analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

zldgfavz.vbs

Full analysis: https://app.any.run/tasks/2a796eae-c1ca-4df3-aa2a-594d492e73bb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 18, 2020, 11:11:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

7B6025A8C007FE3268C095B07CC3625F

SHA1:

7737611AAEF89477E9F6CFA94BF8A39513F2A057

SHA256:

950F2DF4B3AA3CAB48DEFBF6A8416B9CF8C16EBC8C10551FEDF605D5766E8C14

SSDEEP:

96:mYclc2kIlc2EyGjlc21hUofNeO/MM2mgmA/DGrMcfNA:gctMcByGBcKUpO/qvvGO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • npp.7.8.1.Installer.exe (PID: 408)
      • notepad++.exe (PID: 2872)
      • notepad++.exe (PID: 4000)

    • Application was dropped or rewritten from another process

      • npp.7.8.1.Installer.exe (PID: 408)
      • npp.7.8.1.Installer.exe (PID: 388)
      • notepad++.exe (PID: 4000)
      • notepad++.exe (PID: 2872)

    • Downloads executable files from the Internet

      • gup.exe (PID: 2304)

    • Registers / Runs the DLL via REGSVR32.EXE

      • npp.7.8.1.Installer.exe (PID: 408)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • gup.exe (PID: 2304)
      • npp.7.8.1.Installer.exe (PID: 408)

    • Creates files in the user directory

      • notepad++.exe (PID: 3924)
      • npp.7.8.1.Installer.exe (PID: 408)

    • Creates files in the program directory

      • npp.7.8.1.Installer.exe (PID: 408)

    • Creates COM task schedule object

      • regsvr32.exe (PID: 3356)

    • Executed via COM

      • explorer.exe (PID: 2864)

    • Creates a software uninstall entry

      • npp.7.8.1.Installer.exe (PID: 408)

  • INFO

    • Manual execution by user

      • notepad++.exe (PID: 3924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start wscript.exe no specs notepad++.exe gup.exe npp.7.8.1.installer.exe no specs npp.7.8.1.installer.exe regsvr32.exe no specs explorer.exe no specs explorer.exe no specs notepad++.exe notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
2448"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\zldgfavz.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3924"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\zldgfavz.vbs"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
2304"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
388"C:\Users\admin\AppData\Local\Temp\npp.7.8.1.Installer.exe" C:\Users\admin\AppData\Local\Temp\npp.7.8.1.Installer.exegup.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
3221226540
Version:
7.8.1.0
408"C:\Users\admin\AppData\Local\Temp\npp.7.8.1.Installer.exe" C:\Users\admin\AppData\Local\Temp\npp.7.8.1.Installer.exe
gup.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
HIGH
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.8.1.0
3356regsvr32 /s "C:\Program Files\Notepad++\NppShell_06.dll"C:\Windows\system32\regsvr32.exenpp.7.8.1.Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2916"C:\Windows\explorer.exe" "C:\Program Files\Notepad++\notepad++.exe"C:\Windows\explorer.exenpp.7.8.1.Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2864C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2872"C:\Program Files\Notepad++\notepad++.exe" C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.81
4000"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Notepad++\change.log" C:\Program Files\Notepad++\notepad++.exe
npp.7.8.1.Installer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
HIGH
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.81
Total events
863
Read events
646
Write events
0
Delete events
0

Modification events

No data
Executable files
15
Suspicious files
0
Text files
151
Unknown types
1

Dropped files

PID
Process
Filename
Type
408npp.7.8.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nso289E.tmp\ioSpecial.initext
MD5:5DF122795B20AE5561885A1B0C8607A8
SHA256:EBB31A1EB747B1F7C86016AAE94D29189251B98AE5B1E2B2625371F516AB3E4C
3924notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\session.xmltext
MD5:D26FCBA34D40AC6F18F21FF79657FE1E
SHA256:F43331B766A2DACB0EB922BD597B60D2584F764278CF84B17BFBE4164438D51F
408npp.7.8.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nso289E.tmp\modern-header.bmpimage
MD5:56DA15FDB8D96F8F5C649DCB5E79D775
SHA256:BB90D4338D2474138473E6B16E94B0237EE847BEA45019ED0DD4439C71BD233E
408npp.7.8.1.Installer.exeC:\Program Files\Notepad++\autoCompletion\cpp.xmlxml
MD5:E60CA42B12A8E816892894D321AB8D00
SHA256:B97FFA556F93EC4C51208B2AEA4F3D69411404C27F6EA12608AE84BEDBD76418
3924notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\config.xmlxml
MD5:6D01C44F66C15CAC6CBEB7681EE89F00
SHA256:6B9C9AF50F3AB883812A0922FE412BE911D27BECE519EBB6161982CDEDF12D2A
2304gup.exeC:\Users\admin\AppData\Local\Temp\npp.7.8.1.Installer.exeexecutable
MD5:741CAB59266B05A277C5DA306ECF1955
SHA256:D99718A113E86BD874AD4AAC3557A7190E8008352EB758716ED568AE3BF6B0E9
408npp.7.8.1.Installer.exeC:\Program Files\Notepad++\autoCompletion\cs.xmlxml
MD5:C9BC2ACDE59532D2A9B65E7F9CD55D4F
SHA256:32076A244AFD75A07CD38F1FA27B08EEA3A4A697111CDE8A1CB636C46C708C17
408npp.7.8.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nso289E.tmp\System.dllexecutable
MD5:0D7AD4F45DC6F5AA87F606D0331C6901
SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
408npp.7.8.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nso289E.tmp\modern-wizard.bmpimage
MD5:C2CF6928A3AB574A5548B4DC1C38B6C0
SHA256:2125550C12FA512782F2016E802D70BC51F4A06017CFBD4176B4A994EB2542F0
408npp.7.8.1.Installer.exeC:\Users\admin\AppData\Local\Temp\nso289E.tmp\InstallOptions.dllexecutable
MD5:05BF02DA51E717F79F6B5CBEA7BC0710
SHA256:CA092BA7F275B0C9000098CDD1A9876FE8DC050FCB40A0E8A1AB8335236E9DC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2304
gup.exe
GET
200
31.220.49.230:80
http://download.notepad-plus-plus.org/repository/7.x/7.8.1/npp.7.8.1.Installer.exe
US
executable
3.53 Mb
suspicious
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAxHWpoyfQpCuYL7zNoKQA4%3D
US
der
280 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2304
gup.exe
104.31.89.28:443
notepad-plus-plus.org
Cloudflare Inc
US
shared
2304
gup.exe
31.220.49.230:80
download.notepad-plus-plus.org
Hostinger International Limited
US
suspicious

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 104.31.89.28
  • 104.31.88.28
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
download.notepad-plus-plus.org
  • 31.220.49.230
suspicious

Threats

PID
Process
Class
Message
2304
gup.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
zldgfavz.vbs