Sample details: 3b508cae5debcba928b5bc355517e2e6 --

Hashes
MD5: 3b508cae5debcba928b5bc355517e2e6
SHA1: 40f2e778cf1effa957c719d2398e641eff20e613
SHA256: da0acee8f60a460cfb5249e262d3d53211ebc4c777579e99c8202b761541110a
SSDEEP: 3072:I9icXWs8CmX+e059nAK/WDXa3ZKvvkro5P3fL/JLgf7nDVF6PUp1Yo3ICgY:gonX+x9nAs4q3KUIT/5gfzDVlVXg
Details
File Type: PE32+
Added: 2018-03-06 19:29:38
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/anti_dbg | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation
Source
http://13.82.96.22/exploit/notepad.exe
Strings
		!This program cannot be run in DOS mode.
t$Richs
`.rdata
@.data
.pdata
@.rsrc
@.reloc
|$01u"
UWATAVAWH
0A_A^A\_]
t$ UWATAUAVH
A^A]A\_]
D$P9D$H
UATAUAVAWH
A_A^A]A\]
@USVWATAUAVAWH
A_A^A]A\_^[]
UWATAVAWH
A_A^A\_]
UVWAVAWH
 A_A^_^]
WAVAWH
 A_A^_
@SUVWAVH
T$p+T$hL
D$p+D$h9D$xu]L
0A^_^][
L$ SUVWH
WATAUAVAWH
A_A^A]A\_
x UATAUAVAWH
t$X95(
L$PtKD95l
D9t$\u
fD94pu
D9t$Pt	H
A_A^A]A\]
WATAUAVAWH
D$x9|$<tv
<$.u fA
A_A^A]A\_
0Hc\$`I
WATAUAVAWH
 A_A^A]A\_
\$ UVWATAUAVAWH
A_A^A]A\_^]
fD9<Fu
fD9<Fu
D9e|vAA
fD9$Gu
D9|$xv>H
D;L$xs
fD9<Au
L9}ptu3
u(D9\$pt
u"D9|$pt
fD9<Ou
fD9<Gu
UVWATAUAVAWH
@A_A^A]A\_^]
t$ WAVAWH
L$x+T$t+L$p
@SUVWATAUAVAWH
8A_A^A]A\_^][
t$ WAVAWH
0A_A^_
x UATAUAVAWH
L$|f9=
9t$4t)95a
A_A^A]A\]
x UATAUAVAWH
t|fA;@
t?fA;@
t8fA;@
t$fA;@
A_A^A]A\]
L$ SVWH
@SUVWAVH
A^_^][
\$ VWAVH
WATAUAVAWH
t]@8-k
A_A^A]A\_
x UAVAWH
tiHcL$ HcD$$H
t$ WATAUAVAWH
L9sPs@
D$`L9o
fE9,pu
 A_A^A]A\_
T$8H!\$8
D9K(t	H
t$ UWAVH
fD94Gu
USVWAVH
 A^_^[]
USVWATAVAWH
`A_A^A\_^[]
fD94Yu
|$ UATAUAVAWH
D$8L!d$8H
A_A^A]A\]
UVWATAUAVAWH
A_A^A]A\_^]
p WAVAWH
@A_A^_
@USVWAVH
0A^_^[]
u*9Q<|%
LcA<E3
 H3E H3E
X\?E/5
sQPI[5T
@W=7A=
d|BNeU
Vving1
gxI3!'
WAxK0i
FWph?r
7T})gW
hwp1p0
hgtlCm
^BNQ,^
z?801i:It6
1o?-XfF
VG2/iI
w9X!P/
NtQuerySystemInformation
Exception
ReturnHr
FailFast
RtlDllShutdownInProgress
internal\sdk\inc\wil\resultmacros.h
internal\sdk\inc\wil\resource.h
WilError_01
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
FreshWindow
SessionId
SequenceNumber
IsAdminMode
AppExit
SessionId
SequenceNumber
FileNewCount
FileSaveCount
FileSaveAsCount
FilePrintCount
EditUndoCount
EditCutCount
EditCopyCount
EditPasteCount
EditDeleteCount
EditFindCount
EditReplaceCount
EditGotoCount
FormatFontCount
EdpFileOpenCount
EdpFileSaveCount
EdpPasteToNoContextCount
EdpFileOpenAttemptFailCount
FileSize
IsWordWrap
StatusBarVisibility
SaveComplete
SessionId
SequenceNumber
SaveComplete
SessionId
SequenceNumber
ContentType
FileSize
IsNetworkPath
SaveStart
SessionId
SequenceNumber
FileOpenComplete
SessionId
SequenceNumber
ContentType
FileSize
IsNetworkPath
FileOpenStart
SessionId
SequenceNumber
LaunchNotepadComplete
SessionId
SequenceNumber
IsAdminMode
LaunchNotepadStart
SessionId
SequenceNumber
Microsoft.Notepad
notepad.pdb
.text$di
.text$mn
.text$mn$00
.text$x
.text$yd
.rdata$brc
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIY
.CRT$XIZ
.cfguard
.rdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.xdata
.idata$2
.idata$3
.idata$4
.idata$6
.data$brc
.pdata
.rsrc$01
.rsrc$02
OpenProcessToken
GetTokenInformation
DuplicateEncryptionInfoFile
RegSetValueExW
RegQueryValueExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExW
EventSetInformation
EventRegister
EventUnregister
EventWriteTransfer
IsTextUnicode
ADVAPI32.dll
LocalFree
lstrcmpiW
SetErrorMode
CreateFileW
ReadFile
CloseHandle
LocalAlloc
GlobalFree
GetLocaleInfoW
MulDiv
GetCurrentProcess
GetCommandLineW
HeapSetInformation
GetCurrentProcessId
lstrcmpW
FindFirstFileW
FindClose
FormatMessageW
LocalLock
LocalUnlock
FoldStringW
GetUserDefaultUILanguage
GetLocalTime
GetDateFormatW
GetTimeFormatW
WideCharToMultiByte
SetLastError
WriteFile
GetFileAttributesW
GetLastError
GetACP
DeleteFileW
SetEndOfFile
GetFullPathNameW
GetFileAttributesExW
GetFileInformationByHandle
CreateFileMappingW
MapViewOfFile
MultiByteToWideChar
LocalReAlloc
UnmapViewOfFile
LocalSize
GetStartupInfoW
FindNLSString
GlobalAlloc
GlobalLock
GlobalUnlock
KERNEL32.dll
GetDeviceCaps
CreateFontIndirectW
DeleteObject
SelectObject
GetTextFaceW
EnumFontsW
TextOutW
GetTextExtentPoint32W
SetMapMode
SetViewportExtEx
SetWindowExtEx
LPtoDP
SetBkMode
GetTextMetricsW
EndPage
AbortDoc
EndDoc
DeleteDC
SetAbortProc
StartDocW
StartPage
CreateDCW
GDI32.dll
SendMessageW
GetClientRect
MoveWindow
SetThreadDpiAwarenessContext
PostMessageW
GetMenu
EnableMenuItem
GetSubMenu
SetFocus
DialogBoxParamW
LoadIconW
GetFocus
MessageBoxW
CheckMenuItem
ShowWindow
ReleaseDC
SetCursor
SetActiveWindow
LoadStringW
DefWindowProcW
IsIconic
PostQuitMessage
DestroyWindow
MessageBeep
GetForegroundWindow
GetDlgCtrlID
SetWindowPos
RedrawWindow
GetKeyboardLayout
CharNextW
SetWinEventHook
GetMessageW
IsDialogMessageW
TranslateAcceleratorW
TranslateMessage
DispatchMessageW
UnhookWinEvent
SetWindowTextW
GetMenuState
OpenClipboard
IsClipboardFormatAvailable
CloseClipboard
SetDlgItemTextW
GetDlgItemTextW
EndDialog
SendDlgItemMessageW
WinHelpW
GetCursorPos
ScreenToClient
ChildWindowFromPoint
GetParent
SetScrollPos
InvalidateRect
UpdateWindow
GetWindowPlacement
SetWindowPlacement
CharUpperW
GetSystemMenu
LoadAcceleratorsW
SetWindowLongW
RegisterWindowMessageW
LoadCursorW
CreateWindowExW
LoadImageW
RegisterClassExW
GetWindowTextLengthW
GetWindowLongW
PeekMessageW
GetWindowTextW
EnableWindow
CreateDialogParamW
DrawTextExW
USER32.dll
_vsnwprintf
_wcsicmp
wcsnlen
iswctype
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
_cexit
_ismbblead
__setusermatherr
_initterm
__C_specific_handler
_acmdln
_fmode
_commode
msvcrt.dll
?terminate@@YAXXZ
_unlock
__dllonexit
_onexit
CoTaskMemFree
CoTaskMemAlloc
CoCreateInstance
CoInitializeEx
CoUninitialize
CoCreateGuid
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
HeapFree
GetModuleHandleExW
GetModuleFileNameW
HeapAlloc
GetProcessHeap
FreeLibrary
GetProcAddress
GetModuleFileNameA
PropVariantClear
CreateSemaphoreExW
WindowsCreateString
CreateEventExW
ReleaseSemaphore
SetRestrictedErrorInfo
CoWaitForMultipleHandles
CoCreateFreeThreadedMarshaler
CompareStringOrdinal
WindowsCreateStringReference
RoGetActivationFactory
WaitForSingleObject
ReleaseMutex
RoGetMatchingRestrictedErrorInfo
OutputDebugStringW
SetEvent
WaitForSingleObjectEx
OpenSemaphoreW
WindowsDeleteString
RaiseException
WindowsGetStringRawBuffer
CreateMutexExW
LoadLibraryExW
api-ms-win-core-com-l1-1-1.dll
OLEAUT32.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-rtlsupport-l1-2-0.dll
api-ms-win-core-errorhandling-l1-1-1.dll
api-ms-win-core-processthreads-l1-1-2.dll
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-sysinfo-l1-2-1.dll
api-ms-win-core-heap-l1-2-0.dll
api-ms-win-core-winrt-string-l1-1-0.dll
api-ms-win-core-winrt-error-l1-1-1.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-core-winrt-l1-1-0.dll
api-ms-win-core-debug-l1-1-1.dll
CreateStatusWindowW
COMCTL32.dll
CommDlgExtendedError
GetOpenFileNameW
GetSaveFileNameW
ReplaceTextW
FindTextW
GetFileTitleW
ChooseFontW
PageSetupDlgW
PrintDlgExW
COMDLG32.dll
EfsClientDecryptFile
FeClient.dll
WinSqmAddToStream
ntdll.dll
PSGetPropertyDescriptionListFromString
PropVariantToStringVectorAlloc
PROPSYS.dll
SHCreateItemFromParsingName
ShellAboutW
DragQueryFileW
SHAddToRecentDocs
DragFinish
DragAcceptFiles
SHELL32.dll
PathIsFileSpecW
SHStrDupW
PathFileExistsW
PathIsNetworkPathW
PathFindExtensionW
SHLWAPI.dll
OpenPrinterW
GetPrinterDriverW
ClosePrinter
WINSPOOL.DRV
FindMimeFromData
urlmon.dll
strchr
memcpy_s
_purecall
__CxxFrameHandler3
malloc
_callnewh
memcpy
memset
wcscmp
ew|>&=4_
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
    name="Microsoft.Windows.Shell.notepad"
    processorArchitecture="amd64"
    version="5.1.0.0"
    type="win32"/>
<description>Windows Shell</description>
<dependency>
    <dependentAssembly>
        <assemblyIdentity
            type="win32"
            name="Microsoft.Windows.Common-Controls"
            version="6.0.0.0"
            processorArchitecture="*"
            publicKeyToken="6595b64144ccf1df"
            language="*"
        />
    </dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
        </requestedPrivileges>
    </security>
</trustInfo>
<application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
        <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitor</dpiAwareness>
    </windowsSettings>
</application>
</assembly>
DDEA<::?6
GIIEA<;;?332,'
DNEE<<??>22+(&&&'3
SRRQPE@??>2,,('''',+233
SQRQPNNDDD??,((,(,,+33222',6
MNNEDDDDDI,2,,2233232,2,,2C+
@DIIIICCGIC3>3>2?2??2?C3G63G
?IIIIILILL?GC?CC>GGGG>GCC?C,
DIILOOO
CKGGGGGGDCCCCCGGG
LLLLLILKK
LLLLIIIILIC
p5-h-/z1~
~zxjhj
4+++*(
@?=,+/
===111*!
!!!!!!
'141133!/!(!(!""/""
414;;4
/2/22222////2
;;;;4;3423332
;;;;4:
jZZ \ZdZ^nN
~nnn^^TdUhUlWVkt
gQkQml
%%!!!!!%0
3.r6x.3+,+.0+*!
|r8kr33.33m
xx8rrk3+
f_UUURTP
gbXOOLOZ[dbp
GXXXXXXXXXX
)KK1.-%
$KB>;88$
8KH11.%"
H>KKH;;8)$
;K631-."
(PMKH>;8))
)TE@330."
;LTMMK>;8+$	L
KHFE@330.
8VTMLH>;.(
(WVTMK>;8+
IDATx^
|8?99zEc
sCN $A
mem2KJ
}^=47"
tz80&a%
5eR@PahB
'2+8Ly
UE&c'O
:({?<#k
X&9Lx"
3A%$[w
q27:^u
H~bXGB
J{L6nD
`lX06,?
ieKe|A
,k<.KQ
oon;M=
|*+@F!
0y;:]Z
h;Z|?2
	|JsT@
o	Zxyx
e &!h+
C>_J*A
V&Xax)
2hb6YX
Jvz:OO
]I#!4!
?#Q@i(2YD
& 4 10O
84c%ez
xywSIpg
wf!>Tg
QV+ODc
pL6!	H
>m5l-B
Gmqxg"
	 Hc^YF3 
yT"F]g
YvSfyw/
bJYL^T
.WF"hB
6d@u`+
}x5Jbf
+{	D@k
m;xDv)
!({.}Q0H!
D 	`/J
@M	 41Y
h@W 	`
V.xOx_T
o3noje
!@!$*B
Re.!D:
FZdQ&r
dB!dB!hB
Jx$7}H
%.!$-T
$)IA%:
,(S!Y(Cf
(@!h(d
u@ @p=
YuU8]&ldx
GsS!t"
vfql:>C
|LVz>FE@
9{8d93
APkP<&
B/XoX_
JN}<:5
<:KmJ*0
Ja\-6G
	yz\yWlM~
[qA*68
VL `wZd~
y~qpz:
r	4wt/
ycn3)io
P[a(,E
J!:+_m
,>d=MT
x8K{?3~4
M6W}6kY
B!U~8Hg
 774_kki
4543!! B
yur:QNO[
MML%BBBQ