File name: KDiff3-64bit-Setup_0.9.98-2.exe

Full analysis: https://app.any.run/tasks/10dd027c-8978-460c-9210-3ef0b4b847fa
Verdict: Malicious activity
Analysis date: October 25, 2023, 18:50:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: A26D48BFD976226A026398E006B22D2C
SHA1: 4B7358AEC8DE6A3E719065FCE37DD966C92ED3D4
SHA256: D630AB0FDCA3B4F1A85AB7E453F669FDC901CB81BB57F7E20DE64C02AC9A1EEB
SSDEEP: 196608:Jh11et4MDKIFlQcaKSIZ7MVpj3IXQGk16EXdPQiTKj0JhxGnYcEaBdaXz9970DD:H1Qt4MSKhIj3J6qlQMKQHGnYNaBdez9U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 3820)
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Loads dropped or rewritten executable

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Drops the executable file immediately after the start

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Start notepad (likely ransomware note)

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Reads the Internet Settings

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
  • INFO

    • Reads the computer name

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Checks supported languages

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Creates files in the program directory

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Creates files or folders in the user directory

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Create files in a temporary directory

      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:52+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start -> kdiff3-64bit-setup_0.9.98-2.exe; notepad.exe (no specs); kdiff3-64bit-setup_0.9.98-2.exe (no specs)

Process information

PID: 1896
CMD: "C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe"
Path: C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\kdiff3-64bit-setup_0.9.98-2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll

PID: 2564
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\KDiff3\README_WIN.txt
Path: C:\Windows\System32\notepad.exe
Parent process: KDiff3-64bit-Setup_0.9.98-2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\ntdll.dll
c:\windows\system32\notepad.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

PID: 3820
CMD: "C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe"
Path: C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (Images):
c:\users\admin\appdata\local\temp\kdiff3-64bit-setup_0.9.98-2.exe
c:\windows\system32\ntdll.dll
Total events: 810
Read events: 810
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 31
Suspicious files: 62
Text files: 114
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\modern-header.bmp | image
  MD5: A91596AEFE973A8DFE1C6C58B29792BB
  SHA256: 793249178667BB55EBDF437CB4CA92589F72C2684E4C3FA81B938BB2B5E04B39
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\installForAllUsersPage.ini | text
  MD5: B49667C2B0C65D8687DE5D67F362B195
  SHA256: 49D934132B4CE8D987FB17AE563DA50A1EBE0DA3C2CD9764D2D8213AC475902A
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\LangDLL.dll | executable
  MD5: 9384F4007C492D4FA040924F31C00166
  SHA256: 60A964095AF1BE79F6A99B22212FEFE2D16F5A0AFD7E707D14394E4143E3F4F5
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\ioSpecial.ini | text
  MD5: E2D5070BC28DB1AC745613689FF86067
  SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\InstallOptions.dll | executable
  MD5: 325B008AEC81E5AAA57096F05D4212B5
  SHA256: C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\kdiff3.exe.manifest | xml
  MD5: B338AC1F2686CD2335322932DA630E2E
  SHA256: C23E29E65E73D9574E2331260B013E09B0A2C720D6FA5EF9E0650912542FA98E
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\StartMenu.dll | executable
  MD5: A4173B381625F9F12AADB4E1CDAEFDB8
  SHA256: 7755FF2707CA19344D489A5ACEC02D9E310425FA6E100D2F13025761676B875B
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\qt.conf | text
  MD5: 211F955805FFA1E8DFED5B1F66D6F32C
  SHA256: A151083A62F2EAF6BE4CAF0BB02FFE2284C4BDF2CBFAF0C5C640896D9E8B6F39
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\COPYING.txt | text
  MD5: 07962667F7EF7EB3226CAD43DAD63DA8
  SHA256: AC7CA423F7071B5509012519806522786BAADFEE800E030202D5576573F8A5B3
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\modern-wizard.bmp | image
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info