File name: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a8

Full analysis: https://app.any.run/tasks/6b53b2c9-8b80-44de-a10f-9e30f8eb54a2
Verdict: Malicious activity
Analysis date: November 15, 2023, 07:12:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: BB24BFE6B03ED859D38D7AC653617417
SHA1: 583C4CC65A1AF4A1EEB31586E89CD6AAE96EE177
SHA256: D50A46E7FFB799D501D60D9D3689D0B3FBE668D16AA421D67216269F83974220
SSDEEP: 98304:EJ8pX14oqWQJKRpJVuNRijNTnEMeK/wyGHHIPdmHSSzGPYWhZm0s2tlOnsmMz4Hf:Ejpe7AOlODE+D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • f_0000a8.exe (PID: 3228)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • f_0000a8.exe (PID: 3228)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • f_0000a8.exe (PID: 3228)
  • INFO

    • Checks supported languages

      • f_0000a8.exe (PID: 3228)
    • Reads the computer name

      • f_0000a8.exe (PID: 3228)
    • Create files in a temporary directory

      • f_0000a8.exe (PID: 3228)
    • Reads Environment values

      • f_0000a8.exe (PID: 3228)
No Malware configuration.

TRiD

Ext | Description | Match (%)
.exe | Win32 Executable MS Visual C++ (generic) | 67.4
.dll | Win32 Dynamic Link Library (generic) | 14.2
.exe | Win32 Executable (generic) | 9.7
.exe | Generic Win/DOS Executable | 4.3
.exe | DOS Executable Generic | 4.3

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 23:56:47+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.5.8.0
ProductVersionNumber: 8.5.8.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Don HO don.h@free.fr
FileDescription: Notepad++ : a free (GNU) source code editor
FileVersion: 8.5.8.0
LegalCopyright: Copyleft 1998-2017 by Don HO
ProductName: Notepad++
ProductVersion: 8.58
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes shown: start; f_0000a8.exe; f_0000a8.exe (no specs). The interactive graph is available in the full report.

Process information

PID | CMD | Path | Indicators | Parent process
3228 | "C:\Users\admin\Desktop\f_0000a8.exe" | C:\Users\admin\Desktop\f_0000a8.exe | - | explorer.exe
  User: admin
  Company: Don HO don.h@free.fr
  Integrity Level: HIGH
  Description: Notepad++ : a free (GNU) source code editor
  Exit code: 2
  Version: 8.5.8.0
  Modules (images):
    c:\users\admin\desktop\f_0000a8.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\shlwapi.dll

3448 | "C:\Users\admin\Desktop\f_0000a8.exe" | C:\Users\admin\Desktop\f_0000a8.exe | - | explorer.exe
  User: admin
  Company: Don HO don.h@free.fr
  Integrity Level: MEDIUM
  Description: Notepad++ : a free (GNU) source code editor
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 8.5.8.0
  Modules (images):
    c:\users\admin\desktop\f_0000a8.exe
    c:\windows\system32\ntdll.dll
Total events: 60
Read events: 60
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3228 | f_0000a8.exe | C:\Users\admin\AppData\Local\Temp\nsp69BC.tmp | binary
  MD5: 909412BC2CC22ADFB48FF6AB6F1A31EC
  SHA256: 178F5DD5434A309B5D3366D9F57A5EAC9DB7E517E78619184655DC797E9B860E
3228 | f_0000a8.exe | C:\Users\admin\AppData\Local\Temp\nsu69DC.tmp\System.dll | executable
  MD5: CFF85C549D536F651D4FB8387F1976F2
  SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
3228 | f_0000a8.exe | C:\Users\admin\AppData\Local\Temp\nsu69DC.tmp\LangDLL.dll | executable
  MD5: 68B287F4067BA013E34A1339AFDB1EA8
  SHA256: 18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:Port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info