File name: | npp.7.7.1.Installer.exe |
Full analysis: | https://app.any.run/tasks/20851705-dc85-4be2-a192-cd46b4a3be8f |
Verdict: | Malicious activity |
Analysis date: | September 11, 2019, 02:01:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | A327DD44A4E2F0E35364BDE7C4A59718 |
SHA1: | 071A81782D88810B0084BD2162C67CF0FF3AD13F |
SHA256: | 6787C524B0AC30A698237FFB035F932D7132343671B8FE8F0388ED380D19A51C |
SSDEEP: | 98304:LvP59bXolEMWzIcUKUwQOC8bz3JICi29jv:LzXol70/U5wBf3Jli29jv |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
ProductVersion: | 7.71 |
---|---|
ProductName: | Notepad++ |
LegalCopyright: | Copyleft 1998-2017 by Don HO |
FileVersion: | 7.7.1.0 |
FileDescription: | Notepad++ : a free (GNU) source code editor |
CompanyName: | Don HO [email protected] |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 7.7.1.0 |
FileVersionNumber: | 7.7.1.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x34a5 |
UninitializedDataSize: | 2048 |
InitializedDataSize: | 141824 |
CodeSize: | 26112 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2018:12:15 23:24:36+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 15-Dec-2018 22:24:36 |
Detected languages: |
|
CompanyName: | Don HO [email protected] |
FileDescription: | Notepad++ : a free (GNU) source code editor |
FileVersion: | 7.7.1.0 |
LegalCopyright: | Copyleft 1998-2017 by Don HO |
ProductName: | Notepad++ |
ProductVersion: | 7.71 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 15-Dec-2018 22:24:36 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006409 | 0x00006600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41619 |
.rdata | 0x00008000 | 0x00001396 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.15491 |
.data | 0x0000A000 | 0x00020358 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.0044 |
.ndata | 0x0002B000 | 0x0001A000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00045000 | 0x000261E0 | 0x00026200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.73113 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.27873 | 1260 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 7.98841 | 51130 | UNKNOWN | English - United States | RT_ICON |
3 | 4.21656 | 9640 | UNKNOWN | English - United States | RT_ICON |
4 | 4.57578 | 4264 | UNKNOWN | English - United States | RT_ICON |
5 | 5.04764 | 1128 | UNKNOWN | English - United States | RT_ICON |
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.67841 | 76 | UNKNOWN | English - United States | RT_GROUP_ICON |
104 | 2.67285 | 344 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.67385 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3728 | "C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exe" | C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exe | — | explorer.exe |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 3221226540 Version: 7.7.1.0 | ||||
2624 | "C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exe" | C:\Users\admin\AppData\Local\Temp\npp.7.7.1.Installer.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: HIGH Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.7.1.0 | ||||
3716 | regsvr32 /s "C:\Program Files\Notepad++\NppShell_06.dll" | C:\Windows\system32\regsvr32.exe | — | npp.7.7.1.Installer.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2428 | "C:\Windows\explorer.exe" "C:\Program Files\Notepad++\notepad++.exe" | C:\Windows\explorer.exe | — | npp.7.7.1.Installer.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3176 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1073807364 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
408 | "C:\Program Files\Notepad++\notepad++.exe" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.71 | ||||
3784 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.71 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: WinGup for Notepad++ Exit code: 0 Version: 5.1 | ||||
3468 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Notepad++\change.log" | C:\Program Files\Notepad++\notepad++.exe | npp.7.7.1.Installer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: HIGH Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.71 | ||||
852 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
276 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1073807364 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
852 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | |
MD5:12B7DAAEAC62822D64B1DC9CF00A1959 | SHA256:D0B7F56E9304F87E9F14ABF6C9D4349A9778C2FA788DA8B62B5D31C286CA87A1 | |||
2624 | npp.7.7.1.Installer.exe | C:\Users\admin\AppData\Local\Temp\nswA186.tmp\ioSpecial.ini | text | |
MD5:CBB9A2BC1EF4DBB61FE57108860B3746 | SHA256:9FDB9E92AE8826AA8952CABCFAB5F11219212B8F7220EEEB812D151ADBBA9782 | |||
2624 | npp.7.7.1.Installer.exe | C:\Program Files\Notepad++\autoCompletion\cpp.xml | xml | |
MD5:E60CA42B12A8E816892894D321AB8D00 | SHA256:B97FFA556F93EC4C51208B2AEA4F3D69411404C27F6EA12608AE84BEDBD76418 | |||
2624 | npp.7.7.1.Installer.exe | C:\Program Files\Notepad++\autoCompletion\cs.xml | xml | |
MD5:C9BC2ACDE59532D2A9B65E7F9CD55D4F | SHA256:32076A244AFD75A07CD38F1FA27B08EEA3A4A697111CDE8A1CB636C46C708C17 | |||
2624 | npp.7.7.1.Installer.exe | C:\Users\admin\AppData\Local\Temp\nswA186.tmp\modern-wizard.bmp | image | |
MD5:C2CF6928A3AB574A5548B4DC1C38B6C0 | SHA256:2125550C12FA512782F2016E802D70BC51F4A06017CFBD4176B4A994EB2542F0 | |||
2624 | npp.7.7.1.Installer.exe | C:\Users\admin\AppData\Local\Temp\nswA186.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
2624 | npp.7.7.1.Installer.exe | C:\Users\admin\AppData\Local\Temp\nswA186.tmp\InstallOptions.dll | executable | |
MD5:05BF02DA51E717F79F6B5CBEA7BC0710 | SHA256:CA092BA7F275B0C9000098CDD1A9876FE8DC050FCB40A0E8A1AB8335236E9DC5 | |||
2624 | npp.7.7.1.Installer.exe | C:\Users\admin\AppData\Local\Temp\nswA186.tmp\LangDLL.dll | executable | |
MD5:AB1DB56369412FE8476FEFFFD11E4CC0 | SHA256:6F14C8F01F50A30743DAC68C5AC813451463DFB427EB4E35FCDFE2410E1A913B | |||
2624 | npp.7.7.1.Installer.exe | C:\Users\admin\AppData\Local\Temp\nswA186.tmp\modern-header.bmp | image | |
MD5:56DA15FDB8D96F8F5C649DCB5E79D775 | SHA256:BB90D4338D2474138473E6B16E94B0237EE847BEA45019ED0DD4439C71BD233E | |||
2624 | npp.7.7.1.Installer.exe | C:\Program Files\Notepad++\autoCompletion\perl.xml | xml | |
MD5:244EB5C1E91DC112130252FE58E49B13 | SHA256:E38A882B09330B6DBD56A2A4A90882C371A3C3EB7D29CEAE9520A647C185B627 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3784 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
Domain | IP | Reputation |
---|---|---|
notepad-plus-plus.org |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|