File name:

KDiff3-64bit-Setup_0.9.98-2.exe

Full analysis: https://app.any.run/tasks/10dd027c-8978-460c-9210-3ef0b4b847fa
Verdict: Malicious activity
Analysis date: October 25, 2023, 18:50:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

A26D48BFD976226A026398E006B22D2C

SHA1:

4B7358AEC8DE6A3E719065FCE37DD966C92ED3D4

SHA256:

D630AB0FDCA3B4F1A85AB7E453F669FDC901CB81BB57F7E20DE64C02AC9A1EEB

SSDEEP:

196608:Jh11et4MDKIFlQcaKSIZ7MVpj3IXQGk16EXdPQiTKj0JhxGnYcEaBdaXz9970DD:H1Qt4MSKhIj3J6qlQMKQHGnYNaBdez9U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 3820)
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Drops the executable file immediately after the start
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Loads dropped or rewritten executable
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
  • SUSPICIOUS
    • Malware-specific behavior (creating "System.dll" in Temp)
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • The process creates files with names similar to system file names
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Reads the Internet Settings
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Starts notepad (likely ransomware note)
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
  • INFO
    • Creates files in the program directory
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Checks supported languages
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Reads the computer name
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Creates files in a temporary directory
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
    • Creates files or folders in the user directory
      • KDiff3-64bit-Setup_0.9.98-2.exe (PID: 1896)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:52+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start -> kdiff3-64bit-setup_0.9.98-2.exe -> notepad.exe (no specs); kdiff3-64bit-setup_0.9.98-2.exe (no specs)

Process information

PID:
1896
CMD:
"C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\kdiff3-64bit-setup_0.9.98-2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
PID:
2564
CMD:
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\KDiff3\README_WIN.txt
Path:
C:\Windows\System32\notepad.exe
Parent process:
KDiff3-64bit-Setup_0.9.98-2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\notepad.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID:
3820
CMD:
"C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\KDiff3-64bit-Setup_0.9.98-2.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules
Images
c:\users\admin\appdata\local\temp\kdiff3-64bit-setup_0.9.98-2.exe
c:\windows\system32\ntdll.dll
Total events: 810
Read events: 810
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 31
Suspicious files: 62
Text files: 114
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\kdiff3.exe.manifest | xml
MD5:B338AC1F2686CD2335322932DA630E2E
SHA256:C23E29E65E73D9574E2331260B013E09B0A2C720D6FA5EF9E0650912542FA98E
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\InstallOptions.dll | executable
MD5:325B008AEC81E5AAA57096F05D4212B5
SHA256:C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\modern-header.bmp | image
MD5:A91596AEFE973A8DFE1C6C58B29792BB
SHA256:793249178667BB55EBDF437CB4CA92589F72C2684E4C3FA81B938BB2B5E04B39
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\kdiff3.exe | executable
MD5:DAFFCA45191A993DF74FA3AA3E73FC28
SHA256:CF848D6BFD46909AE119F0036D298AD3C7CDE58B1F6DAF35190E16032B17FA44
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\README_WIN.txt | text
MD5:FC342EF4D2DDB181F3D915448800DC20
SHA256:EE132BD0AC4DA2668A52233019CE257A775AC14F19D8E0D13869C2EA1DFA833E
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\qt.conf | text
MD5:211F955805FFA1E8DFED5B1F66D6F32C
SHA256:A151083A62F2EAF6BE4CAF0BB02FFE2284C4BDF2CBFAF0C5C640896D9E8B6F39
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\bin\Qt5Gui.dll | executable
MD5:6EC056D07756158BEC2E2CBDE0C31DF1
SHA256:6C5C932DF7DE5B017BE8A277762155F3704FD7F2D2F7775DFD1485DA632B0AF6
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\COPYING.txt | text
MD5:07962667F7EF7EB3226CAD43DAD63DA8
SHA256:AC7CA423F7071B5509012519806522786BAADFEE800E030202D5576573F8A5B3
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Program Files\KDiff3\ChangeLog.txt | text
MD5:04026C8F61790DD9B1EF34C415279287
SHA256:AE011B9259D3FE1161F75E777667CA65DED53F2325B48AC17CCD6589DFE8870B
1896 | KDiff3-64bit-Setup_0.9.98-2.exe | C:\Users\admin\AppData\Local\Temp\nsfCC86.tmp\modern-wizard.bmp | image
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info