Malware analysis notepad.exe Malicious activity | ANY.RUN

Add for printing

File name:	notepad.exe
Full analysis:	https://app.any.run/tasks/e516277c-c8d9-4f95-9256-7980de83b16c
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 22, 2024, 21:37:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware innosetup loader stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	B50D94184624ACC7519A7527240B69F4
SHA1:	882D4A8D6A744EA1D490E2EA88F86B711E3FA3A8
SHA256:	B5F3F6B5FCA984356218490651C523B039718DA267C61FDA6A41DF54AF697570
SSDEEP:	98304:x0JSc7B7QULpkgCv+mN+h4QhG5EGblrVP6m+bX8SXOhNQ9MYz5NiVsmerpqxXEdm:bcjYm/Wme7B/1b93

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - notepad.exe (PID: 1328)
  - notepad.exe (PID: 5396)
  - notepad.tmp (PID: 5540)
  - notepad.exe (PID: 2380)
  - downloader.exe (PID: 4992)
  - msiexec.exe (PID: 1720)
  - msiexec.exe (PID: 5268)
  - Yandex.exe (PID: 7392)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - lite_installer.exe (PID: 916)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 3480)
  - 360TS_Setup.exe (PID: 6296)
- Scans artifacts that could help determine the target
  - downloader.exe (PID: 4992)
  - lite_installer.exe (PID: 916)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
- Registers / Runs the DLL via REGSVR32.EXE
  - notepad.exe (PID: 2380)
- Actions looks like stealing of personal data
  - lite_installer.exe (PID: 916)
  - seederexe.exe (PID: 5196)
  - 360TS_Setup.exe (PID: 6296)
- Steals credentials from Web Browsers
  - seederexe.exe (PID: 5196)
SUSPICIOUS
- Executable content was dropped or overwritten
  - notepad.exe (PID: 1328)
  - notepad.exe (PID: 5396)
  - notepad.tmp (PID: 5540)
  - notepad.exe (PID: 2380)
  - downloader.exe (PID: 4992)
  - Yandex.exe (PID: 7392)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - lite_installer.exe (PID: 916)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 3480)
  - 360TS_Setup.exe (PID: 6296)
- Reads security settings of Internet Explorer
  - notepad.tmp (PID: 1252)
  - notepad.tmp (PID: 5540)
  - downloader.exe (PID: 4992)
  - notepad++.exe (PID: 4364)
  - lite_installer.exe (PID: 916)
  - explorer.exe (PID: 7436)
  - Yandex.exe (PID: 7392)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 6296)
- Reads the date of Windows installation
  - notepad.tmp (PID: 1252)
  - notepad++.exe (PID: 4364)
  - downloader.exe (PID: 4992)
  - explorer.exe (PID: 7436)
  - Yandex.exe (PID: 7392)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
- Reads the Windows owner or organization settings
  - notepad.tmp (PID: 5540)
  - msiexec.exe (PID: 1720)
- Process requests binary or script from the Internet
  - notepad.tmp (PID: 5540)
  - downloader.exe (PID: 4992)
  - lite_installer.exe (PID: 916)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
- Malware-specific behavior (creating "System.dll" in Temp)
  - notepad.exe (PID: 2380)
- The process creates files with name similar to system file names
  - notepad.exe (PID: 2380)
  - Yandex.exe (PID: 7392)
- Searches for installed software
  - notepad.tmp (PID: 5540)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 1676)
- Process drops legitimate windows executable
  - downloader.exe (PID: 4992)
  - 360TS_Setup.exe (PID: 6296)
- Checks Windows Trust Settings
  - downloader.exe (PID: 4992)
  - msiexec.exe (PID: 1720)
  - lite_installer.exe (PID: 916)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 6296)
- Explorer used for Indirect Command Execution
  - explorer.exe (PID: 5268)
- Potential Corporate Privacy Violation
  - downloader.exe (PID: 4992)
  - lite_installer.exe (PID: 916)
  - notepad.tmp (PID: 5540)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
- Starts a Microsoft application from unusual location
  - YandexPackSetup.exe (PID: 6732)
- Adds/modifies Windows certificates
  - downloader.exe (PID: 4992)
- Creates a software uninstall entry
  - notepad.exe (PID: 2380)
  - Yandex.exe (PID: 7392)
- Changes the title of the Internet Explorer window
  - seederexe.exe (PID: 5196)
- Reads Mozilla Firefox installation path
  - seederexe.exe (PID: 5196)
- Application launched itself
  - downloader.exe (PID: 4992)
- Changes the Home page of Internet Explorer
  - seederexe.exe (PID: 5196)
- Starts itself from another location
  - Yandex.exe (PID: 7392)
  - 360TS_Setup.exe (PID: 3480)
- Creates file in the systems drive root
  - 360TS_Setup.exe (PID: 6296)
- Drops a system driver (possible attempt to evade defenses)
  - 360TS_Setup.exe (PID: 6296)
- Drops 7-zip archiver for unpacking
  - 360TS_Setup.exe (PID: 6296)
- The process verifies whether the antivirus software is installed
  - 360TS_Setup.exe (PID: 6296)
INFO
- Checks supported languages
  - notepad.exe (PID: 1328)
  - notepad.tmp (PID: 1252)
  - notepad.exe (PID: 5396)
  - notepad.tmp (PID: 5540)
  - notepad.exe (PID: 2380)
  - downloader.exe (PID: 4992)
  - notepad++.exe (PID: 4364)
  - GUP.exe (PID: 6748)
  - notepad++.exe (PID: 6136)
  - YandexPackSetup.exe (PID: 6732)
  - msiexec.exe (PID: 1720)
  - msiexec.exe (PID: 5268)
  - lite_installer.exe (PID: 916)
  - seederexe.exe (PID: 5196)
  - downloader.exe (PID: 7312)
  - explorer.exe (PID: 7436)
  - sender.exe (PID: 7480)
  - Yandex.exe (PID: 7392)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 3480)
  - 360TS_Setup.exe (PID: 6296)
- Reads the computer name
  - notepad.tmp (PID: 1252)
  - notepad.tmp (PID: 5540)
  - downloader.exe (PID: 4992)
  - notepad++.exe (PID: 4364)
  - GUP.exe (PID: 6748)
  - msiexec.exe (PID: 1720)
  - YandexPackSetup.exe (PID: 6732)
  - notepad.exe (PID: 2380)
  - lite_installer.exe (PID: 916)
  - msiexec.exe (PID: 5268)
  - seederexe.exe (PID: 5196)
  - downloader.exe (PID: 7312)
  - Yandex.exe (PID: 7392)
  - explorer.exe (PID: 7436)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - sender.exe (PID: 7480)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 3480)
  - 360TS_Setup.exe (PID: 6296)
- Create files in a temporary directory
  - notepad.exe (PID: 1328)
  - notepad.exe (PID: 5396)
  - notepad.tmp (PID: 5540)
  - notepad.exe (PID: 2380)
  - downloader.exe (PID: 4992)
  - YandexPackSetup.exe (PID: 6732)
  - msiexec.exe (PID: 5268)
  - lite_installer.exe (PID: 916)
  - seederexe.exe (PID: 5196)
  - downloader.exe (PID: 7312)
  - Yandex.exe (PID: 7392)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - sender.exe (PID: 7480)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 3480)
  - 360TS_Setup.exe (PID: 6296)
- Process checks computer location settings
  - notepad.tmp (PID: 1252)
  - downloader.exe (PID: 4992)
  - notepad++.exe (PID: 4364)
  - msiexec.exe (PID: 5268)
  - explorer.exe (PID: 7436)
  - Yandex.exe (PID: 7392)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - 360TS_Setup.exe (PID: 6296)
- Reads the software policy settings
  - notepad.tmp (PID: 5540)
  - downloader.exe (PID: 4992)
  - msiexec.exe (PID: 1720)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - slui.exe (PID: 6560)
  - lite_installer.exe (PID: 916)
  - 360TS_Setup.exe (PID: 6296)
- Reads Environment values
  - notepad.exe (PID: 2380)
  - msiexec.exe (PID: 5268)
- Creates a software uninstall entry
  - notepad.tmp (PID: 5540)
- Checks proxy server information
  - notepad.tmp (PID: 5540)
  - downloader.exe (PID: 4992)
  - lite_installer.exe (PID: 916)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - slui.exe (PID: 6560)
  - 360TS_Setup.exe (PID: 6296)
- Creates files or folders in the user directory
  - downloader.exe (PID: 4992)
  - notepad.exe (PID: 2380)
  - notepad++.exe (PID: 4364)
  - msiexec.exe (PID: 5268)
  - seederexe.exe (PID: 5196)
  - msiexec.exe (PID: 1720)
  - lite_installer.exe (PID: 916)
  - Yandex.exe (PID: 7392)
  - explorer.exe (PID: 7436)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - 360TS_Setup.exe (PID: 6296)
- Creates files in the program directory
  - notepad.exe (PID: 2380)
  - 360TS_Setup.exe (PID: 3480)
  - 360TS_Setup.exe (PID: 6296)
- Reads the machine GUID from the registry
  - downloader.exe (PID: 4992)
  - notepad++.exe (PID: 4364)
  - msiexec.exe (PID: 1720)
  - seederexe.exe (PID: 5196)
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
  - lite_installer.exe (PID: 916)
  - 360TS_Setup.exe (PID: 6296)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 6284)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 5268)
  - msiexec.exe (PID: 1720)
- Disables trace logs
  - 360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe (PID: 7536)
- Manual execution by a user
  - {34E72AC1-F5DC-4661-9B18-6EF6BF78C9D8}.exe (PID: 7684)
- Dropped object may contain TOR URL's
  - 360TS_Setup.exe (PID: 6296)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (63.4)
.exe	\|	Win32 Executable Delphi generic (20.9)
.exe	\|	Win32 Executable (generic) (6.6)
.exe	\|	Win16/32 Executable Delphi generic (3)
.exe	\|	Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:06:14 13:27:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	66560
InitializedDataSize:	187392
UninitializedDataSize:	-
EntryPoint:	0x1181c
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	8.4.7.0
ProductVersionNumber:	8.4.7.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	Notepad++ Setup (r2301041608)
FileVersion:	8.4.7
LegalCopyright:
ProductName:	Notepad++
ProductVersion:	8.4.7

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

165

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

916

"C:\Users\admin\AppData\Local\Temp\2F249E7C-8202-47C7-8CB4-24A2BB7810B7\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER

C:\Users\admin\AppData\Local\Temp\2F249E7C-8202-47C7-8CB4-24A2BB7810B7\lite_installer.exe

msiexec.exe

User:

admin

Company:

Yandex

Integrity Level:

MEDIUM

Description:

YandexBrowserDownloader

Exit code:

Version:

1.0.1.9

Modules

Images
c:\users\admin\appdata\local\temp\2f249e7c-8202-47c7-8cb4-24a2bb7810b7\lite_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

1252

"C:\Users\admin\AppData\Local\Temp\is-KRDV8.tmp\notepad.tmp" /SL5="$401DC,12108799,254976,C:\Users\admin\AppData\Local\Temp\notepad.exe"

C:\Users\admin\AppData\Local\Temp\is-KRDV8.tmp\notepad.tmp

—

notepad.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-krdv8.tmp\notepad.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1328

"C:\Users\admin\AppData\Local\Temp\notepad.exe"

C:\Users\admin\AppData\Local\Temp\notepad.exe

explorer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Notepad++ Setup (r2301041608)

Version:

8.4.7

Modules

Images
c:\users\admin\appdata\local\temp\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1676

/s "C:\Program Files (x86)\Notepad++\NppShell_06.dll"

C:\Windows\System32\regsvr32.exe

—

regsvr32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1720

regsvr32 /s "C:\Program Files (x86)\Notepad++\NppShell_06.dll"

C:\Windows\SysWOW64\regsvr32.exe

—

notepad.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1720

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2380

"C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\qyw4q4mb7YF\notepad.exe"

C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\qyw4q4mb7YF\notepad.exe

notepad.tmp

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

HIGH

Description:

Notepad++ : a free (GNU) source code editor

Exit code:

Version:

8.4.7.0

Modules

Images
c:\users\admin\appdata\local\temp\is-65ubf.tmp\qyw4q4mb7yf\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3480

"C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\ewCw7jtKRp3Sop_cDp2c\360TS_Setup.exe" /c:WW.Coin.CPI202223 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=

C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\ewCw7jtKRp3Sop_cDp2c\360TS_Setup.exe

360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe

User:

admin

Integrity Level:

HIGH

Description:

Installer Module

Version:

11,0,0,1118

Modules

Images
c:\users\admin\appdata\local\temp\is-65ubf.tmp\ewcw7jtkrp3sop_cdp2c\360ts_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imm32.dll

4364

"C:\Program Files (x86)\Notepad++\notepad++.exe"

C:\Program Files (x86)\Notepad++\notepad++.exe

explorer.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

MEDIUM

Description:

Notepad++

Exit code:

Version:

8.47

Modules

Images
c:\program files (x86)\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

4992

"C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\SV3XGqkqx8MW7QArW9f\downloader.exe" --sync --partner 26983 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y VID=14"

C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\SV3XGqkqx8MW7QArW9f\downloader.exe

notepad.tmp

User:

admin

Integrity Level:

HIGH

Description:

Setup Downloader

Exit code:

Version:

0.1.0.33

Modules

Images
c:\users\admin\appdata\local\temp\is-65ubf.tmp\sv3xgqkqx8mw7qarw9f\downloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

48 950

Read events

48 482

Write events

434

Delete events

Modification events


(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: A415000051E3F25E7FDCDA01
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 22B60181C92A92C487343FBD1AB69310F1F0C2DFFB764119CB00A05607D5D712
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	RegFiles0000
Value: C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\qyw4q4mb7YF\notepad.exe
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	RegFilesHash
Value: 7363B1608FE76A138724C546C24BFEC1E655EFBCB4BB9BE94BD7867DEC0A14F8
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Operation:	write	Name:	696E7374616C6C696E672D59616E6465785F636973
Value: 3726F1637FDCDA01
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Operation:	write	Name:	696E7374616C6C696E672D33363054535F73696E676C65
Value: 3726F1637FDCDA01
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Operation:	write	Name:	696E7374616C6C696E672D6C696E6B2D776F726C642D6F662D74616E6B73
Value: 3726F1637FDCDA01
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Operation:	write	Name:	696E7374616C6C696E672D6C696E6B2D776F726C642D6F662D7761727368697073
Value: 3726F1637FDCDA01
(PID) Process:	(5540) notepad.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Operation:	write	Name:	696E7374616C6C696E672D6C696E6B2D63726F73736F7574
Value: 3726F1637FDCDA01

Add for printing

Executable files

674

Suspicious files

640

Text files

605

Unknown types

Dropped files

PID	Process	Filename		Type
1328	notepad.exe	C:\Users\admin\AppData\Local\Temp\is-KRDV8.tmp\notepad.tmp		executable
		MD5:095136037790B7F1BE43755B92F54271	SHA256:4F664211F63898CCDDB38412E9281167EA783B108111B3A5C54C77CE640F8032
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\ewCw7jtKRp3Sop_cDp2c\Checkboxes_150.png		image
		MD5:C0E407C960B6F0C76B0F020F7E541643	SHA256:6026E4996C400C194EF312F5DCB0F8CA57ECE6540DD2D9C23E7BE01FC74067C4
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\idp.dll		executable
		MD5:55C310C0319260D798757557AB3BF636	SHA256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5396	notepad.exe	C:\Users\admin\AppData\Local\Temp\is-32S8M.tmp\notepad.tmp		executable
		MD5:095136037790B7F1BE43755B92F54271	SHA256:4F664211F63898CCDDB38412E9281167EA783B108111B3A5C54C77CE640F8032
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\is-PLVTB.ini		text
		MD5:D8B0D017F0A72C7DD34AACEA6C84D64B	SHA256:42B64969C83F9B5EBE6E54ED0CC396C86667C1E697C91F2FDCDCB5FC27318793
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\botva2.dll		executable
		MD5:EF899FA243C07B7B82B3A45F6EC36771	SHA256:DA7D0368712EE419952EB2640A65A7F24E39FB7872442ED4D2EE847EC4CFDE77
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\CallbackCtrl.dll		executable
		MD5:F07E819BA2E46A897CFABF816D7557B2	SHA256:68F42A7823ED7EE88A5C59020AC52D4BBCADF1036611E96E470D986C8FAA172D
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\SV3XGqkqx8MW7QArW9f\Logo.png		image
		MD5:F6D369CA0401028A9D6400FA33B6569A	SHA256:625112B42752867093EF31A9D556B3A3B1954E67B4C8E3EE2CAF8C0BB92013A1
5540	notepad.tmp	C:\Users\admin\AppData\Local\Temp\is-65UBF.tmp\ewCw7jtKRp3Sop_cDp2c\Background_100.png		image
		MD5:492B73C9CDA482F4528559B50FFA2263	SHA256:087F71CCB844C086CA60580FF07A81AC6E7E1034D6C5011E036FCDEABDCB8A6E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

117

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5540	notepad.tmp	HEAD	302	5.45.205.241:80	http://download.yandex.ru/yandex-pack/downloader/downloader.exe	unknown	—	—	whitelisted
5540	notepad.tmp	HEAD	200	5.45.247.53:80	http://cachev2-ams03.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=294	unknown	—	—	whitelisted
5540	notepad.tmp	GET	302	5.45.205.241:80	http://download.yandex.ru/yandex-pack/downloader/downloader.exe	unknown	—	—	whitelisted
4992	downloader.exe	GET	302	5.45.205.241:80	http://download.yandex.ru/yandex-pack/downloader/info.rss	unknown	—	—	whitelisted
5540	notepad.tmp	GET	200	5.45.192.4:80	http://cachev2-rad-01.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=309	unknown	—	—	whitelisted
4992	downloader.exe	GET	302	5.45.205.241:80	http://downloader.yandex.net/yandex-pack/26983/YandexPackSetup.exe	unknown	—	—	whitelisted
4992	downloader.exe	GET	200	5.45.247.53:80	http://cachev2-ams03.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/info.rss?lid=294	unknown	—	—	whitelisted
4992	downloader.exe	GET	200	5.45.247.52:80	http://cachev2-ams02.cdn.yandex.net/downloader.yandex.net/yandex-pack/26983/YandexPackSetup.exe?lid=289	unknown	—	—	whitelisted
4992	downloader.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted
4992	downloader.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDG8SbJzCh95FjOiQ9g%3D%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	52.167.249.196:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3656	RUXIMICS.exe	52.167.249.196:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3008	svchost.exe	52.167.249.196:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4204	svchost.exe	4.209.32.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5540	notepad.tmp	34.88.137.133:443	conf.datarcv.ru	GOOGLE-CLOUD-PLATFORM	FI	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
3008	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5540	notepad.tmp	5.45.205.241:80	download.yandex.ru	YANDEX LLC	RU	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	52.167.249.196 40.127.240.158	whitelisted
google.com	216.58.206.78	whitelisted
conf.datarcv.ru	34.88.137.133	unknown
stat.datarcv.ru	34.88.137.133	unknown
download.yandex.ru	5.45.205.241 5.45.205.245 5.45.205.244 5.45.205.243 5.45.205.242	whitelisted
cachev2-ams03.cdn.yandex.net	5.45.247.53	whitelisted
cachev2-rad-01.cdn.yandex.net	5.45.192.4	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
downloader.yandex.net	5.45.205.241 5.45.205.242 5.45.205.244 5.45.205.245 5.45.205.243	whitelisted
cachev2-ams02.cdn.yandex.net	5.45.247.52	whitelisted

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
4992	downloader.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
916	lite_installer.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
916	lite_installer.exe	Misc activity	ET INFO EXE - Served Attached HTTP
5540	notepad.tmp	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
7536	360TS_Setup_Mini_WW_Coin_CPI202223_6.6.0.1054.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

6 ETPRO signatures available at the full report

Add for printing

Process	Message
notepad++.exe	VerifyLibrary: C:\Program Files (x86)\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	E687332916D6B681FE28C5EF423CEE259D3953B9
notepad++.exe	VerifyLibrary: C:\Program Files (x86)\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	E687332916D6B681FE28C5EF423CEE259D3953B9
notepad++.exe	VerifyLibrary: C:\Program Files (x86)\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	E687332916D6B681FE28C5EF423CEE259D3953B9
YandexPackSetup.exe	IsAlreadyRun() In

General Info

notepad.exe

B50D94184624ACC7519A7527240B69F4

882D4A8D6A744EA1D490E2EA88F86B711E3FA3A8

B5F3F6B5FCA984356218490651C523B039718DA267C61FDA6A41DF54AF697570

98304:x0JSc7B7QULpkgCv+mN+h4QhG5EGblrVP6m+bX8SXOhNQ9MYz5NiVsmerpqxXEdm:bcjYm/Wme7B/1b93

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Scans artifacts that could help determine the target

Registers / Runs the DLL via REGSVR32.EXE

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Reads the Windows owner or organization settings

Process requests binary or script from the Internet

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Searches for installed software

Creates/Modifies COM task schedule object

Process drops legitimate windows executable

Checks Windows Trust Settings

Explorer used for Indirect Command Execution

Potential Corporate Privacy Violation

Starts a Microsoft application from unusual location

Adds/modifies Windows certificates

Creates a software uninstall entry

Changes the title of the Internet Explorer window

Reads Mozilla Firefox installation path

Application launched itself

Changes the Home page of Internet Explorer

Starts itself from another location

Creates file in the systems drive root

Drops a system driver (possible attempt to evade defenses)

Drops 7-zip archiver for unpacking

The process verifies whether the antivirus software is installed

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Reads the software policy settings

Reads Environment values

Creates a software uninstall entry

Checks proxy server information

Creates files or folders in the user directory

Creates files in the program directory

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Disables trace logs

Manual execution by a user

Dropped object may contain TOR URL's

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules