download: | SetupEditPadLite.exe |
Full analysis: | https://app.any.run/tasks/849502f2-198d-4e54-b08c-7b42cffdf097 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 19:40:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 2CF172DE528D320AC093283D19BCCECA |
SHA1: | 53732657D6DEDA76081E87BFC02890D6063CE215 |
SHA256: | 4BE3D58F219A2A17D87531FD8B146ED445F554F8480130143F09AC0084DB3958 |
SSDEEP: | 196608:p3nSMBvRMm4XKPDKjSjmoCsnPK8MjXksqhibrahj9D72+ZU6d/eHSPwpfy2e6L:p5RMm46P2jSj/RnS17ks7rax9/yuwpqW |
.exe | | | Win32 Executable Delphi generic (31.9) |
---|---|---|
.scr | | | Windows screen saver (29.4) |
.dll | | | Win32 Dynamic Link Library (generic) (14.8) |
.exe | | | Win32 Executable (generic) (10.1) |
.exe | | | Win16/32 Executable Delphi generic (4.6) |
Comments: | This installation package is built with Just Great Software DeployMaster. Please visit http://www.DeployMaster.com for more information. |
---|---|
ProductVersion: | 7.6.5 |
ProductName: | DeployMaster |
OriginalFileName: | - |
LegalTrademarks: | - |
LegalCopyright: | Copyright © 1996-2019 Jan Goyvaerts |
InternalName: | Setup |
FileVersion: | 7.6.5 |
FileDescription: | EditPad Lite |
CompanyName: | Just Great Software |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 7.6.5.0 |
FileVersionNumber: | 7.6.5.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x80ac |
UninitializedDataSize: | - |
InitializedDataSize: | 21504 |
CodeSize: | 29184 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 2018:05:09 08:46:10+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-May-2018 06:46:10 |
Detected languages: |
|
CompanyName: | Just Great Software |
FileDescription: | EditPad Lite |
FileVersion: | 7.6.5 |
InternalName: | Setup |
LegalCopyright: | Copyright © 1996-2019 Jan Goyvaerts |
LegalTrademarks: | - |
OriginalFilename: | - |
ProductName: | DeployMaster |
ProductVersion: | 7.6.5 |
Comments: | This installation package is built with Just Great Software DeployMaster. Please visit http://www.DeployMaster.com for more information. |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 09-May-2018 06:46:10 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006F5C | 0x00007000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60788 |
.itext | 0x00008000 | 0x000000C8 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 2.66882 |
.data | 0x00009000 | 0x00000BA8 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.10859 |
.bss | 0x0000A000 | 0x00002848 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0000D000 | 0x000006DC | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.97815 |
.tls | 0x0000E000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0000F000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.204488 |
.rsrc | 0x00010000 | 0x00003E00 | 0x00003E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.26469 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.41478 | 1146 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.98052 | 872 | UNKNOWN | English - United States | RT_ICON |
3 | 2.72597 | 744 | UNKNOWN | English - United States | RT_ICON |
4 | 2.88001 | 3240 | UNKNOWN | English - United States | RT_ICON |
5 | 4.05871 | 7336 | UNKNOWN | English - United States | RT_ICON |
DVCLAL | 4 | 16 | UNKNOWN | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.16681 | 204 | UNKNOWN | UNKNOWN | RT_RCDATA |
MAINICON | 2.91718 | 76 | UNKNOWN | English - United States | RT_GROUP_ICON |
advapi32.dll |
kernel32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3288 | "C:\Users\admin\AppData\Local\Temp\SetupEditPadLite.exe" | C:\Users\admin\AppData\Local\Temp\SetupEditPadLite.exe | explorer.exe | |
User: admin Company: Just Great Software Integrity Level: MEDIUM Description: EditPad Lite Exit code: 0 Version: 7.6.5 | ||||
2504 | "C:\Users\admin\AppData\Local\Temp\SetupEditPadLite2.exe" "C:\Users\admin\AppData\Local\Temp\SetupEditPadLite.exe" /noadmin | C:\Users\admin\AppData\Local\Temp\SetupEditPadLite2.exe | SetupEditPadLite.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3564 | "C:\Users\admin\AppData\Local\Temp\SetupEditPadLite2.exe" "C:\Users\admin\AppData\Local\Temp\SetupEditPadLite.exe" /elevate /noadmin | C:\Users\admin\AppData\Local\Temp\SetupEditPadLite2.exe | SetupEditPadLite2.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
1880 | "C:\Program Files\Just Great Software\EditPad Lite 7\EditPadLite7.exe" | C:\Program Files\Just Great Software\EditPad Lite 7\EditPadLite7.exe | SetupEditPadLite2.exe | |
User: admin Company: Just Great Software Integrity Level: MEDIUM Description: EditPad Lite Exit code: 0 Version: 7.6.5.6974 | ||||
3280 | "C:\Program Files\Just Great Software\EditPad Lite 7\EditPadLite7.exe" | C:\Program Files\Just Great Software\EditPad Lite 7\EditPadLite7.exe | — | explorer.exe |
User: admin Company: Just Great Software Integrity Level: MEDIUM Description: EditPad Lite Exit code: 0 Version: 7.6.5.6974 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1880 | EditPadLite7.exe | C:\Users\admin\AppData\Roaming\JGsoft\EditPad Lite 7\EditPadLite7.ini | text | |
MD5:338ACF0559A2804C66B27FB4AF497C5C | SHA256:F009D1B6B74A7EE6F36A82510C606491A4504DB39B4BDA5E0D92100CCAFA93E2 | |||
3564 | SetupEditPadLite2.exe | C:\Program Files\Just Great Software\EditPad Lite 7\EditPadPro7.chm | chm | |
MD5:1BD34F92FC283B77F36AFE1CAF15DB85 | SHA256:347F6584727B75819DF465CCA5341D05367814A3E17B3EAE986D701DEE928BBA | |||
1880 | EditPadLite7.exe | C:\Users\admin\AppData\Roaming\JGsoft\News.ini | text | |
MD5:7F10445E06A5221836147989DA249B45 | SHA256:3FD44A83C69A953BD9E31AFD49FB04129DFB40BAF156E45E7F7B89CC88FAFF6E | |||
3564 | SetupEditPadLite2.exe | C:\Users\Public\Desktop\EditPad Lite 7.lnk | lnk | |
MD5:B694689C7424D138E380D6C6E9A1B4D6 | SHA256:3DBFF4C230529286BA17A1E5424929B813C41D255B108C38A827883931CEE8DF | |||
3564 | SetupEditPadLite2.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPad Lite 7.lnk | lnk | |
MD5:61C06D252054B85264621691F06128FD | SHA256:7EFBC7839B8B4E41ADC617B7C1E9E3467059BE091C10FC8400AD9FE08903684A | |||
3288 | SetupEditPadLite.exe | C:\Users\admin\AppData\Local\Temp\SetupEditPadLite2.exe | executable | |
MD5:BEA01E5FE84023CE76AFBD432C11C2B8 | SHA256:9FA38C9248940B787F4245CB771AA85DB5C0B28AF204DDC64CF4496F1C953C05 | |||
2504 | SetupEditPadLite2.exe | C:\Users\admin\AppData\Local\Temp\LICENSE_LITE.txt | text | |
MD5:D2C27DD4D55D4B26F83C7E5108DEA30A | SHA256:AD0B33BDE3430477832CCF7F08BF1B2D59376679EF11508647568D03170F5E14 | |||
3564 | SetupEditPadLite2.exe | C:\Program Files\Just Great Software\EditPad Lite 7\Deploy.log | text | |
MD5:D6CD416C0F03C946E96FD8406F2918F1 | SHA256:C5E047F5F45C6BB0DA2A626385C8A487026A614A5B488970F19FE6E6A3A5C979 | |||
3564 | SetupEditPadLite2.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\EditPad Lite 7.lnk | lnk | |
MD5:E8F9A4EA341889D74786FB9770BA2121 | SHA256:7F25EC0CF1BF3452E8251D5DECB26FAC7E252A25516141B1AD231165E275C355 | |||
3564 | SetupEditPadLite2.exe | C:\Program Files\Just Great Software\EditPad Lite 7\EditPadLite7.exe | executable | |
MD5:A3FCA6FCD431B030DA206518A5AD134C | SHA256:ADAA1140DDFB91B9551036BB75861F0EDC11943F4B04FD2A382A3F410F6F1DAC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1880 | EditPadLite7.exe | POST | 200 | 216.92.20.37:80 | http://news.jgsoft.com/cgi-bin/news | US | binary | 19 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1880 | EditPadLite7.exe | 216.92.20.37:80 | news.jgsoft.com | pair Networks | US | suspicious |
Domain | IP | Reputation |
---|---|---|
news.jgsoft.com |
| suspicious |