933b53a44e49709193a3304d45c70176
Summary
| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 2008-Apr-13 18:35:51 |
| Detected languages |
English - United States
|
| Debug artifacts |
notepad.pdb
|
| CompanyName | Microsoft Corporation |
| FileDescription | Notepad |
| FileVersion | 5.1.2600.5512 (xpsp.080413-2105) |
| InternalName | Notepad |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | NOTEPAD.EXE |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 5.1.2600.5512 |
Plugin Output
| Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
| Suspicious | The PE is possibly packed. | Section .text is both writable and executable. |
| Info | The PE contains common functions which appear in legitimate applications. |
[!] The program may be hiding some of its imports:
|
| Malicious | VirusTotal score: 13/70 (Scanned on 2019-12-12 07:23:38) |
CMC:
Trojan.Win32.Diple!O
Sangfor: Malware CrowdStrike: win/malicious_confidence_90% (W) Cyren: W32/Patched.AZ.gen!Eldorado Symantec: ML.Attribute.HighConfidence APEX: Malicious Invincea: heuristic Trapmine: malicious.high.ml.score FireEye: Generic.mg.933b53a44e497091 Ikarus: Virus.Win32.Heur F-Prot: W32/Patched.AZ.gen!Eldorado Acronis: suspicious Cybereason: malicious.7d03c4 |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe0 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 3 |
| TimeDateStamp | 2008-Apr-13 18:35:51 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
|
Image Optional Header
| Magic | PE32 |
|---|---|
| LinkerVersion | 7.1 |
| SizeOfCode | 0x7800 |
| SizeOfInitializedData | 0xa600 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000739D (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x9000 |
| ImageBase | 0x1000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.1 |
| ImageVersion | 5.1 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x14000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| DllCharacteristics |
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
|
| SizeofStackReserve | 0x40000 |
| SizeofStackCommit | 0x11000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.data
.rsrc
Imports
| comdlg32.dll |
PageSetupDlgW
FindTextW PrintDlgExW ChooseFontW GetFileTitleW GetOpenFileNameW ReplaceTextW CommDlgExtendedError GetSaveFileNameW |
|---|---|
| SHELL32.dll |
DragFinish
DragQueryFileW DragAcceptFiles ShellAboutW |
| WINSPOOL.DRV |
GetPrinterDriverW
ClosePrinter OpenPrinterW |
| COMCTL32.dll |
CreateStatusWindowW
|
| msvcrt.dll |
_XcptFilter
_exit _c_exit time localtime _cexit iswctype _except_handler3 _wtol wcsncmp _snwprintf exit _acmdln __getmainargs _initterm __setusermatherr _adjust_fdiv __p__commode __p__fmode __set_app_type _controlfp wcsncpy |
| ADVAPI32.dll |
RegQueryValueExW
RegCloseKey RegCreateKeyW IsTextUnicode RegQueryValueExA RegOpenKeyExA RegSetValueExW |
| KERNEL32.dll |
GetCurrentThreadId
GetTickCount QueryPerformanceCounter GetLocalTime GetUserDefaultLCID GetDateFormatW GetTimeFormatW GlobalLock GlobalUnlock GetFileInformationByHandle CreateFileMappingW GetSystemTimeAsFileTime TerminateProcess GetCurrentProcess SetUnhandledExceptionFilter LoadLibraryA GetModuleHandleA GetStartupInfoA GlobalFree GetLocaleInfoW LocalFree LocalAlloc lstrlenW LocalUnlock CompareStringW LocalLock FoldStringW CloseHandle lstrcpyW ReadFile CreateFileW lstrcmpiW GetCurrentProcessId GetProcAddress GetCommandLineW lstrcatW FindClose FindFirstFileW GetFileAttributesW lstrcmpW MulDiv lstrcpynW LocalSize GetLastError WriteFile SetLastError WideCharToMultiByte LocalReAlloc FormatMessageW GetUserDefaultUILanguage SetEndOfFile DeleteFileW GetACP UnmapViewOfFile MultiByteToWideChar MapViewOfFile UnhandledExceptionFilter |
| GDI32.dll |
EndPage
AbortDoc EndDoc DeleteDC StartPage GetTextExtentPoint32W CreateDCW SetAbortProc GetTextFaceW TextOutW StartDocW EnumFontsW GetStockObject GetObjectW GetDeviceCaps CreateFontIndirectW DeleteObject GetTextMetricsW SetBkMode LPtoDP SetWindowExtEx SetViewportExtEx SetMapMode SelectObject |
| USER32.dll |
GetClientRect
SetCursor ReleaseDC GetDC DialogBoxParamW SetActiveWindow GetKeyboardLayout DefWindowProcW DestroyWindow MessageBeep ShowWindow GetForegroundWindow IsIconic GetWindowPlacement CharUpperW LoadStringW LoadAcceleratorsW GetSystemMenu RegisterClassExW LoadImageW LoadCursorW SetWindowPlacement CreateWindowExW GetDesktopWindow GetFocus LoadIconW SetWindowTextW PostQuitMessage RegisterWindowMessageW UpdateWindow SetScrollPos CharLowerW PeekMessageW EnableWindow DrawTextExW CreateDialogParamW GetWindowTextW GetSystemMetrics MoveWindow InvalidateRect WinHelpW GetDlgCtrlID ChildWindowFromPoint ScreenToClient GetCursorPos SendDlgItemMessageW SendMessageW CharNextW CheckMenuItem CloseClipboard IsClipboardFormatAvailable OpenClipboard GetMenuState EnableMenuItem GetSubMenu GetMenu MessageBoxW SetWindowLongW GetWindowLongW GetDlgItem SetFocus SetDlgItemTextW wsprintfW GetDlgItemTextW EndDialog GetParent UnhookWinEvent DispatchMessageW TranslateMessage TranslateAcceleratorW IsDialogMessageW PostMessageW GetMessageW SetWinEventHook |
Delayed Imports
1
2
3
4
5
6
7
8
9
1 (#2)
NPENCODINGDIALOG
11
12
14
1 (#3)
2 (#2)
3 (#2)
30
MAINACC
SLIPUPACC
2 (#3)
1 (#4)
1 (#5)
String Table contents
| Cannot open the %% file. |
| Make sure a disk is in the drive you specified. |
| Cannot find the %% file. |
| Do you want to create a new file? |
| The text in the %% file has changed. |
| Do you want to save the changes? |
| Untitled |
| - Notepad |
| Cannot find "%%" |
| Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again. |
| The %% file is too large for Notepad. |
| Use another editor to edit the file. |
| Notepad |
| Failed to Initialize File Dialogs. Change the Filename and try again. |
| Failed to Initialize Print Dialogs. Make sure that your printer is connected properly and use Control Panel to verify that the printer is configured properly. |
| Cannot print the %% file. Be sure that your printer is connected properly and use Control Panel to verify that the printer is configured properly. |
| Not a valid file name. |
| Cannot create the %% file. |
| Make sure that the path and filename are correct. |
| Cannot carry out the Word Wrap command because there is too much text in the file. |
| %% |
| notepad.hlp |
| &f |
| Page &p |
| Text Documents (*.txt) |
| All Files |
| Open |
| Save As |
| You cannot quit Windows because the Save As dialog |
| box in Notepad is open. Switch to Notepad, close this |
| dialog box, and then try quitting Windows again. |
| Cannot access your printer. |
| Be sure that your printer is connected properly and use Control Panel to verify that the printer is configured properly. |
| %% |
| You do not have permission to open this file. See the owner of the file or an administrator to obtain permission. |
| %% |
| This file contains characters in Unicode format which will be lost if you save this file as an ANSI encoded text file. To keep the Unicode information, click Cancel below and then select one of the Unicode options from the Encoding drop down list. Continue? |
| Page too small to print one line. |
| Try printing using smaller font. |
| Common Dialog error (0x%04x) |
| Notepad - Goto Line |
| Line number out of range |
| ANSI |
| Unicode |
| Unicode big endian |
| UTF-8 |
| Page %d |
| Ln %d, Col %d |
| Compressed, |
| Encrypted, |
| Hidden, |
| Offline, |
| ReadOnly, |
| System, |
| File |
| fFpPtTdDcCrRlL |
| Text Document |
Version Info
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 5.1.2600.5512 |
| ProductVersion | 5.1.2600.5512 |
| FileFlags | (EMPTY) |
| FileOs |
VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
|
| FileType |
VFT_APP
|
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Notepad |
| FileVersion (#2) | 5.1.2600.5512 (xpsp.080413-2105) |
| InternalName | Notepad |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | NOTEPAD.EXE |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion (#2) | 5.1.2600.5512 |
| Resource LangID | English - United States |
|---|
IMAGE_DEBUG_TYPE_CODEVIEW
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 2008-Apr-13 18:35:51 |
| Version | 0.0 |
| SizeofData | 36 |
| AddressOfRawData | 0x18f0 |
| PointerToRawData | 0xcf0 |
| Referenced File | notepad.pdb |
TLS Callbacks
Load Configuration
| Size | 0x48 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x1009604 |
| SEHandlerTable | 0x1001920 |
| SEHandlerCount | 1 |
RICH Header
| XOR Key | 0xf235e4a8 |
|---|---|
| Unmarked objects | 0 |
| ASM objects (VS2003 (.NET) build 4035) | 1 |
| C++ objects (VS2003 (.NET) build 4035) | 1 |
| Imports (VS2003 (.NET) build 4035) | 19 |
| Total imports | 203 |
| 94 (VS2003 (.NET) build 4035) | 1 |
| C objects (VS2003 (.NET) build 4035) | 23 |
| Linker (VS2003 (.NET) build 4035) | 1 |