b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

Analysis

max time kernel
143s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
11-02-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin.sh
Size

132KB
MD5

a73ddd6ec22462db955439f665cad4e6
SHA1

ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256

b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
SHA512

92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa
SSDEEP

3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPtoM:2IIKXhZtL7jOTyIG87Xl

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral1/files/0x000400000002a7cd-63.dat	patched_upx

Executes dropped EXE 4 IoCs

pid	Process
884	npp.8.6.2.Installer.x64.exe
2892	notepad++.exe
3052	gup.exe
904	notepad++.exe

Loads dropped DLL 16 IoCs

pid	Process
884	npp.8.6.2.Installer.x64.exe
884	npp.8.6.2.Installer.x64.exe
884	npp.8.6.2.Installer.x64.exe
884	npp.8.6.2.Installer.x64.exe
884	npp.8.6.2.Installer.x64.exe
884	npp.8.6.2.Installer.x64.exe
4016	regsvr32.exe
3984	regsvr32.exe
3052	gup.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InProcServer32\ = "C:\\Program Files\\Notepad++\\contextMenu\\NppShell.dll"	regsvr32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000002a7cd-63.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Notepad++\functionList\sinumerik.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\ada.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\vim Dark Blue.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\coffee.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\cpp.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\bash.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\cs.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\perl.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\gdscript.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\hollywood.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\cobol.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\gdscript.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\javascript.js.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\powershell.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\nsis.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\updater.ico	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\langs.model.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\css.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\python.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\vhdl.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\lua.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\inno.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\ruby.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\notepad++.exe	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Ruby Blue.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\DansLeRuSH-Dark.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\batch.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\powershell.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\overrideMap.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\xml.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\fortran.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\rust.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\nppexec.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\HotFudgeSundae.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\vb.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\perl.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\actionscript.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\cpp.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\stylers.model.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\nppLogNulContentCorruptionIssue.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Plastic Code Wrap.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\baanc.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Black board.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\gup.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\java.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\php.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\pascal.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\lua.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\cs.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\c.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\java.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\BaanC.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\LICENSE	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\typescript.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\updater\GUP.exe	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\cmake.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\typescript.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\sql.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\themes\khaki.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\vhdl.xml	npp.8.6.2.Installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\tex.xml	npp.8.6.2.Installer.x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	notepad++.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4286256601-2211319207-2237621277-1000\{EB0D9918-2780-4790-BB5A-7F768EE2477A}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	notepad++.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ANotepad++64\ = "Notepad++ Context menu"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	notepad++.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ANotepad++64\NeverDefault	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad++.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shell\ANotepad++64	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	notepad++.exe
Key created	\Registry\User\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\NotificationData	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\ = "notepad++"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5c003100000000004b5825b210004e4f544550417e310000440009000400efbe4b5824b24b5826b22e00000066a802000000030000000000000000000000000000007c0cd3004e006f00740065007000610064002b002b00000018000000	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	notepad++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000004b5824b2110050524f4752417e310000740009000400efbec55259614b5824b22e0000003f0000000000010000000000000000004a00000000007414a900500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	notepad++.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	notepad++.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings	notepad++.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	notepad++.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 672275.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
456	msedge.exe
456	msedge.exe
4528	identity_helper.exe
4528	identity_helper.exe
4496	msedge.exe
4496	msedge.exe
864	msedge.exe
864	msedge.exe
2832	msedge.exe
2832	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4460	OpenWith.exe
1472	OpenWith.exe
2892	notepad++.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
4460	OpenWith.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
1472	OpenWith.exe
884	npp.8.6.2.Installer.x64.exe
3052	gup.exe
2892	notepad++.exe
904	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe
2892	notepad++.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2096	4460	OpenWith.exe	81
PID 4460 wrote to memory of 2096	4460	OpenWith.exe	81
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2096 wrote to memory of 2896	2096	firefox.exe	83
PID 2896 wrote to memory of 1092	2896	firefox.exe	85
PID 2896 wrote to memory of 1092	2896	firefox.exe	85
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 708	2896	firefox.exe	86
PID 2896 wrote to memory of 3360	2896	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin.sh
1⤵
- Modifies registry class
PID:4768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\bin.sh"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\bin.sh
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.0.296920988\1711536129" -parentBuildID 20221007134813 -prefsHandle 1780 -prefMapHandle 1776 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d43c0e8c-7ba5-4eb4-bc95-1b575c2a4fce} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 1868 1dee4bbc458 gpu
      4⤵
      PID:1092
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.1.1445817244\1083541744" -parentBuildID 20221007134813 -prefsHandle 2260 -prefMapHandle 2256 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b157f590-da88-454a-aef3-c0b409ac06c9} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 2264 1dee4afa858 socket
      4⤵
      Checks processor information in registry
      PID:708
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.2.440312271\2056909014" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 3056 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cf1fe0a-fd27-4ac7-9bde-c7b7a1994dbc} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 3204 1dee9fd7058 tab
      4⤵
      PID:3360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.3.242881099\984258355" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fec9b99-0d6f-4f33-877e-ec7d2391f805} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 3480 1dee8a09a58 tab
      4⤵
      PID:4476
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.6.391889410\197430982" -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dab48b-228c-46e5-9e76-342f950d9196} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 5472 1dee8a2a858 tab
      4⤵
      PID:1424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.5.1369476788\1701606973" -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1d9cc25-3d74-4a96-a8f3-d8af34896290} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 5284 1dee8a2a558 tab
      4⤵
      PID:2784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.4.1958658770\1559427086" -childID 3 -isForBrowser -prefsHandle 5124 -prefMapHandle 5112 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f07a9072-959b-49ba-bfc3-5b6e0c22baa4} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 5072 1dee8a2a258 tab
      4⤵
      PID:748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2896.7.1585345957\1533820395" -childID 6 -isForBrowser -prefsHandle 3324 -prefMapHandle 4428 -prefsLen 26763 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c347453f-63c6-434d-9876-8b3dc9ed1128} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" 3200 1deee121858 tab
      4⤵
      PID:4040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1472
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\bin.sh"
  2⤵
  PID:608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\bin.sh
    3⤵
    - Checks processor information in registry
    PID:4000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\Downloads\bin.sh
1⤵
PID:1328
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\Downloads\bin.sh
  2⤵
  - Checks processor information in registry
  PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2d673cb8,0x7ffc2d673cc8,0x7ffc2d673cd8
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- C:\Users\Admin\Downloads\npp.8.6.2.Installer.x64.exe
  "C:\Users\Admin\Downloads\npp.8.6.2.Installer.x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:884
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
    3⤵
    - Loads dropped DLL
    PID:4016
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files\Notepad++\contextMenu\NppShell.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:3984
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" "C:\Program Files\Notepad++\notepad++.exe"
    3⤵
    PID:1092
- - C:\Program Files\Notepad++\notepad++.exe
    "C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Notepad++\change.log"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8296 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8352 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8360 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8712 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9296 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9312 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,1041264207915188539,1037535330570943744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9632 /prefetch:1
  2⤵
  PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C8
1⤵
PID:4208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3792
- C:\Program Files\Notepad++\notepad++.exe
  "C:\Program Files\Notepad++\notepad++.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2892
- - C:\Program Files\Notepad++\updater\gup.exe
    "C:\Program Files\Notepad++\updater\gup.exe" -v8.62 -px64
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad++\contextMenu\NppShell.dll

Filesize
388KB

MD5
a3f7ba2ee563b50dcd411376f66c8d02

SHA1
b865b1e878b3a68538c5ebe0aeffc98ff617736d

SHA256
42272408ffb295313636f3f3b19947079339e32b43368d6c379fd8c911ec5122

SHA512
40b69e2dca62984d4e28d9db822961ffd41df5911ed83b5e826668d5aafeb0ff101139dcfb7c51f96b7f9ee417155cf421ad7a743159b722bb2841729f4a7193

Download Submit
C:\Program Files\Notepad++\langs.model.xml

Filesize
451KB

MD5
e2720d29d41e4373d807701e8c7e74f7

SHA1
42f6abe22a32bc4a3e389205bb1e82f6685f81a0

SHA256
b21447e1d7fa8e21a8641638701e18a30ebf491766b8f2071aa12c5595b4b1e8

SHA512
4cacc1190641f4de8523751183f4edfc0042dad415a7963fe221e2186aad4759c4831b61fb77e27ee8bc1cb16c876e04288be00c972f6326821ef516336bbf99

Download Submit
C:\Program Files\Notepad++\notepad++.exe

Filesize
6.9MB

MD5
ea0167b2420c24a2e151c93edda4d7a4

SHA1
e46ab8c95852e639646957f6214d7eb267b9d488

SHA256
e8cd50b75ff8ab807bb42769424a4b8511c80c638005ff3f79dd853070c71624

SHA512
495786ee5c706a2bfaf256bfe26ca5d78e106af24b11a9affe0b2fac68d6348e6b51f4f03ddd9ec6aa1bcc186f7467c341fba6efe85b62576befb3384d6ba70f

Download Submit
C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll

Filesize
203KB

MD5
b65fdddd07b2cac6fbe48b965a7f3f10

SHA1
57873c8ae4ef062340299db8e92e616121011a51

SHA256
9ff8dbeb2d3ca17cd543621464f37b3d9b78b7d9194e83294e9d06624fabb7bf

SHA512
5afaf8409a8572f353c51e0e44201d0ab12a9c94aa97fee8097334cf5e37f409e123b852c3b139cd506ea8e8a802e0a771a0ce4ebea04c3905edd47e9b64f64f

Download Submit
C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll

Filesize
199KB

MD5
13c6c862f6efcab7f9190ae77091f8c3

SHA1
c80d1e8be75b658b2d226febc9365e1b7eed2f31

SHA256
88ded8ea380aa1b2deb5a6ba0c600e74a445c862919bf15cd0deed3987f1951e

SHA512
1518993690daf78d7883c19a6b9d78be205542888ce06f4e4a484b02b9108b13180657c45e93ddad0dfbea33554ca707ac5a170190ed27d35f3023647b3dc14a

Download Submit
C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll

Filesize
153KB

MD5
2e9427296085643dd15eed57360c4490

SHA1
ea9cf44eac4d19e7dbc723b5ce2541dd9d6de31c

SHA256
089780324ce5e5482876a9da6271dd7d7c0acc41dfff03deb6c5c1925828dd8b

SHA512
b5089dd044b670da06fc95449a05fdc73cfe428e49eff55de2d73c4e9905cd82d32eb3567bf7709105fcb253c05d66552988599628f55afdec07543a546453cd

Download Submit
C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll

Filesize
145KB

MD5
27aa04bd27cd40bebb2fe0f2923b3670

SHA1
c0c5e034dacf5fb86f1fb83bd7870f4465ec6618

SHA256
cdbdd182cac307ea29fcffde1243f73c07ea746d72fb94a38a3363e928de4039

SHA512
8b5d5dfc8168698ddb4e395dab4c1458ae63254e4d823dfae761a39c2aaeb335e3fce4cc37e7230bdf16a15e7c1ba865e9bbd88770320379edf932fee29ad13c

Download Submit
C:\Program Files\Notepad++\shortcuts.xml

Filesize
3KB

MD5
fb573784b83033dd4361f52006d02cb8

SHA1
0a2923a44ec1bd5e7e8bc7cace15857ae03bf63c

SHA256
37a24662cd55b627807bc2bb7cbba5bbf2abaf6da4dd7bbb949bfaa7903eae9c

SHA512
753b44b5e8bea858cf5cc5ddfdc38098a2f3f921949cf98706ead95bdfa1de7ab0c115e9d69237623a03c422969480204c69d3ba277141527458c68230d0c67c

Download Submit
C:\Program Files\Notepad++\stylers.model.xml

Filesize
182KB

MD5
343b8f55f376e88674733286d027f834

SHA1
466886054d5c2641ba6058f58a7a84053aa4696e

SHA256
f002b36e70f0fb159885c21fa6e6395176cd50a254201a94cbed756d9843fa9a

SHA512
ef6643badbb87739f0ae847d201651f8d3e677c54ca2aa3f81277b053355772f71d9b0f490617c104ce861a29e2b283fe6d82faf4cfe8f10bfc571d683cfea8e

Download Submit
C:\Program Files\Notepad++\updater\gup.exe

Filesize
818KB

MD5
1884dd352c2b8df7e7ee80573af580ac

SHA1
cabd8ed8b7c65f403ecdd90a9dff142b044fb3fc

SHA256
f22a7438a2226321324a81926bb311c25377ce977a32c84064d29e932fa22598

SHA512
a90fa4a1dbf789b0a9d085e4e3dfbb6fe2efe5dccabe311bb6411529e5cb465e575291e414d86acbe82c9b39eb6d6cf92c45e5d29d6ff75782d98c201863039c

Download Submit
C:\Program Files\Notepad++\updater\gup.xml

Filesize
4KB

MD5
abde55a0b1cb4a904e622c02f559dcd1

SHA1
1662f8445a000bbf7c61c40e39266658f169bf13

SHA256
92717951aae89e960b142cef3d273f104051896a3d527a78ca4a88c22b5216a5

SHA512
8fe75fb468f87be1153a6a0d70c0583a355f355bfe988027c88d154b500e97f2c5241d9557ebb981067205e2f23ad07b6a49c669cd3e94eaa728201173b235a0

Download Submit
C:\Program Files\Notepad++\updater\libcurl.dll

Filesize
728KB

MD5
55749af1692a3e5ddf168a0d212ae549

SHA1
0edfb6d343a5d8ccb68f836dbfa40ccdf2ecaab0

SHA256
6b15342b708e58e7dcec14ebd54bbcbc33d7081d8ffea93f8c59b64879e011f0

SHA512
7042a8a82bbf402a41be9eee63b2a2ea8f57b0226b1019cc652bf0050e75f833d11c7f64b0fde46d4d3882ec5eab85b8d15f41a50133d69990b80bd70d1df032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0bed556ffeb1e69835b408d733b041f0

SHA1
e2aec94abd489a26f36a9694c7ef3903af6409b6

SHA256
7d60b9117a935eaba25d7273a5b5e8ba04ece22672661ecb37a3c8a08f61def3

SHA512
47d492a7c72f9d12511f070d7d28451b1c52c5f0d446890e704b02bbc51330b1890c5ac4e050d514ff1bfd9c64421adeebee114718042af5aee3f5fdfb413fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
62KB

MD5
b92765b253928873eadc9f4203a6b75d

SHA1
f18fd29a4c4c51f124ca128d32b36b6d662ae546

SHA256
f62facef855540dbca4cc8419f8bc454e05ed6d2df68c19dd85529a72a4124f4

SHA512
8cbde23274298ea87325b19b0b418448d0e664f7f9d2fbfa689d3ba27e00dd15fff1fd9a269c26c7703c9ab620be8f362462dd4ab7af85d4d944a2795021d019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a6db0a6253cb819aed7c996e10b56c14

SHA1
476b576cbe3042f68f950f36c1845919d100a653

SHA256
48c82799ab1d4ad567093d83a318e1506c4dc90dc808aaccbc4de338abe96cf5

SHA512
7ee92e0137d15aae6a5b48dba566caab7d3500dbb711ecc3853ad7052c338963d14458553a6bddc1874aaead5e4ece55169582bb0c39c04fb4bdfbbb867f2240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
52dd263e5e013776ab5e2b8132b3c3df

SHA1
dc65eba0815f4258d408d49f7bec4f086d911044

SHA256
66caa8d29ce28d6a6b8e2152026b9531c23f3d1910b13e235b7c5903b05016a5

SHA512
44ab7ed242c20a960d2838b0a4173d378de9b3c28968033957184713785a2e67ff51a8321bc2ce85adb36b60588e33f69fb71abd3f23a5fcc7c3e276db6e268f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
55e4d48b63d6d13c557e709d42965429

SHA1
8805e27c3dc614bad58d38936dec1915cf58d9f1

SHA256
5ece8462efa1b6e1de0173d351908472bfc8a4c0fda56be2270b80dc84f0889e

SHA512
265fa27862ad321fdd9680fece55099fba49a1f27b53018eb2a755e35dd875de4c0c578982046d881eb8789beff0591c106fe0d3ab7167a939936efe8385974c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e09a84a598d51cc1dedba3a1556e1b1c

SHA1
f3a6cc3804dd11508dc1369bf111ae357a413552

SHA256
72b1fedb4ec19696998b52aeee8ebb71af722667d1f73c26632d6723e511e0b7

SHA512
70aa373df27665de152a49a79f1ef22b0859deba55f1947bc3ac4c7317b1c9d1b3ad0da76ba38ada8a1a01c59a52b66abc3e22563f6b3d24440546e20e99275c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9f9f824c3e8bf08920755f767e186dcd

SHA1
8d3c7bb8e681dea0738c8e6065f2c824834547fc

SHA256
93ab2899df5f508a6518fadab4307716061b1fb6060b6376dbd48d30ed6eaa90

SHA512
106d4b1e5105cf31411f9d3dbab8c53f1f226da328d98f87ee47ee52f7df37f5658329cb05ea8a30d23147c808763f96453f120a265d48d60eefee3613f5d8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
496b5aa5f3af43dd1f791f0bbf8c2290

SHA1
d4475c2a21a66ee5ca092ea227e1a43f30914423

SHA256
cabe4803e1ac7d2bd102aa125ec8652c8f9141ef9196dfce48b3e17fe13dce6d

SHA512
26cd5bed8154ca13a043ea35f51a1dd3c0a6aeb3aa0067e2ff0cc7ce894d8a9d29a0905addc85544204767f2d78efe4763ed23adb15e7245637c63896224f159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82b296b1c7a42abc56b369993d89962a

SHA1
82251323ad6ca14e46b3ffa5a91dc6b1ff7fb188

SHA256
132235fac6bf85970a23c8c507f6f99bcf043a4c7065558e06b6e94bc52a7f75

SHA512
a05ff881a5304764b4fc6c582e7965f064ddbbbe780dbef617717c202866fbfb293448e575a529264490b815810cd82fff22ea6f555eaf4828dc03ab4ed7775f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
5e1542ec05a1840cfb56ae87d1c2e16e

SHA1
25bdd95b83b7c614a6446609cff6ecbcab58d9d8

SHA256
41acd6ffea81ff1b8b58a4693696a397817473eb899edbf6606314820a8e40b8

SHA512
12c32368cbedc3d2515907ab740c75022fc4eaecec9b45734f346db0df209e667b066b2fcd891e84193868ecec8b892e7b484c66a8b329562bad53a69b25c0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
669eedc209504860daa77e9bedc3f554

SHA1
304f675d16231daa50332b4a9d9bc61bcd3f0727

SHA256
bd6bf6f26f328527fd0475614359ec712da8d0edd1790bb19ac3e665368e8b41

SHA512
7c2abf70d710c5ee2c8f22bca5e740ea0e27daa6b3cd73a52814fb0454fe7759ecde9a6895bed54524ff82e19082a818445e4b8f4ea6cf3b871166e590cdcb69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fd7a893abadcd1b22b4398d47dd1fc5b

SHA1
e3d6155ded48f3841ac08022efe4a3e178f9a056

SHA256
aec5ce915ee2716fb22bb258dd88cf251fa48e192dc251cd64e438c2775046b0

SHA512
88204b4988dde4ada3bfa9c7a0f813584756ee49a285ed4954b0b9562d6164101173e17ecb92a76394a7e096fd52009027a5d7c144b067aae9030e4abdbbc44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
af90f987b5d663a156c767dd0dafbdda

SHA1
75f3394abed1c07c1e1c1a0603d38b87d89ae0d5

SHA256
b06d4005f60aa08e8d8d992953ca8e720de254b406f70b933e62522979e7286b

SHA512
29d7d6c487a4447ce144836688f7f9da76ef1700bfd2b7a97516c8133108a2e817632fe7d467f329f35f1b3fed8f9f819c7585b9a9886f8326f4a1b6988adc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587f2e.TMP

Filesize
1KB

MD5
94127bb76d7ee78fe0f1604fdeca75d4

SHA1
e91cf92014cec7cab27702d155b1b682fae960e8

SHA256
937e2247bbda1afc4923f30ee8be1bc4f259fd08909584aab9c79cedf4addc83

SHA512
599eb046dbcefa9b3aca5827192263754b98d8db40545d656345b35af32277898d9c6399ced52b2ff32ee32a26d1b3dd7901c7586f88c35191caae51d6009e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5ba3fafa83ef11d15751f1e6b114a55e

SHA1
86e23b30f7b0bf55ba61182628c12c24a68014c4

SHA256
486de836f33d6889262eef18f21b9138383068d97bc8e097ec312d8976d8e5ca

SHA512
8261aab0e39aa206135a167e4318a3c7cf3d6f5cb42bf9d51af748cc0ed15c19f774c52425dbabf5f1ed1990f05cd953cc3410aeab96d8b61b94e90c76a04e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
65ebbba82741396a57ce75d331f36841

SHA1
d9eac0000ec2bb12fa8998bc6c58371887a63258

SHA256
06a752735a30dd6df91a34f8fbf92b7ca66f015011956bbaa8193c0697ee1bdf

SHA512
708b22d1d08f0c5c4a48a54d35a5cdea58a4bc849fa92333c25ec48efa20fbec7d841f1fd714c253dd04a66948c73c091fdb5a7ffa1dbad399e68cbde1f151b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
dc760b41d60bc6daa377eb65751e52d6

SHA1
4aed9e27cac3676ce17a8b15d308b927437920af

SHA256
b8faaeaccb344f21a4ff38095831bed6c3b394f29de747b4f4c4f14ceed9c6a4

SHA512
7f0cd2fdd7fbf492b8db3150de3798e7b298d861608b3c443f5b7af46d7af07c313a5027d2627f451f7f9a16f3ff63f51538821cc80bfeac7f6fc0e515c0977b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\ioSpecial.ini

Filesize
1KB

MD5
a97fd34381bfd5c011d9f58fe24cfb7e

SHA1
38ee3531bb970ec96873e3933415a08bf980fdd6

SHA256
86b38fa18f6439c0d740eb1446a211932d659b71d5622c5bed1b28f0f4e01605

SHA512
4a3f453f9fa573215e38564f0dbd287e0641e00c0ce6d9765e5ed485478a3710d93899c6cb1247ea7201a959c09d49e5bcc67abf73ca9f69e1f2210229b743e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\ioSpecial.ini

Filesize
1KB

MD5
47be03270f80ef5501543c8ed927324c

SHA1
2f157f37612c5447a1337e597bb68551038332ac

SHA256
a0eb5a440586c974f9daea569d88a9c3f3c2a5f89a25ed579f103f3de7433977

SHA512
b025821c38e7a43d7649e09c91af88c5c9db7feb0eca75c671e8714c71a07b4f94c289c842dc00bcf6666b9993963df01f9eacb3f3dd882f006335bea7db0d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\ioSpecial.ini

Filesize
1KB

MD5
0c521173199af5c2684e011ff6105df5

SHA1
b2de09f6dab0c43309a0f87390c3161722052e2b

SHA256
eed25c5e14d451aaa1c0e58dac94a2844b172746c8d46184028ba8cb199193c2

SHA512
e8a9d7a0056179da09937e23121ff5b703ec573e1fa51430ea87968f69d8d7ed8b1b61b5c33654b2fb02c47b256d8e9afb0824c17b4467e2375c6984ae4d57ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB39D.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3a738d0d181b3940243633cf47422f09

SHA1
40febf6b92aa796c0647814cbee7c9abdb6634b2

SHA256
7211fe6430b51ed17cc40e6b875ae7b1ccb720aeb959a6000a972feb1159369b

SHA512
135400dd71afda74c11592801042ba9ec9f6bf4845542c757875919506249eca7cbb75b6c76333b86dad84359531942300917bb7ea54f636ad0590e3a164b4e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\datareporting\glean\pending_pings\42055bfc-452e-45fe-aa7f-2cb6b7581d8f

Filesize
746B

MD5
ee0178711c40bbe4a45611d335027444

SHA1
56aab874d3b526707f32faf4a382cdcadd95db76

SHA256
585ebbc9a750bebd69b9343cde7d6950bb8bb519c28f1e43a7b7621e3f22132c

SHA512
3d70e979967ce1576520619c53342b7a22efdd008e9a3132d7b42bce51d9ab247a7a9f340c50296f0834f1a1c8b65ba74d014e993310f99d26a85b98dfd33d2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\datareporting\glean\pending_pings\caf877a6-f07f-4ae5-8201-ff93dbab656d

Filesize
10KB

MD5
c0e52e8ee5024e6c84d447ce898b86ec

SHA1
3e921aaab670ffc12dccdaf0447b75002d2eaa65

SHA256
b9c6a0cb56c8ab209b2874977b9a83714a946160cee39021363dda71a72d1977

SHA512
177c1c3bc1cea72367ecdb364916fb4cddfa720eddeb64ca785bca9556169f0a284fdc993dc62cafe2f83a771733897481b546e0abb39f097d17fbc044f6ae1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\prefs-1.js

Filesize
6KB

MD5
a66bce32cc92ff570ff0cc71fb7b9bbd

SHA1
ba5814a48953d40d45f9e89ff13fd26e8eb05a2e

SHA256
adf9617bae430e70a6901de13035ca989dccd16a16b272f33e1c87c8b610f107

SHA512
688aa3c10d467d545b2c869c95cca7be69915ff74f87c1289a8d46eb601f243321151ef96efd3d41380eae194ee467560df16d1d6dcd5e7231300e795661aefb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\sessionCheckpoints.json

Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
0fd036c36b8881ac2cdd8c70bdff9e7a

SHA1
d7fd9cbf089714f21f53523b3b65424ec115bdd4

SHA256
95085fc54da8b1eca977f37c350b9a272fe005d6e95fbc8f4c44be7769c1146e

SHA512
a52216db3bee74c036040c9c6c38fbdbc9557034ef910dbd73a7b5ea979a92fca24b76a8973a82b136fec7e23c7e3bf8c5a7b650d78943a7fdf8d1f9a02c4bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f277fced1d45e3edfa82290b1526e70f

SHA1
f992e6423ecaa22106bc07bb549d15ae750f1a3a

SHA256
2c4341cb9e470f53b7ad86f45d5011e46f72758ff941bc344698480d272cb866

SHA512
93e716f6f13b6033a3a015cc0e699d76ed3c48f8e598ec95dd63834da2661c6d3063b58749f11dd2eb221c83407f7ac9be700ad400f89e867fd61a38c433b6fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
a9795d2d9f4ccb4cba7875366029a946

SHA1
f167432d3a88acbef9ab01ef146ebdfce5ca0108

SHA256
f92778fedbe91cb403bb29c06c86674c55a2c75c252c6a0d4ff69cf071459286

SHA512
153e8f2fb9104c0f8653d42f1ab7c63912032e0c702e94331afd99ffeba3bee25b5f5c0bd9d460abc103df19d9da2c72e4052b78bab8ec21ab6570b170a4fa8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4uf7yb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3e6573f6b3f1b169bd09a5fbb36cb927

SHA1
4e8dcda7a54ff55a631244cba426c2e305bb2dbe

SHA256
dd66f6c4a6bdedf4509f6df021e40a8e368a81544be8c90aa621d29a48875639

SHA512
4cf59c35d51fc20b675e11e2be95768dc21d028901d76fa1fc05a71879d526f429b2bd8f4280836e8cdba33a2b1be8f83dde467a3d41ef774b34fa3c52b16234

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\contextMenu.xml

Filesize
4KB

MD5
fde4cc09d1c18c6cd7c1a4878e89d27e

SHA1
22fba21b254fed1a60da5de2b8af3cf6e132b647

SHA256
43ac0b7ba9b1f91fd8d4841b8119344e6212b307a1decccf61658f31d38bb425

SHA512
fcc87b93cb4dd0949e82edb7d2788d7abd317f9f4c5f046ceba1cd85a64b12b29c6baba3e8646265db02a48a2dc20c3b5e893a1334d9b1e91d26692b4e9c2d29

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\plugins\config\converter.ini

Filesize
646B

MD5
f07150054a6afff4d8e9d58899167722

SHA1
e092cd960ab728667d91b37d64a02d7f6821518b

SHA256
5b0a08439e8e93817772f84e1098f14152d9da36c2601a0600ddaae6f61359d0

SHA512
8c86aa4c058a8ab5fd26f21cacc8ddaffa8ce6012bb329d3c5b817da00b4b43018a575c768d1921c6eeab7537f172c7cb3de658b014365ea52fb3c87547182b9

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\toolbarIcons.xml

Filesize
2KB

MD5
bc4b775a277672fc7edf956120576ecb

SHA1
fe7c2db5b4d4c5a3f5603cf56c4d71cc9ee2d71d

SHA256
4ec98de37193f41242c1a47507bcc4c1af555e71154f7354272bc3e664e19877

SHA512
f87dc3ce52831ee308fbfa2b1b94c07e2811e7028360f046e012f8ea5a8f0ebcd362de7a663dee810c3da0791474c1485b1a2626c7867e76236156b125ff39b2

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled.udl.xml

Filesize
6KB

MD5
672e6d5f89887666ec94711e442644e0

SHA1
8d069ae93347316eff0dcf7aff4d22da18a62af2

SHA256
b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04

SHA512
8fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled_DM.udl.xml

Filesize
6KB

MD5
3690cef1865e32fe6be1b2ec7656539a

SHA1
bc043bec63c310a60d9e242810036460c467945d

SHA256
e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25

SHA512
c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 672275.crdownload

Filesize
4.6MB

MD5
027915384e3cc7b04d9e636171aa3e15

SHA1
b4785869c7642af6107af65e5cbacdb9124b0aa2

SHA256
724c134f991443085bfdd1bff6595d5eb85bc67770bbecaed43c4505e01724ef

SHA512
517a04c36d12b25ee2095bb2949831c0225f24aa8505b2423113bf3e9f02dba55458d078b85a68f08ca24e119c8b7f788bc8c25d22fd950762236970728bdd72

Download Submit
C:\Users\Admin\Downloads\bJgLewQN.sh.part

Filesize
132KB

MD5
a73ddd6ec22462db955439f665cad4e6

SHA1
ac6962542a4b23ac13bddff22f8df9aeb702ef12

SHA256
b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

SHA512
92a52f68a7324c4d5876e1f7e2cb87d14b8604b057ceee2e537815568faa96abf576a22111c5c976eff72ab9015f1261b2331d4b4d711f4e62c8eb403c2377aa

Download Submit
memory/2892-1615-0x00000210EA3A0000-0x00000210EA3C9000-memory.dmp

Filesize
164KB

Download
memory/2892-1648-0x00000210EA3A0000-0x00000210EA3C9000-memory.dmp

Filesize
164KB

Download