize
16KB

Download
memory/1820-215-0x0000015A00020000-0x0000015A00023000-memory.dmp

Filesize
12KB

Download
memory/1820-212-0x0000015A0000C000-0x0000015A00010000-memory.dmp

Filesize
16KB

Download
memory/1820-211-0x0000015A0000C000-0x0000015A00010000-memory.dmp

Filesize
16KB

Download
memory/1820-237-0x0000015A00041000-0x0000015A00045000-memory.dmp

Filesize
16KB

Download
memory/1820-236-0x0000015A00041000-0x0000015A00045000-memory.dmp

Filesize
16KB

Download
memory/1820-235-0x0000015A00041000-0x0000015A00045000-memory.dmp

Filesize
16KB

Download
memory/1820-230-0x0000016276A00000-0x0000016276A08000-memory.dmp

Filesize
32KB

Download
memory/1820-226-0x0000015A00027000-0x0000015A0002A000-memory.dmp

Filesize
12KB

Download
memory/1820-227-0x0000015A00027000-0x0000015A0002A000-memory.dmp

Filesize
12KB

Download
memory/1820-210-0x0000015A0000C000-0x0000015A00010000-memory.dmp

Filesize
16KB

Download
memory/1820-214-0x0000015A00020000-0x0000015A00023000-memory.dmp

Filesize
12KB

Download
memory/1820-221-0x0000015A00023000-0x0000015A00027000-memory.dmp

Filesize
16KB

Download
memory/1820-208-0x0000015A0000C000-0x0000015A00010000-memory.dmp

Filesize
16KB

Download
memory/1820-223-0x0000015A00023000-0x0000015A00027000-memory.dmp

Filesize
16KB

Download
memory/1820-222-0x0000015A00023000-0x0000015A00027000-memory.dmp

Filesize
16KB

Download
memory/1820-220-0x0000015A00023000-0x0000015A00027000-memory.dmp

Filesize
16KB

Download
memory/1820-217-0x0000015A00020000-0x0000015A00023000-memory.dmp

Filesize
12KB

Download
memory/1820-216-0x0000015A00020000-0x0000015A00023000-memory.dmp

Filesize
12KB

Download
memory/1820-209-0x0000015A0000C000-0x0000015A00010000-memory.dmp

Filesize
16KB

Download
memory/1880-171-0x0000000000000000-mapping.dmp

Download
memory/2088-185-0x0000000000000000-mapping.dmp

Download
memory/2380-155-0x0000000000000000-mapping.dmp

Download
memory/2504-173-0x0000000000000000-mapping.dmp

Download
memory/2504-178-0x00007FFC99D40000-0x00007FFC9A801000-memory.dmp

Filesize
10.8MB

Download
memory/2504-177-0x00007FFC99D40000-0x00007FFC9A801000-memory.dmp

Filesize
10.8MB

Download
memory/2928-132-0x0000000000000000-mapping.dmp

Download
memory/3136-184-0x0000000000000000-mapping.dmp

Download
memory/3600-172-0x0000000000000000-mapping.dmp

Download
memory/3824-170-0x0000000000000000-mapping.dmp

Download
memory/4000-151-0x0000000000000000-mapping.dmp

Download
memory/4120-183-0x0000000000000000-mapping.dmp

Download
memory/4256-179-0x0000000000000000-mapping.dmp

Download
memory/4256-181-0x00007FFC99DF0000-0x00007FFC9A8B1000-memory.dmp

Filesize
10.8MB

Download
memory/4256-182-0x00007FFC99DF0000-0x00007FFC9A8B1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-190-0x00007FFC99DF0000-0x00007FFC9A8B1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-186-0x0000000000000000-mapping.dmp

Download
memory/4360-189-0x00007FFC99DF0000-0x00007FFC9A8B1000-memory.dmp

Filesize
10.8MB

Download
memory/4812-159-0x0000000000000000-mapping.dmp

Download
memory/5008-192-0x0000000000000000-mapping.dmp

Download
memory/5016-134-0x0000000000000000-mapping.dmp

Download