
Windows Analysis Report Notepad2.exe

Overview

General Information

Sample Name: Notepad2.exe
Analysis ID: 435307
MD5: f6d48867d815d6322199e90aa71a8c69
SHA1: f8f9c191d37b643a20870ab8d0af39780c4677ff
SHA256: c6086336a827a9852ee5cf6f46ffb7b1fccf82f194132a0c8a217d1240654f9f

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

PE file contains strange resources
Sample file is different than original file name gathered from version info

Process Tree

  • System is w10x64
  • Notepad2.exe (PID: 6948 cmdline: 'C:\Users\user\Desktop\Notepad2.exe' MD5: F6D48867D815D6322199E90AA71A8C69)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures. All signature results follow (Source | Signature detail):

Source: Notepad2.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Notepad2.exe | String found in binary or memory: http://www.flos-freeware.ch
Source: Notepad2.exe | String found in binary or memory: http://www.flos-freeware.ch.JNo
Source: Notepad2.exe | String found in binary or memory: http://www.flos-freeware.chFlorian
Source: Notepad2.exe | String found in binary or memory: http://www.flos-freeware.chflorian.balmer
Source: Notepad2.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported for three RT_ICON resources)
Source: Notepad2.exe | Binary or memory string: OriginalFilename vs Notepad2.exe
Source: Notepad2.exe, 00000001.00000002.942494383.0000000002D10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Notepad2.exe
Source: Notepad2.exe, 00000001.00000002.942494383.0000000002D10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Notepad2.exe
Source: classification engine | Classification label: clean1.winEXE@1/0@0/0
Source: Notepad2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Notepad2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Notepad2.exe | String found in binary or memory: et-event get-eventlog get-eventsubscriber get-executionpolicy get-formatdata get-help get-history get-host get-hotfix get-item get-itemproperty get-job get-location get-member get-module get-pfxcertificate get-process get-psbreakpoint get-pscallstack get-psdri
Source: Notepad2.exe | String found in binary or memory: [long list of PowerShell cmdlet names, omitted]
Source: C:\Users\user\Desktop\Notepad2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Notepad2.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Notepad2.exe | Static PE information: section name: RT_CURSOR
Source: Notepad2.exe | Static PE information: section name: RT_BITMAP
Source: Notepad2.exe | Static PE information: section name: RT_ICON
Source: Notepad2.exe | Static PE information: section name: RT_MENU
Source: Notepad2.exe | Static PE information: section name: RT_DIALOG
Source: Notepad2.exe | Static PE information: section name: RT_STRING
Source: Notepad2.exe | Static PE information: section name: RT_ACCELERATOR
Source: Notepad2.exe | Static PE information: section name: RT_GROUP_ICON
Source: C:\Users\user\Desktop\Notepad2.exe | Process information set: NOOPENFILEERRORBOX (reported six times)
Source: Notepad2.exe, 00000001.00000002.941733351.00000000013C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Notepad2.exe | Binary or memory string: Shell_TrayWnd
Source: Notepad2.exe, 00000001.00000002.941733351.00000000013C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Notepad2.exe | Binary or memory string: [long run of concatenated UI, settings and encoding-name strings, omitted]
Source: Notepad2.exe, 00000001.00000002.941733351.00000000013C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Notepad2.exe | Code function: 1_2_00007FF7ECA1AA98 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_00007FF7ECA1AA98

Mitre Att&ck Matrix

Techniques listed per tactic column. Numbers in parentheses reproduce the superscripts of the original matrix, which count the signatures mapped to that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Process Injection (1); Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Time Discovery (1); Process Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[Behavior graph image not included in this text export; its legend distinguishes processes, signatures, created files, DNS/IP info, dropped and Windows processes, implementation language (Visual Basic, Delphi, Java, .Net C#/VB.NET, C/C++ or other), malicious nodes and Internet access]

Screenshots

[Screenshots not included in this text export]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
Notepad2.exe | 0% | Virustotal
Notepad2.exe | 0% | Metadefender
Notepad2.exe | 0% | ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.flos-freeware.ch.JNo | 0% | Avira URL Cloud | safe
http://www.flos-freeware.chFlorian | 0% | Avira URL Cloud | safe
http://www.flos-freeware.chflorian.balmer | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.flos-freeware.ch.JNo | Notepad2.exe | false | Avira URL Cloud: safe | unknown
http://www.flos-freeware.chFlorian | Notepad2.exe | false | Avira URL Cloud: safe | unknown
http://www.flos-freeware.chflorian.balmer | Notepad2.exe | false | Avira URL Cloud: safe | unknown
http://www.flos-freeware.ch | Notepad2.exe | false | (none listed) | high

Contacted IPs

No contacted IP info

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435307
Start date: 16.06.2021
Start time: 11:54:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 25s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Notepad2.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 33.3% (good quality ratio 0%)
  • Quality average: 0%
  • Quality standard deviation: 0%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
  • Execution Graph export aborted for target Notepad2.exe, PID 6948 because there are no executed functions

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.889404378786351
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Notepad2.exe
File size: 919552 bytes
MD5: f6d48867d815d6322199e90aa71a8c69
SHA1: f8f9c191d37b643a20870ab8d0af39780c4677ff
SHA256: c6086336a827a9852ee5cf6f46ffb7b1fccf82f194132a0c8a217d1240654f9f
SHA512: 05b1bc5b750955bda17d8baf29aecf019fe07cb9723acab8bd4b6384f4426b837b5bf9c07ac80ff4812081e3bee6ae15e05387810c060adeb05531219082bcfe
SSDEEP: 24576:ptdaP4lgqVU2stGJPATW2cmGxxO9s4tjp:ptdM4Wg5stGJ4kkt9
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@...!s..!s..!s..Y...!s..Y...!s..Y...!s..!r..#s..Y...!s..Y...!s......!s..Y...!s..Y...!s.Rich.!s.........................PE..d..

File Icon

Icon Hash: 62747ededed6761e

Static PE Info

General

Entrypoint: 0x14009a770
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x4DC3C2FE [Fri May 6 09:44:30 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: 37dbcc3aa03d6ea9633e60bf6bdf58bb

Entrypoint Preview

Note: the listing below was decoded as 32-bit code. In this PE32+ image the leading "dec eax", "dec esp" and "inc ebp" entries are the REX prefix bytes (0x48, 0x4C, 0x45) of the instruction that follows them, so "dec eax / sub esp, 28h" is really "sub rsp, 28h" and "inc ebp / xor eax, eax" is "xor r8d, r8d".

Instruction
dec eax
sub esp, 28h
call 00007F08BCC00BB4h
dec eax
add esp, 28h
jmp 00007F08BCC0057Fh
jmp dword ptr [FFF676F8h]
jmp dword ptr [FFF676FAh]
jmp dword ptr [FFF676FCh]
jmp dword ptr [FFF676FEh]
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [0002AC31h]
call dword ptr [FFF66B8Bh]
dec esp
mov ebx, dword ptr [0002AD1Ch]
dec esp
mov dword ptr [esp+58h], ebx
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007F08BCC00C14h
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007F08BCC008D3h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [0002ABDCh]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007F08BCC00BC2h
jmp 00007F08BCC008B4h
dec eax
mov eax, dword ptr [esp+00000088h]
dec eax
mov dword ptr [0002ACA8h], eax
dec eax
lea eax, dword ptr [esp+00000088h]

Rich Headers

Programming Language:
  • [ASM] VS2008 SP1 build 30729
  • [LNK] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [C++] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa3b00 | 0x104 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcf000 | 0x1a2d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xca000 | 0x4d28 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0xd68 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1030 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa633a | 0xa6400 | False | 0.479179393797 | data | 6.44097042111 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0xa8000 | 0x21aa8 | 0x19600 | False | 0.0519839131773 | data | 0.837018933287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0xca000 | 0x4d28 | 0x4e00 | False | 0.472005208333 | data | 5.84155138667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xcf000 | 0x1a2d8 | 0x1a400 | False | 0.332282366071 | data | 4.69733076355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xea000 | 0x1602 | 0x1800 | False | 0.2900390625 | data | 3.8290677788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0xdd6b8 | 0x134 | Hitachi SH big-endian COFF object file, not stripped, 2304 sections, symbol offset=0x20000000, 1073741824 symbols, optional header size 256 | English | United States
RT_BITMAP | 0xd7000 | 0x5c28 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_BITMAP | 0xdcc28 | 0x8c | data | English | United States
RT_BITMAP | 0xdcd48 | 0x8c | data | English | United States
RT_BITMAP | 0xdccb8 | 0x8c | data | English | United States
RT_BITMAP | 0xdcdd8 | 0xb8 | data | English | United States
RT_BITMAP | 0xdce90 | 0x828 | data | English | United States
RT_ICON | 0xd0790 | 0x668 | data | English | United States
RT_ICON | 0xd0df8 | 0x2e8 | data | English | United States
RT_ICON | 0xd10e0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xd1208 | 0xea8 | data | English | United States
RT_ICON | 0xd20b0 | 0x8a8 | data | English | United States
RT_ICON | 0xd2958 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xd2ec0 | 0x25a8 | data | English | United States
RT_ICON | 0xd5468 | 0x10a8 | data | English | United States
RT_ICON | 0xd6510 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xd6a00 | 0x2e8 | data | English | United States
RT_ICON | 0xd6d00 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1317570696, next used block 204 | English | United States
RT_MENU | 0xdd808 | 0x1d9a | data | English | United States
RT_MENU | 0xdf5a8 | 0x154 | data | English | United States
RT_DIALOG | 0xdfc48 | 0x190 | data | English | United States
RT_DIALOG | 0xe0810 | 0x1dc | data | English | United States
RT_DIALOG | 0xe0658 | 0x1b8 | data | English | United States
RT_DIALOG | 0xe09f0 | 0x244 | data | English | United States
RT_DIALOG | 0xe3e10 | 0x154 | data | English | United States
RT_DIALOG | 0xe3ca8 | 0x164 | data | English | United States
RT_DIALOG | 0xe0c38 | 0x1fc | data | English | United States
RT_DIALOG | 0xe2ac8 | 0x1c8 | data | English | United States
RT_DIALOG | 0xe2c90 | 0x144 | data | English | United States
RT_DIALOG | 0xe0f70 | 0x160 | data | English | United States
RT_DIALOG | 0xe10d0 | 0x1e4 | data | English | United States
RT_DIALOG | 0xe2ed8 | 0x36a | data | English | United States
RT_DIALOG | 0xe3f68 | 0x1bc | data | English | United States
RT_DIALOG | 0xe3400 | 0x198 | data | English | United States
RT_DIALOG | 0xe3248 | 0x1b4 | data | English | United States
RT_DIALOG | 0xe3800 | 0x35c | data | English | United States
RT_DIALOG | 0xe2dd8 | 0xfc | data | English | United States
RT_DIALOG | 0xe0e38 | 0x134 | data | English | United States
RT_DIALOG | 0xdfdd8 | 0x3bc | data | English | United States
RT_DIALOG | 0xe0198 | 0x4be | data | English | United States
RT_DIALOG | 0xe12b8 | 0x1cc | data | English | United States
RT_DIALOG | 0xe1488 | 0x5ee | data | English | United States
RT_DIALOG | 0xe1eb0 | 0x598 | data | English | United States
RT_DIALOG | 0xe1d08 | 0x1a4 | data | English | United States
RT_DIALOG | 0xe1a78 | 0x28c | data | English | United States
RT_DIALOG | 0xe2448 | 0x680 | data | English | United States
RT_DIALOG | 0xe3598 | 0x11c | data | English | United States
RT_DIALOG | 0xe36b8 | 0x148 | data | English | United States
RT_DIALOG | 0xe3b60 | 0x148 | data | English | United States
RT_STRING | 0xe4350 | 0x2da | data | English | United States
RT_STRING | 0xe4630 | 0x176 | data | English | United States
RT_STRING | 0xe47a8 | 0x42 | data | English | United States
RT_STRING | 0xe47f0 | 0xfc | data | English | United States
RT_STRING | 0xe48f0 | 0x5c | data | English | United States
RT_STRING | 0xe6870 | 0x76 | data | English | United States
RT_STRING | 0xe4950 | 0x9aa | data | English | United States
RT_STRING | 0xe5bb8 | 0x7f6 | data | English | United States
RT_STRING | 0xe63b0 | 0x4c0 | data | English | United States
RT_STRING | 0xe5300 | 0x8b6 | data | English | United States
RT_STRING | 0xe68e8 | 0x1c8 | data | English | United States
RT_STRING | 0xe6ab0 | 0x446 | data | English | United States
RT_STRING | 0xe6ef8 | 0x400 | data | English | United States
RT_STRING | 0xe72f8 | 0x42a | data | English | United States
RT_STRING | 0xe7728 | 0x4b0 | data | English | United States
RT_STRING | 0xe7bd8 | 0x6c | data | English | United States
RT_STRING | 0xe7c48 | 0x60 | AmigaOS bitmap font | English | United States
RT_STRING | 0xe7ca8 | 0xfc | data | English | United States
RT_STRING | 0xe7da8 | 0x198 | data | English | United States
RT_STRING | 0xe7f40 | 0xb2 | data | English | United States
RT_STRING | 0xe7ff8 | 0x356 | data | English | United States
RT_STRING | 0xe8350 | 0x1b6 | data | English | United States
RT_STRING | 0xe8508 | 0x1c0 | data | English | United States
RT_STRING | 0xe86c8 | 0x198 | data | English | United States
RT_STRING | 0xe8860 | 0x1c0 | data | English | United States
RT_STRING | 0xe8a20 | 0x1be | AmigaOS bitmap font | English | United States
RT_STRING | 0xe8be0 | 0x1be | data | English | United States
RT_STRING | 0xe8da0 | 0x268 | data | English | United States
RT_STRING | 0xe9008 | 0x1cc | data | English | United States
RT_STRING | 0xe91d8 | 0x100 | data | English | United States
RT_ACCELERATOR | 0xdf700 | 0x4f8 | data | English | United States
RT_ACCELERATOR | 0xdfbf8 | 0x50 | data | English | United States
RT_GROUP_CURSOR | 0xdd7f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0xd6978 | 0x84 | data | English | United States
RT_GROUP_ICON | 0xd6ce8 | 0x14 | data | English | United States
RT_GROUP_ICON | 0xd6fe8 | 0x14 | data | English | United States
RT_VERSION | 0xe4128 | 0x224 | data | English | United States
RT_MANIFEST | 0xd0170 | 0x620 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | LoadResource, FindResourceW, SearchPathW, GetCommandLineW, GetPrivateProfileStringW, CreateProcessW, GetStartupInfoW, FindNextChangeNotification, CompareFileTime, FindClose, FindFirstFileW, FindCloseChangeNotification, FindFirstChangeNotificationW, GetTimeFormatW, GetDateFormatW, SetFileAttributesW, LockResource, SetErrorMode, SetCurrentDirectoryW, GetVersion, VirtualProtect, Sleep, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SizeofResource, FreeResource, WritePrivateProfileSectionW, GetPrivateProfileSectionW, GetLocaleInfoW, ExpandEnvironmentStringsW, GetLongPathNameW, GetWindowsDirectoryW, GetCurrentProcess, GetModuleHandleA, SetEndOfFile, WriteFile, CreateFileW, GetLastError, GetFileSize, ReadFile, lstrcmpiA, lstrcmpA, lstrcpynA, lstrcatA, lstrlenA, GetOEMCP, LocalSize, lstrcpyA, lstrcmpW, GetPrivateProfileIntW, LocalAlloc, CreateThread, CreateEventW, CloseHandle, ResetEvent, WaitForSingleObject, GetFileAttributesW, SetEvent, ExitThread, lstrcpynW, lstrcatW, lstrcmpiW, GetModuleFileNameW, lstrcpyW, GetCurrentDirectoryW, FormatMessageW, LocalFree, lstrlenW, WritePrivateProfileStringW, LCMapStringW, GetTickCount, GlobalFree, GlobalSize, GlobalUnlock, GlobalAlloc, GlobalLock, IsValidCodePage, GetCPInfo, WideCharToMultiByte, GetLocaleInfoA, GetModuleHandleW, GetVersionExW, InitializeCriticalSection, LoadLibraryW, GetProcAddress, FreeLibrary, LoadLibraryA, LeaveCriticalSection, MultiByteToWideChar, DeleteCriticalSection, IsDBCSLeadByteEx, QueryPerformanceFrequency, QueryPerformanceCounter, GetACP, MulDiv, EnterCriticalSection, GetLocalTime
USER32.dll | SetClipboardViewer, IntersectRect, IsWindow, SetMenuDefaultItem, ShowOwnedPopups, TrackPopupMenuEx, GetSubMenu, LoadMenuW, PostQuitMessage, ChangeClipboardChain, RegisterClassW, GetMessageW, IsDialogMessageW, TranslateAcceleratorW, LoadAcceleratorsW, RegisterWindowMessageW, MessageBoxW, CharPrevW, IsCharAlphaNumericW, MessageBoxExW, wsprintfW, IsChild, IsWindowUnicode, SetFocus, GetMessageTime, MsgWaitForMultipleObjects, PostMessageW, GetUpdateRgn, SetCaretPos, RegisterClipboardFormatW, GetCaretBlinkTime, HideCaret, DestroyCaret, CreateCaret, ShowCaret, GetWindowPlacement, EmptyClipboard, SystemParametersInfoW, AppendMenuA, OpenClipboard, GetClipboardData, CloseClipboard, SetClipboardData, IsClipboardFormatAvailable, GetDlgCtrlID, GetScrollInfo, SetScrollInfo, ScrollWindow, UpdateWindow, SetTimer, KillTimer, GetKeyboardLayout, CreatePopupMenu, RegisterClassExW, SetWindowLongW, ReleaseCapture, InflateRect, DrawTextW, DrawTextA, DrawFocusRect, GetDC, ReleaseDC, FrameRect, DestroyCursor, GetKeyState, GetDoubleClickTime, GetSysColor, TrackPopupMenu, DestroyMenu, UnregisterClassW, CallWindowProcW, IsZoomed, EqualRect, OffsetRect, SetWindowPlacement, GetForegroundWindow, EnumWindows, IsIconic, ShowWindowAsync, IsWindowVisible, GetClassNameW, EnableMenuItem, CheckMenuItem, CheckMenuRadioItem, CountClipboardFormats, CopyImage, SetWindowTextW, SetActiveWindow, SetForegroundWindow, DrawAnimatedRects, FindWindowExW, CreateDialogIndirectParamW, DialogBoxIndirectParamW, CharUpperBuffW, GetMenu, GetMenuState, IsWindowEnabled, SetRect, DeferWindowPos, GetMenuStringW, GetSystemMenu, InsertMenuW, ChildWindowFromPoint, GetCapture, GetActiveWindow, GetSysColorBrush, IsCharLowerA, wsprintfA, IsCharUpperW, CharLowerW, IsCharLowerW, CharUpperW, IsCharAlphaNumericA, CharLowerA, CharNextW, SetCursorPos, LoadIconW, LoadImageW, GetDlgItemInt, wvsprintfW, SetDlgItemInt, CheckRadioButton, GetPropW, PeekMessageW, TranslateMessage, DispatchMessageW, SetPropW, CheckDlgButton, RemovePropW, IsDlgButtonChecked, GetWindowTextLengthW, MessageBeep, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItemTextW, EnableWindow, EndDialog, SetDlgItemTextW, SendDlgItemMessageW, GetDlgItem, MessageBoxIndirectW, LoadStringW, ScreenToClient, GetParent, BeginPaint, EndPaint, DefWindowProcW, GetCursorPos, SetCapture, GetSystemMetrics, AdjustWindowRectEx, CreateWindowExW, MapWindowPoints, MonitorFromPoint, SetCursor, LoadCursorW, GetIconInfo, CreateIconIndirect, SendMessageW, InvalidateRect, ShowWindow, GetClientRect, GetWindowLongW, GetWindowLongPtrW, SetWindowLongPtrW, FillRect, DestroyWindow, GetFocus, GetWindowRect, SetWindowPos, GetMonitorInfoW, MonitorFromRect, ClientToScreen
GDI32.dll | RoundRect, Ellipse, BitBlt, GetTextExtentPoint32A, GetTextMetricsW, RealizePalette, IntersectClipRect, StretchBlt, GetObjectW, CreateFontIndirectW, GetStockObject, CreateFontIndirectA, CreateDIBSection, GetTextExtentPoint32W, GetTextExtentExPointA, GetNearestColor, SetTextColor, CreatePatternBrush, SetBkMode, TranslateCharsetInfo, CombineRgn, CreateRectRgn, CreateBitmap, EnumFontsW, SetMapMode, EndDoc, EndPage, StartPage, StartDocW, CreateFontW, DPtoLP, CreateSolidBrush, CreatePen, CreateCompatibleBitmap, CreateCompatibleDC, SetBkColor, ExtTextOutW, Rectangle, Polygon, LineTo, ExtTextOutA, MoveToEx, SetTextAlign, SelectObject, SelectPalette, DeleteDC, DeleteObject, GetTextExtentExPointW, GetDeviceCaps, CreatePalette
ADVAPI32.dll | IsTextUnicode, OpenProcessToken, GetTokenInformation
SHELL32.dll | SHGetPathFromIDListW, ShellExecuteW, ShellExecuteExW, SHGetFileInfoW, SHGetDataFromIDListW, SHGetDesktopFolder, SHGetFolderPathW, SHGetSpecialFolderPathW, SHAppBarMessage, SHCreateDirectoryExW, Shell_NotifyIconW, DragAcceptFiles, SHAddToRecentDocs, DragFinish, DragQueryFileW, SHBrowseForFolderW
SHLWAPI.dll | PathUnExpandEnvStringsW, StrCmpNIW, StrDupA, StrCmpIW, StrDupW, StrCatBuffA, StrChrA, StrCatW, StrCpyW, StrStrA, StrCmpNA, StrChrIA, StrCmpNIA, UrlUnescapeW, UrlEscapeW, StrNCatW, PathCommonPrefixW, StrStrIA, StrCpyNW, StrRetToBufW, PathMatchSpecW, StrChrW, PathUnquoteSpacesW, PathIsUNCW, PathFileExistsW, PathFindFileNameW, PathQuoteSpacesW, PathRemoveFileSpecW, SHAutoComplete, StrTrimW, StrCatBuffW, PathAppendW, PathRelativePathToW, PathIsPrefixW, PathIsRelativeW, StrChrIW, PathCanonicalizeW, PathGetDriveNumberW, PathFindExtensionW, PathIsRootW, StrStrW, PathIsDirectoryW, PathStripToRootW, PathRenameExtensionW, StrRChrW, StrFormatByteSizeW, PathCompactPathExW, StrStrIW, StrCmpW, StrTrimA
COMDLG32.dll | PrintDlgW, ChooseColorW, ChooseFontW, GetSaveFileNameW, GetOpenFileNameW, PageSetupDlgW
COMCTL32.dll | ImageList_AddMasked, CreateStatusWindowW, ImageList_Create, ImageList_Destroy, InitCommonControlsEx
IMM32.dll | ImmReleaseContext, ImmGetCompositionStringW, ImmGetContext, ImmSetCompositionFontA, ImmNotifyIME, ImmSetCompositionWindow
ole32.dll | CoUninitialize, CoTaskMemFree, RegisterDragDrop, RevokeDragDrop, OleUninitialize, DoDragDrop, OleInitialize, CoInitialize, CoTaskMemAlloc, CoCreateInstance
msvcrt.dll | qsort, strncpy, memmove, abs, strncat, clock, iscntrl, sscanf, rand, srand, _swab, swscanf, wcsftime, mktime, __CxxFrameHandler, ??1type_info@@UEAA@XZ, __C_specific_handler, _unlock, __dllonexit, _lock, _onexit, ?terminate@@YAXXZ, _ismbblead, memset, __getmainargs, _XcptFilter, _exit, _cexit, exit, _acmdln, _initterm, _amsg_exit, __setusermatherr, _commode, _fmode, __set_app_type, isspace, toupper, memcmp, memcpy, isupper, strlen, strcpy, strncmp, strstr, islower, strcmp, sprintf, atoi, _purecall, ??2@YAPEAX_K@Z, strchr, tolower, ispunct, isalpha, isdigit, isalnum, ??3@YAXPEAX@Z
msvcp60.dll | ??9std@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z, ??Mstd@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z, ??8std@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PEBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@_KDAEBV?$allocator@D@1@@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@_K1AEBV?$allocator@D@1@@Z, ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV12@_K0@Z, ?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV12@_KPEBD0@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KPEBD_K@Z, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2_KB, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBD_KAEBV?$allocator@D@1@@Z, ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAD_K@Z, ??0_Lockit@std@@QEAA@XZ, ??1_Lockit@std@@QEAA@XZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBDAEBV?$allocator@D@1@@Z, ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@AEBV01@@Z, ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@PEBD@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPEBDXZ@4DB, ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@PEBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV?$allocator@D@1@@Z, ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@D@Z, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ, ??9std@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PEBD@Z

    Version Infos

    Description         Data
    LegalCopyright      Florian Balmer 2004-2011
    InternalName        Notepad2
    FileVersion         4.2.25
    OriginalFilename    Notepad2.exe
    FileDescription     Notepad2 x64
    Translation         0x0409 0x04b0
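The table above is what a sandbox recovers from the PE's VS_VERSIONINFO resource. What follows is an added example, not code from this report or from Notepad2, showing how that resource is laid out and how the triage check that compares OriginalFilename with the on-disk file name is made: a standard-library-only walker over the documented block structure (wLength, wValueLength, wType, UTF-16 key, 32-bit padding, value, children) that returns the StringFileInfo strings and the VarFileInfo Translation pairs. The resource bytes are constructed here from the values in the table (they are not extracted from the sample), and every function name is this example's own. The walker is general: it handles any number of string tables and translation pairs, not only the single 040904b0 table this sample carries.

```python
"""Added example (not from the report or from Notepad2): parse a VS_VERSIONINFO
resource with the standard library and apply the OriginalFilename check.
The resource below is constructed from the table's values, not dumped from the sample."""
import struct


def _align4(n: int) -> int:
    """Blocks and their Value members start on 32-bit boundaries."""
    return (n + 3) & ~3


# ---- builder: used only to construct the sample resource ----
def _block(key: str, value: bytes = b"", children=(), wtype: int = 1) -> bytes:
    """Encode one block: wLength, wValueLength, wType, UTF-16 key, padding, value, children.
    wValueLength counts WCHARs for text blocks (wType 1) and bytes for binary ones (wType 0)."""
    value_len = len(value) // 2 if wtype == 1 else len(value)
    body = struct.pack("<HHH", 0, value_len, wtype) + key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (_align4(len(body)) - len(body))
    body += value
    for child in children:
        body += b"\x00" * (_align4(len(body)) - len(body))
        body += child
    return struct.pack("<H", len(body)) + body[2:]  # patch in the real wLength


def _string(key: str, text: str) -> bytes:
    return _block(key, text.encode("utf-16-le") + b"\x00\x00")


# VS_FIXEDFILEINFO (52 bytes); file version 4.2.25.0 is MS=4.2, LS=25.0
FIXED_FILE_INFO = struct.pack(
    "<13I",
    0xFEEF04BD, 0x00010000,          # dwSignature, dwStrucVersion
    (4 << 16) | 2, (25 << 16) | 0,   # dwFileVersionMS / LS
    (4 << 16) | 2, (25 << 16) | 0,   # dwProductVersionMS / LS
    0x3F, 0, 0x40004, 1, 0, 0, 0)    # flags mask, flags, VOS_NT_WINDOWS32, VFT_APP, subtype, date

# Constructed resource mirroring the "Version Infos" table (lang 0x0409, codepage 0x04b0).
SAMPLE_RESOURCE = _block(
    "VS_VERSION_INFO", FIXED_FILE_INFO, wtype=0,
    children=[
        _block("StringFileInfo", children=[
            _block("040904b0", children=[
                _string("LegalCopyright", "Florian Balmer 2004-2011"),
                _string("InternalName", "Notepad2"),
                _string("FileVersion", "4.2.25"),
                _string("OriginalFilename", "Notepad2.exe"),
                _string("FileDescription", "Notepad2 x64"),
            ])]),
        _block("VarFileInfo", children=[
            _block("Translation", struct.pack("<HH", 0x0409, 0x04B0), wtype=0)]),
    ])


# ---- parser ----
def _parse_block(buf: bytes, off: int):
    """Return (key, wtype, value_bytes, children_offset, end_offset) for the block at off."""
    if off + 6 > len(buf):
        raise ValueError(f"truncated block header at {off}")
    length, value_len, wtype = struct.unpack_from("<HHH", buf, off)
    end = off + length
    if length < 6 or end > len(buf):
        raise ValueError(f"bad wLength {length} at {off}")
    pos = off + 6
    while buf[pos:pos + 2] != b"\x00\x00":  # UTF-16 key, scanned in 2-byte steps
        pos += 2
        if pos + 2 > end:
            raise ValueError(f"unterminated key at {off}")
    key = buf[off + 6:pos].decode("utf-16-le")
    pos = _align4(pos + 2)
    vlen = value_len * 2 if wtype == 1 else value_len
    return key, wtype, buf[pos:pos + vlen], _align4(pos + vlen), end


def _children(buf: bytes, start: int, end: int):
    """Yield the parsed sibling blocks between start and end."""
    off = start
    while off < end:
        blk = _parse_block(buf, off)
        yield blk
        off = _align4(blk[4])


def parse_version_info(buf: bytes) -> dict:
    """Return {'file_version', 'strings': {key: text}, 'translations': [(lang, codepage)]}."""
    key, _, fixed, coff, end = _parse_block(buf, 0)
    if key != "VS_VERSION_INFO":
        raise ValueError("not a VS_VERSIONINFO resource")
    out = {"file_version": None, "strings": {}, "translations": []}
    if len(fixed) >= 16 and struct.unpack_from("<I", fixed)[0] == 0xFEEF04BD:
        ms, ls = struct.unpack_from("<II", fixed, 8)
        out["file_version"] = f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"
    for ckey, _, _, gstart, gend in _children(buf, coff, end):
        if ckey == "StringFileInfo":           # one or more StringTable children
            for _table, _, _, sstart, send in _children(buf, gstart, gend):
                for skey, _, sval, _, _ in _children(buf, sstart, send):
                    out["strings"][skey] = sval.decode("utf-16-le").rstrip("\x00")
        elif ckey == "VarFileInfo":            # Translation: pairs of (lang, codepage) WORDs
            for vkey, _, vval, _, _ in _children(buf, gstart, gend):
                if vkey == "Translation":
                    for i in range(0, len(vval) - 3, 4):
                        out["translations"].append(struct.unpack_from("<HH", vval, i))
    return out


def original_filename_matches(info: dict, on_disk_name: str) -> bool:
    """Triage check: Windows names are case-insensitive, so compare folded.
    False means the binary runs under a name its own version resource does not claim."""
    original = info["strings"].get("OriginalFilename")
    return original is not None and original.lower() == on_disk_name.lower()


if __name__ == "__main__":
    info = parse_version_info(SAMPLE_RESOURCE)
    for k, v in info["strings"].items():
        print(f"{k:18} {v}")
    print("Translation", " ".join(f"0x{a:04x} 0x{b:04x}" for a, b in info["translations"]))
    print("matches on-disk name:", original_filename_matches(info, "Notepad2.exe"))
```

Reading the real resource out of a PE still needs the resource directory walk (or a library such as pefile); the parser above starts from the raw resource bytes. A False from original_filename_matches is an indicator, not a verdict: a renamed copy of a legitimate tool trips it exactly as a repackaged malicious one does.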

    Possible Origin

    Language of compilation system    Country where language is spoken
    English                           United States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Memory Usage

    System Behavior

    General

    Start time:11:55:21
    Start date:16/06/2021
    Path:C:\Users\user\Desktop\Notepad2.exe
    Wow64 process (32bit):false
    Commandline:'C:\Users\user\Desktop\Notepad2.exe'
    Imagebase:0x7ff7ec980000
    File size:919552 bytes
    MD5 hash:F6D48867D815D6322199E90AA71A8C69
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

    Disassembly

    Code Analysis

      Memory Dump Source
      • Source File: 00000001.00000002.948446001.00007FF7EC981000.00000020.00020000.sdmp, Offset: 00007FF7EC980000, based on PE: true
      • Associated: 00000001.00000002.948438772.00007FF7EC980000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.948608343.00007FF7ECA28000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.948621301.00007FF7ECA29000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.948629860.00007FF7ECA2A000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.948646940.00007FF7ECA43000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.948653685.00007FF7ECA45000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.948660054.00007FF7ECA4A000.00000002.00020000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ff7ec980000_Notepad2.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: 4b253c0f08e2701c9e35f38b15eb4e78c8dc36cb3f753ea6fd16f111e8960239
      • Instruction ID: ea648e82cf0c9f6dfd0d43ebd0b3d555c5c50e5960894bcc22221d3d6afb042c
      • Opcode Fuzzy Hash: 4b253c0f08e2701c9e35f38b15eb4e78c8dc36cb3f753ea6fd16f111e8960239
      • Instruction Fuzzy Hash: 2C01A566B18A4582E7509F25F540765A360FB08BD0F842632FE5E0B7A4CF3CD894C321
      Uniqueness

      Uniqueness Score: -1.00%