b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9

Analysis

max time kernel
98s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
Size

2.9MB
MD5

845b03a8f6ec388e0f48cd9b4a5a34cd
SHA1

46eb8f831ea4344d0ca9988b59898781800026d3
SHA256

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9
SHA512

b0dafb902e81732ccd5875877ff125f356e6cfa2577d73bfe465eb3912e5ec155450cb98891827c3465dca534005d23967c64a003f20436f85547dec29dc9f83
SSDEEP

49152:LgwRLML6727St6ROhoyFgrNu0ucsw0kRscQRgCVMoFs6zMGPJR0I3KVooUyEHIFx:LgwRw3DROho6oE06kqcG9vAKJR3aUyEY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

mshta.exeWScript.exe

pid process

1696 mshta.exe
1748 WScript.exe

pid	process
1696	mshta.exe
1748	WScript.exe

Drops file in Program Files directory 64 IoCs

Processes:

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.execmd.exe

description	ioc	process
File opened for modification	C:\Program Files\Notepad3_x86\grepWinNP3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\np3lng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\卸载.cmd	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Themes\Obsidian.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes\Obsidian.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\lng\np3lng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\卸载.cmd	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\zh-CN	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\minipath.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Themes\Sombra.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\lng\zh-CN\np3lng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\minipath.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\grepWinNP3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3\minipath.ini	cmd.exe
File created	C:\Program Files\Notepad3_x64\minipath.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\lng\zh-CN\np3lng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Notepad3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Themes\Obsidian.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Notepad3.exe	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\zh-CN	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3\Notepad3.ini	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes\Sombra.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\minipath.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\zh-CN\np3lng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\grepWinNP3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Notepad3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\用Notepad3打开.CMD	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Notepad3.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Themes\Obsidian.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Themes\Sombra.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\lng\zh-CN\mplng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\np3lng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\lng\zh-CN\np3lng.dll.mui	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3\Win7.vbs	cmd.exe
File opened for modification	C:\Program Files\Notepad3_x86\卸载.cmd	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x86\lng\np3lng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\grepWinNP3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\minipath.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\lng\mplng.dll	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Themes\Sombra.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File created	C:\Program Files\Notepad3_x64\Notepad3.exe	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x64\Themes	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\Notepad3_x86\Themes\Dark.ini	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
File opened for modification	C:\Program Files\用Notepad3打开.CMD	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open with Notepad3\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open with Notepad3\command\ = "\"C:\\Program Files\\Notepad3\\Notepad3.exe\" \"%1\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open with Notepad3	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Open with Notepad3\Icon = "C:\\Program Files\\Notepad3\\Notepad3.exe,0"	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1896 PING.EXE
1724 PING.EXE

pid	process
1896	PING.EXE
1724	PING.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.execmd.execmd.exe

description	pid	process	target process
PID 1440 wrote to memory of 268	1440	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe	cmd.exe
PID 1440 wrote to memory of 268	1440	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe	cmd.exe
PID 1440 wrote to memory of 268	1440	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe	cmd.exe
PID 1440 wrote to memory of 268	1440	b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe	cmd.exe
PID 268 wrote to memory of 752	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 752	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 752	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1428	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1428	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1428	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1812	268	cmd.exe	xcopy.exe
PID 268 wrote to memory of 1812	268	cmd.exe	xcopy.exe
PID 268 wrote to memory of 1812	268	cmd.exe	xcopy.exe
PID 268 wrote to memory of 1564	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1564	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1564	268	cmd.exe	reg.exe
PID 268 wrote to memory of 544	268	cmd.exe	reg.exe
PID 268 wrote to memory of 544	268	cmd.exe	reg.exe
PID 268 wrote to memory of 544	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1016	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1016	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1016	268	cmd.exe	cmd.exe
PID 1016 wrote to memory of 736	1016	cmd.exe	reg.exe
PID 1016 wrote to memory of 736	1016	cmd.exe	reg.exe
PID 1016 wrote to memory of 736	1016	cmd.exe	reg.exe
PID 268 wrote to memory of 1696	268	cmd.exe	mshta.exe
PID 268 wrote to memory of 1696	268	cmd.exe	mshta.exe
PID 268 wrote to memory of 1696	268	cmd.exe	mshta.exe
PID 268 wrote to memory of 1896	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 1896	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 1896	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 1748	268	cmd.exe	WScript.exe
PID 268 wrote to memory of 1748	268	cmd.exe	WScript.exe
PID 268 wrote to memory of 1748	268	cmd.exe	WScript.exe
PID 268 wrote to memory of 1724	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 1724	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 1724	268	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe
"C:\Users\Admin\AppData\Local\Temp\b9e274bd68a5098e9ebf3616c5573c61741e69dc8fee5f682afab6ae82cd7ca9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\cmd.exe
cmd /c ""C:\Program Files\用Notepad3打开.CMD" "
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo d"
3⤵
PID:1428

C:\Windows\system32\xcopy.exe
xcopy /h /e Themes "C:\Users\Admin\AppData\Roaming\Rizonesoft\Notepad3\Themes"
3⤵
PID:1812

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Classes\*\shell\Open with Notepad3" /f /v "Icon" /t REG_SZ /d "C:\Program Files\Notepad3\Notepad3.exe,0"
3⤵
- Modifies registry class
PID:1564

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Classes\*\shell\Open with Notepad3\command" /f /ve /t REG_SZ /d "\"C:\Program Files\Notepad3\Notepad3.exe\" \"%1\""
3⤵
- Modifies registry class
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Programs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Programs"
4⤵
PID:736

C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad3.lnk""):b.TargetPath=""C:\Program Files\Notepad3\Notepad3.EXE"":b.WorkingDirectory=""C:\Program Files\Notepad3\"":b.Save:close")
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
PID:1696

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:1896

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\Notepad3\Win7.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad3.lnk"
3⤵
- Loads dropped DLL
PID:1748

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 5
3⤵
- Runs ping.exe
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad3\Notepad3.exe
Filesize
4.1MB

MD5
a515b278964f9cef43b57e7b347a5efb

SHA1
768dcdeea59589921c89d41ea745d1b93944e86c

SHA256
27d99690f13a25354b31765c5c9ac14ca5f746f021eef13c4b62aff90e595ac6

SHA512
ff0db02b77f4d60c7d8446988f9fbd1c4510f1a3c432660bcc23b18226b58b2c4659c869b36979df6c46b7f46ff07d21eafc27f9304583c0d8ebc7532d61b143

Download Submit
C:\Program Files\Notepad3\Notepad3.ini
Filesize
4KB

MD5
ec3cdc5c801f2a9e185e9026befff401

SHA1
64f312fa60663e28bbfc2c94400ce881e5e71c5e

SHA256
16748ed97496fedbc33814211b0f8890b5b88e25a26f8509f0b6d919aac7510f

SHA512
e118f6c19a101c6fbb836234aaedb3b9820de572a22f9e3c8a0fc4d16616d677ae419a6d316829c4d04f6d351dea60005ee37da921d653948b8cde0536d63f69

Download Submit
C:\Program Files\Notepad3\Themes\Dark.ini
Filesize
18KB

MD5
da74cf834e686c51ae6952d86c2f3a2b

SHA1
ecc20f62f35cb7fa4d4186bad30f5e18a3a3c3d9

SHA256
f49417e55e64b0649fa8308f3fe337cdf38589981fdf017240830ef9fe782380

SHA512
f780d4cd766227510f087438d155d7df36121671054d795abaedbae1b9f90ec0271caba518faef1684b300ffa66273f5895e07c31e8af2dbab2b96d27c522379

Download Submit
C:\Program Files\Notepad3\Themes\Obsidian.ini
Filesize
18KB

MD5
88f0328d12fc95ffdb03cb54104dd5ad

SHA1
2505e0383b11881b63606237f1cff7e4dfe3f6ac

SHA256
23df89332abd4803f37770793364357d050f32b7fe8607fc84fe1b299acf759e

SHA512
baa28fa95f3d17525288a11fd20f8ee7e201ee22347234f6e4774ab94c0a1db108457cdf4d14eddd53e7b982b46f4389e671a513fa69dc4fd6ab525643078314

Download Submit
C:\Program Files\Notepad3\Themes\Sombra.ini
Filesize
18KB

MD5
92e069b51a1367083e93ac8f9dc62355

SHA1
35b659c34ecae695e8cee868616c57c152b9c2b0

SHA256
0e254e9623f8256bb20fb8bfdcd73e94aab120bf3afb801155686f8e3c2412e4

SHA512
e9308e8cd1f2fc4a13944683e628ea954963069a5eb15e7198c3a5145bc0ac9dccc4fc5b72b0afdd30cd47dc52039bbb7a39117cfe4fb4d76c5fba2f1957b266

Download Submit
C:\Program Files\Notepad3\Win7.vbs
Filesize
580B

MD5
f8d9c484ad60682cfd9649fd5c29bbb1

SHA1
2bc495046a806870b10f4fe6eadb6df4b8699e84

SHA256
661815c94631b7d2c459f5688232b66c595b8c99a48cb3b745363b4a1877e7ea

SHA512
5e6c1b9e57377d1b62425081a2d854e119565bbcaf23af6111fcd7969633972cd4032ee804b45218f61f7898a7ce156bc4c9a54494cc1e9b2842851cb8922d0d

Download Submit
C:\Program Files\Notepad3\minipath.ini
Filesize
4KB

MD5
74442050efaf0ebfd26fa5e7654f5c7e

SHA1
822d865d8fc05eb53d7e34388a943e89119d948c

SHA256
da1801467202a178271798527a7bb3fbe7b5c7793ade3c923835f205cb7801b4

SHA512
ba7c568fc779928c8b5ab695710416d26c71f41d447047cb768c04af3f46bb831fc9ad48d39f7948ef5cec198b3200f727a2ba4edf17c0def2bd57b7bed26219

Download Submit
C:\Program Files\Notepad3_x86\0DE1~1.CMD
Filesize
3KB

MD5
693b21d715d618712b2016b4b3bc456b

SHA1
c8dbbab692839f8f01b320fcd10c47259e8af1e3

SHA256
fb0f69c2295ffde66f5af7919c9069f0dde7e7f2730149380864d1b8f426b9ef

SHA512
95c9580c2ccc020cfbc3707dab903e4b64d97ce28ec88654d833864f3fee8756af9f27f28f2ad3ae2762d17863d333c04e5c30e6ccfa03a9b3b856a02d3d986e

Download Submit
C:\Program Files\Notepad3_x86\GREPWI~1.EXE
Filesize
1.1MB

MD5
e7fd612088003210d7c560fc1ae22ce7

SHA1
7f2d99eb93b77b6ef2eafebaed36d955466efdc4

SHA256
061e3c57c9ba346a108a8bbfbbf9916cff4114acf6ef90968408541148583165

SHA512
155200a1df7929b02257905656246d42c79f47f8269989064576170a186c3b70dbbc93ac713d10a579f1302e2b33a1db6d12caf368a597ee8f44ec25f4c2c068

Download Submit
C:\Program Files\Notepad3_x86\Notepad3.exe
Filesize
3.7MB

MD5
7b1fd97e51570bbe68d48151fcef0157

SHA1
2bbe9b61cd8607bf5f2b3fe8b336132bd17c9a89

SHA256
d1229a282ca69c4e8f0e6af5b392d53cec65cc7df53a158874d5b909372a3ce4

SHA512
8c8fc9c99dcb93436859831e607ecdc231095b7c8dc34b72ba307b53978ba1a7bb475499a97b18db0efd9ff31f88212e0589debb6ab0d027620d1cffd72a227d

Download Submit
C:\Program Files\Notepad3_x86\Notepad3.ini
Filesize
4KB

MD5
ec3cdc5c801f2a9e185e9026befff401

SHA1
64f312fa60663e28bbfc2c94400ce881e5e71c5e

SHA256
16748ed97496fedbc33814211b0f8890b5b88e25a26f8509f0b6d919aac7510f

SHA512
e118f6c19a101c6fbb836234aaedb3b9820de572a22f9e3c8a0fc4d16616d677ae419a6d316829c4d04f6d351dea60005ee37da921d653948b8cde0536d63f69

Download Submit
C:\Program Files\Notepad3_x86\Themes\Dark.ini
Filesize
18KB

MD5
da74cf834e686c51ae6952d86c2f3a2b

SHA1
ecc20f62f35cb7fa4d4186bad30f5e18a3a3c3d9

SHA256
f49417e55e64b0649fa8308f3fe337cdf38589981fdf017240830ef9fe782380

SHA512
f780d4cd766227510f087438d155d7df36121671054d795abaedbae1b9f90ec0271caba518faef1684b300ffa66273f5895e07c31e8af2dbab2b96d27c522379

Download Submit
C:\Program Files\Notepad3_x86\Themes\Obsidian.ini
Filesize
18KB

MD5
88f0328d12fc95ffdb03cb54104dd5ad

SHA1
2505e0383b11881b63606237f1cff7e4dfe3f6ac

SHA256
23df89332abd4803f37770793364357d050f32b7fe8607fc84fe1b299acf759e

SHA512
baa28fa95f3d17525288a11fd20f8ee7e201ee22347234f6e4774ab94c0a1db108457cdf4d14eddd53e7b982b46f4389e671a513fa69dc4fd6ab525643078314

Download Submit
C:\Program Files\Notepad3_x86\Themes\Sombra.ini
Filesize
18KB

MD5
92e069b51a1367083e93ac8f9dc62355

SHA1
35b659c34ecae695e8cee868616c57c152b9c2b0

SHA256
0e254e9623f8256bb20fb8bfdcd73e94aab120bf3afb801155686f8e3c2412e4

SHA512
e9308e8cd1f2fc4a13944683e628ea954963069a5eb15e7198c3a5145bc0ac9dccc4fc5b72b0afdd30cd47dc52039bbb7a39117cfe4fb4d76c5fba2f1957b266

Download Submit
C:\Program Files\Notepad3_x86\lng\mplng.dll
Filesize
18KB

MD5
bc3795d69643740772716c66b6856ef7

SHA1
dfdb788b9466748be3e514aeb1d9925cd8d4a832

SHA256
8da7e326335b7ac4b3c47cee5f88f088ca8beda7654a87395ec874c99d78b470

SHA512
733514513c37d41d429742cda5a39ceccbf557bbaf67f29f3d13ce12c4568f9b1280f8b683350351c7f4fa1e147f2e198910e322936653c212ab800af27862b5

Download Submit
C:\Program Files\Notepad3_x86\lng\np3lng.dll
Filesize
18KB

MD5
662b349c0bfad28068cff6ef88f4a01c

SHA1
8177b76e4356fe403313e2030fabfa812b8ba622

SHA256
fd4d476578b52aad9470aedb6c9337fa547bf183b98ae519751c1ec625ad5928

SHA512
f7ddd6fba6c9fb2d1b1ba6c89e1a629b12d2faec0aafc6d96d8f87ecc016828d4f64cea93a84ad6ab6fb54497584ee3d9fa14d45980596009e7b1e49173d8ffa

Download Submit
C:\Program Files\Notepad3_x86\lng\zh-CN\MPLNGD~1.MUI
Filesize
143KB

MD5
68d722e61e42502f4c95a2467a7901b0

SHA1
2fc7a32eb02f39da718ac5117cae911220877224

SHA256
ac3db310402281afd2fbf1e84b2c93c45d867e08212b2b357b99095a03587d35

SHA512
0704cf18aa867307f57b97a17b21b8e3b09567af397e3b52298ed4e999349d7cb5828f58a4431267123485042d606134a4660b6c207e1d9d70f64c523940448b

Download Submit
C:\Program Files\Notepad3_x86\lng\zh-CN\NP3LNG~1.MUI
Filesize
307KB

MD5
6cf1c4390e2e4fbc8a1628212ddd0c35

SHA1
15e68382bc5642f1f6432275a47e4e3d82ea715a

SHA256
57789e75c59ce179dabba39883f657262abc70a3958df5eb6c216cc60a8e6ba6

SHA512
0e526a57ec682e402c4442b7136e0b9ac0eb620a48f630906bea7b08e88b80fbe99728c91e5f142a771ec1aba38eb658fb2e503afe1b2b07a37c8c1af4cd3911

Download Submit
C:\Program Files\Notepad3_x86\minipath.exe
Filesize
937KB

MD5
ea34b7087241c749f5d533c0a3685cfe

SHA1
3e137440093b4d217d13e666dc934226db694bab

SHA256
009a0f766cbe9b5a972bc26ef649aabae0a2a62319133a747d3fc915168b7260

SHA512
bab976b9ed87a5d3664d6d869400b1118731261646b8a7c6f8f2984d56f4c265f1edbca14da96c8b652704a2cd64118927824250864cf4d38c2c18f5b9f5fca8

Download Submit
C:\Program Files\Notepad3_x86\minipath.ini
Filesize
4KB

MD5
74442050efaf0ebfd26fa5e7654f5c7e

SHA1
822d865d8fc05eb53d7e34388a943e89119d948c

SHA256
da1801467202a178271798527a7bb3fbe7b5c7793ade3c923835f205cb7801b4

SHA512
ba7c568fc779928c8b5ab695710416d26c71f41d447047cb768c04af3f46bb831fc9ad48d39f7948ef5cec198b3200f727a2ba4edf17c0def2bd57b7bed26219

Download Submit
C:\Program Files\用Notepad3打开.CMD
Filesize
16KB

MD5
82320cc2587c6eb1f408365b2684de92

SHA1
ac5997ea30cddafac8cf22962d2a650e376a69aa

SHA256
ee042523849005185b464337dfa508c3a33b120f9442a3c7f7dd6fb33bf010f8

SHA512
276063245c24530562ccc0d3c9443bf58b22770b3a07ff6c90d2b2b85131250f07e105686e9ca1ca9533bd3efdd0d9c90977680a067b16f6cd8e64b76e06a6a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad3.lnk
Filesize
1004B

MD5
e80ecbfc020a7b1d667588dd98057621

SHA1
e7f58a4fd826220ac0498094d7754198c592c1fe

SHA256
1207201ad818e23423fca78d62b7c5b3df01a817ec85e3bbe73fe1946573ed24

SHA512
d7f5e8a3046729e07f2306a32a146ab83fc7a4803a00cc64d4e3cb6cc00f65c830d801a9140348e2134cb36790a01f181a904a76f2077f89b2b53d9d4963df44

Download Submit
\Program Files\Notepad3\Notepad3.exe
Filesize
4.1MB

MD5
a515b278964f9cef43b57e7b347a5efb

SHA1
768dcdeea59589921c89d41ea745d1b93944e86c

SHA256
27d99690f13a25354b31765c5c9ac14ca5f746f021eef13c4b62aff90e595ac6

SHA512
ff0db02b77f4d60c7d8446988f9fbd1c4510f1a3c432660bcc23b18226b58b2c4659c869b36979df6c46b7f46ff07d21eafc27f9304583c0d8ebc7532d61b143

Download Submit
\Program Files\Notepad3\Notepad3.exe
Filesize
4.1MB

MD5
a515b278964f9cef43b57e7b347a5efb

SHA1
768dcdeea59589921c89d41ea745d1b93944e86c

SHA256
27d99690f13a25354b31765c5c9ac14ca5f746f021eef13c4b62aff90e595ac6

SHA512
ff0db02b77f4d60c7d8446988f9fbd1c4510f1a3c432660bcc23b18226b58b2c4659c869b36979df6c46b7f46ff07d21eafc27f9304583c0d8ebc7532d61b143

Download Submit
memory/268-86-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/268-55-0x0000000000000000-mapping.dmp

Download
memory/544-79-0x0000000000000000-mapping.dmp

Download
memory/736-81-0x0000000000000000-mapping.dmp

Download
memory/752-57-0x0000000000000000-mapping.dmp

Download
memory/1016-80-0x0000000000000000-mapping.dmp

Download
memory/1428-73-0x0000000000000000-mapping.dmp

Download
memory/1440-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1564-78-0x0000000000000000-mapping.dmp

Download
memory/1696-82-0x0000000000000000-mapping.dmp

Download
memory/1724-106-0x0000000000000000-mapping.dmp

Download
memory/1748-98-0x0000000000000000-mapping.dmp

Download
memory/1812-74-0x0000000000000000-mapping.dmp

Download
memory/1896-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads