download:

dotnetfx.exe

Full analysis: https://app.any.run/tasks/f7e4c338-c466-4538-8714-fe616311f9fe
Verdict: Suspicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 04, 2019, 15:59:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

926EA5374135F3833959804CCEEEE69E

SHA1:

6EA6B2F56DDE4C7414D676C726DBB36CF5AD00CC

SHA256:

4DDEA8C750DFABEC113E255B4BFA97ADD5818CF18E6232E75BBA3A196D3B21D8

SSDEEP:

3072:u1Ile6TsC81qprFCcJ6g+5XxJX8lxlmXGPnHTOAj2qYmZ2UdlN/qkhQ/mHlRJfoF:n/Tst1sQ0+X8TlmOHTOAjZ1ThNrIp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dotnetfx.exe (PID: 2484)
      • 1033dotnetredist.exe (PID: 3484)

    • Changes settings of System certificates

      • dotnetfx.exe (PID: 3112)

    • Downloads executable files from the Internet

      • dotnetfx.exe (PID: 3112)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dotnetfx.exe (PID: 3112)
      • 1033dotnetredist.exe (PID: 3484)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:12:16 23:37:19+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 196608
InitializedDataSize: 200704
UninitializedDataSize: -
EntryPoint: 0x25c17
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Dec-2004 22:37:19
Detected languages:
  • Chinese - PRC
  • Chinese - Taiwan
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United States
  • Finnish - Finland
  • French - France
  • German - Germany
  • Greek - Greece
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Norwegian - Norway (Bokmal)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Russian - Russia
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Turkish - Turkey

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 16-Dec-2004 22:37:19
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0002FB26
0x00030000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.56264
.rdata
0x00031000
0x00004E00
0x00005000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.66391
.data
0x00036000
0x00006100
0x00005000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.23908
.rsrc
0x0003D000
0x00024B28
0x00025000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.04603

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.12221
280
UNKNOWN
Spanish - Spain (International sort)
RT_STRING
2
3.44886
1384
UNKNOWN
English - United States
RT_ICON
3
3.91708
744
UNKNOWN
English - United States
RT_ICON
4
3.78674
2216
UNKNOWN
English - United States
RT_ICON
69
1.63436
58
UNKNOWN
Spanish - Spain (International sort)
RT_STRING
72
2.38262
116
UNKNOWN
Spanish - Spain (International sort)
RT_STRING
73
2.25737
98
UNKNOWN
Spanish - Spain (International sort)
RT_STRING
101
2.82108
214
UNKNOWN
Spanish - Spain (International sort)
RT_STRING
102
3.11201
272
UNKNOWN
Spanish - Spain (International sort)
RT_STRING
103
3.54012
1580
UNKNOWN
Spanish - Spain (International sort)
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
OLEPRO32.DLL
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start dotnetfx.exe 1033dotnetredist.exe dotnetfx.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2484"C:\Users\admin\AppData\Local\Temp\ISF68C.tmp\dotnetfx.exe" C:\Users\admin\AppData\Local\Temp\ISF68C.tmp\dotnetfx.exedotnetfx.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
IExpress Setup
Exit code:
3221226540
Version:
1.0.3705.0
Modules
Images
c:\users\admin\appdata\local\temp\isf68c.tmp\dotnetfx.exe
c:\systemroot\system32\ntdll.dll
3112"C:\Users\admin\AppData\Local\Temp\dotnetfx.exe" C:\Users\admin\AppData\Local\Temp\dotnetfx.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1155
Modules
Images
c:\users\admin\appdata\local\temp\dotnetfx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3484"C:\Users\admin\AppData\Local\Temp\ISE812.tmp\1033dotnetredist.exe" /T:"C:\Users\admin\AppData\Local\Temp\ISF68C.tmp" /C /QC:\Users\admin\AppData\Local\Temp\ISE812.tmp\1033dotnetredist.exe
dotnetfx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
4.71.1015.0
Modules
Images
c:\users\admin\appdata\local\temp\ise812.tmp\1033dotnetredist.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
57
Read events
26
Write events
30
Delete events
1

Modification events

(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3112) dotnetfx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dotnetfx_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
5
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3112dotnetfx.exeC:\Users\admin\AppData\Local\Temp\ISF283.tmpbinary
MD5:
SHA256:
3112dotnetfx.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\dotnetredist[1].exeexecutable
MD5:E45CF233A672EDEF5C1D978A3722EE61
SHA256:47EF88FF28E70C63E4D8CE7CA8B2316DDCC64329D0AB9F8F3B979519F91DF456
3112dotnetfx.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\NDP1.0sp3-KB867461-X86-Enu[1].exeexecutable
MD5:
SHA256:
3112dotnetfx.exeC:\Users\admin\AppData\Local\Temp\ISF66C.tmpbinary
MD5:
SHA256:
3112dotnetfx.exeC:\Users\admin\AppData\Local\Temp\ISE812.tmp\1033dotnetredistSp3.exeexecutable
MD5:
SHA256:
34841033dotnetredist.exeC:\Users\admin\AppData\Local\Temp\ISF68C.tmp\dotnetfx.exeexecutable
MD5:023EF925A76F33F990DE1EA832D11324
SHA256:C90051404D9723F7CDB73FAA7713AE7E7EF1B72EB49EEE25CF1E2AD4A1788DE9
3112dotnetfx.exeC:\Users\admin\AppData\Local\Temp\ISE812.tmp\1033dotnetredist.exeexecutable
MD5:E45CF233A672EDEF5C1D978A3722EE61
SHA256:47EF88FF28E70C63E4D8CE7CA8B2316DDCC64329D0AB9F8F3B979519F91DF456
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3112
dotnetfx.exe
GET
200
2.18.233.19:80
http://download.microsoft.com/download/d/b/0/db03c2e9-f8d6-41e4-b389-3027c48dcb33/NDP1.0sp3-KB867461-X86-Enu.exe
unknown
executable
9.64 Mb
whitelisted
3112
dotnetfx.exe
GET
200
2.18.233.19:80
http://download.microsoft.com/download/e/b/2/eb247c2a-e6b3-4694-98a2-b27111d233dd/dotnetredist.exe
unknown
executable
19.7 Mb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3112
dotnetfx.exe
2.18.233.19:80
download.microsoft.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
download.microsoft.com
  • 2.18.233.19
whitelisted

Threats

PID
Process
Class
Message
3112
dotnetfx.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3112
dotnetfx.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dotnetfx.exe