File name: HopToDesk.exe

Full analysis: https://app.any.run/tasks/e7118407-1868-447d-baf8-62752d47d7f7
Verdict: Malicious activity
Analysis date: February 06, 2024, 20:47:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: E7F8E468320521203FA50B202F5925E4
SHA1: 7120E4F990E99E89840482F32501BE69168A485E
SHA256: B85D91231F81820547DF65A29074CB209D20EDEA8ADC74A51C1DF48E6F71E8EE
SSDEEP: 98304:E0+iMn8ssVIER4T5BQbPHAg+bsx37kDSq9TYIPOjAUzBXeXPc+89ACadiROBeiGN:pVIUje2kosAW/Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • HopToDesk.exe (PID: 1652)
  • SUSPICIOUS

    • Reads the Internet Settings

      • HopToDesk.exe (PID: 1652)
      • HopToDesk.exe (PID: 3136)
    • Suspicious use of NETSH.EXE

      • HopToDesk.exe (PID: 1652)
    • Application launched itself

      • HopToDesk.exe (PID: 1652)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • HopToDesk.exe (PID: 3136)
    • Executable content was dropped or overwritten

      • HopToDesk.exe (PID: 1652)
    • Starts CMD.EXE for commands execution

      • HopToDesk.exe (PID: 1652)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3584)
    • Reads settings of System Certificates

      • HopToDesk.exe (PID: 1652)
    • Connects to unusual port

      • HopToDesk.exe (PID: 1652)
  • INFO

    • Checks supported languages

      • HopToDesk.exe (PID: 1652)
      • HopToDesk.exe (PID: 3136)
    • Reads the computer name

      • HopToDesk.exe (PID: 1652)
      • HopToDesk.exe (PID: 3136)
    • Create files in a temporary directory

      • HopToDesk.exe (PID: 1652)
    • Checks proxy server information

      • HopToDesk.exe (PID: 1652)
    • Creates files or folders in the user directory

      • HopToDesk.exe (PID: 1652)
    • Reads the machine GUID from the registry

      • HopToDesk.exe (PID: 1652)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:24 20:05:04+01:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.36
CodeSize: 7585792
InitializedDataSize: 24576
UninitializedDataSize: 12148736
EntryPoint: 0x12d2130
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.41.5.0
ProductVersionNumber: 1.41.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
LegalCopyright: Copyright © 2024 Begonia Holdings. Copyright © 2023 Purslane, Inc.
FileDescription: HopToDesk
FileVersion: 1.41.5
ProductVersion: 1.41.5
ProductName: HopToDesk
CompanyName: Begonia Holdings
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process tree; parents taken from the process information and signature attributions below):

explorer.exe
  HopToDesk.exe (PID 1652, MEDIUM)
    netsh.exe (PID 1632) advfirewall firewall show rule name= HopToDesk verbose
    HopToDesk.exe --fw (PID 3136, HIGH)
      netsh.exe (PID 2776, HIGH) advfirewall firewall add rule name="HopToDesk" dir=in action=allow program=<Temp path> enable=yes
    cmd.exe (PID 3584) /c "taskkill /F /IM RuntimeBroker_hoptodesk.exe"
      taskkill.exe (PID 2612)

Process information

PID 1632  netsh.exe
  CMD: "netsh" advfirewall firewall show rule name= HopToDesk verbose
  Path: C:\Windows\System32\netsh.exe
  Parent process: HopToDesk.exe (PID 1652)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Network Command Shell
  Exit code: 1 (netsh returns 1 when no rule matches the criteria; the HopToDesk rule did not exist yet)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images loaded):
    c:\windows\system32\netsh.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\credui.dll
    c:\windows\system32\user32.dll

PID 1652  HopToDesk.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\HopToDesk.exe"
  Path: C:\Users\admin\AppData\Local\Temp\HopToDesk.exe
  Parent process: explorer.exe
  User: admin
  Company: Begonia Holdings
  Integrity Level: MEDIUM
  Description: HopToDesk
  Exit code: 0
  Version: 1.41.5
  Modules (images loaded):
    c:\users\admin\appdata\local\temp\hoptodesk.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
    c:\windows\system32\ucrtbase.dll

PID 2612  taskkill.exe
  CMD: taskkill /F /IM RuntimeBroker_hoptodesk.exe
  Path: C:\Windows\System32\taskkill.exe
  Parent process: cmd.exe (PID 3584)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Terminates Processes
  Exit code: 128 (taskkill's exit code when no running process matches the /IM name; no RuntimeBroker_hoptodesk.exe was running)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images loaded):
    c:\windows\system32\taskkill.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\version.dll
    c:\windows\system32\user32.dll

PID 2776  netsh.exe
  CMD: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="HopToDesk" dir=in action=allow program="C:\Users\admin\AppData\Local\Temp\HopToDesk.exe" enable=yes
  Path: C:\Windows\System32\netsh.exe
  Parent process: HopToDesk.exe (PID 3136, the elevated --fw instance)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Network Command Shell
  Exit code: 0 (rule added; note that the allowed program path is the user's Temp directory, so the exception applies to whatever later sits at that path)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images loaded):
    c:\windows\system32\netsh.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\credui.dll
    c:\windows\system32\user32.dll

PID 3136  HopToDesk.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\HopToDesk.exe" --fw
  Path: C:\Users\admin\AppData\Local\Temp\HopToDesk.exe
  Parent process: HopToDesk.exe (PID 1652)
  User: admin
  Company: Begonia Holdings
  Integrity Level: HIGH (the MEDIUM-integrity parent relaunched its own image elevated to run the firewall step)
  Description: HopToDesk
  Exit code: 3221225547 (0xC000004B, NTSTATUS STATUS_THREAD_IS_TERMINATING)
  Version: 1.41.5
  Modules (images loaded):
    c:\users\admin\appdata\local\temp\hoptodesk.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
    c:\windows\system32\ucrtbase.dll

PID 3584  cmd.exe
  CMD: "cmd" /c "taskkill /F /IM RuntimeBroker_hoptodesk.exe"
  Path: C:\Windows\System32\cmd.exe
  Parent process: HopToDesk.exe (PID 1652)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 128 (propagated from taskkill, PID 2612)
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Modules (images loaded):
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\winbrand.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
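Reading the chain above as a triage rule rather than as a pile of per-signature verdicts: the MALICIOUS-level hit is a dropped executable (sciter.dll, the Sciter UI engine, written to Temp), and every other hit is behaviour a self-installing remote-access tool shows by design: probe for its own firewall rule, relaunch at HIGH integrity with --fw, add an inbound allow rule, kill a previous helper process. What makes the chain worth a second look is the combination: the allow rule is bound to a binary in the user's Temp directory (anything later written to that path inherits the exception), and it is created by the binary relaunching its own image elevated. The Python below is an added example, not ANY.RUN or HopToDesk code. It encodes those three checks and runs them over events constructed from the process table (explorer.exe's PID is not in the report, so 9999 is a placeholder), plus a constructed contrast event in which the same rule targets a copy under Program Files and fires nothing.

```python
"""Behavioural triage of the process chain in this report.

Added example, not ANY.RUN code. The events are constructed from the
report's process table; the report does not list explorer.exe's PID, so
9999 is a placeholder for the parent of the first HopToDesk.exe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    integrity: str  # LOW / MEDIUM / HIGH / SYSTEM


INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Locations a standard user can write to. A firewall exception bound to a
# binary here keeps working for whatever later lands at that path.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\|\\ProgramData\\|\\Temp\\", re.I
)
FW_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule", re.I)
PROGRAM_ARG = re.compile(r'program=(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
TASKKILL_FORCE = re.compile(r"taskkill(?:\.exe)?\s+.*?/F\b", re.I)


def firewall_program_path(cmdline: str) -> Optional[str]:
    """program= path of a 'netsh advfirewall firewall add rule' command, else None."""
    if not FW_ADD_RULE.search(cmdline):
        return None
    m = PROGRAM_ARG.search(cmdline)
    return (m.group("q") or m.group("u")) if m else None


def triage(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """(finding, pid, detail) for each of the three behaviours the report flags."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # 1. inbound allow rule whose target binary lives where any user can write
        path = firewall_program_path(e.cmdline)
        if path and USER_WRITABLE.search(path):
            findings.append(("fw_allow_rule_for_user_writable_program", e.pid, path))
        # 2. same image relaunched by itself at a higher integrity level
        if (parent is not None and parent.image.lower() == e.image.lower()
                and INTEGRITY_RANK.get(e.integrity, 0) > INTEGRITY_RANK.get(parent.integrity, 0)):
            findings.append(("self_relaunch_at_higher_integrity", e.pid, e.cmdline))
        # 3. forced process kill routed through cmd.exe /c
        if (parent is not None and parent.image.lower().endswith("\\cmd.exe")
                and TASKKILL_FORCE.search(e.cmdline)):
            findings.append(("forced_taskkill_via_cmd", e.pid, e.cmdline))
    return findings


TEMP_EXE = r"C:\Users\admin\AppData\Local\Temp\HopToDesk.exe"

# Constructed from the report's process table (PIDs, command lines, integrity levels).
REPORT_EVENTS = [
    ProcEvent(1652, 9999, TEMP_EXE, f'"{TEMP_EXE}"', "MEDIUM"),
    ProcEvent(1632, 1652, r"C:\Windows\System32\netsh.exe",
              '"netsh" advfirewall firewall show rule name= HopToDesk verbose', "MEDIUM"),
    ProcEvent(3136, 1652, TEMP_EXE, f'"{TEMP_EXE}" --fw', "HIGH"),
    ProcEvent(2776, 3136, r"C:\Windows\System32\netsh.exe",
              '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule name="HopToDesk" '
              f'dir=in action=allow program="{TEMP_EXE}" enable=yes', "HIGH"),
    ProcEvent(3584, 1652, r"C:\Windows\System32\cmd.exe",
              '"cmd" /c "taskkill /F /IM RuntimeBroker_hoptodesk.exe"', "MEDIUM"),
    ProcEvent(2612, 3584, r"C:\Windows\System32\taskkill.exe",
              "taskkill /F /IM RuntimeBroker_hoptodesk.exe", "MEDIUM"),
]

# Constructed contrast (not from the report): the same rule for a copy installed
# under Program Files by an already-elevated installer trips none of the checks.
INSTALLED_EVENTS = [
    ProcEvent(4100, 4000, r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name="HopToDesk" dir=in action=allow '
              r'program="C:\Program Files\HopToDesk\HopToDesk.exe" enable=yes', "HIGH"),
]

if __name__ == "__main__":
    for kind, pid, detail in triage(REPORT_EVENTS):
        print(f"{kind:40} pid={pid} {detail}")
```

The three checks are deliberately separate so each can be scored on its own: the self-relaunch and the cmd-routed taskkill are weak signals on their own, while an allow rule for a Temp-resident binary is the one worth an alert regardless of what the binary calls itself.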
Total events: 5,731
Read events: 5,600
Write events: 128
Delete events: 3

Modification events

PID 1632  netsh.exe      write  HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E  LanguageList = en-US
PID 1652  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  ProxyBypass = 1
PID 1652  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  IntranetName = 1
PID 1652  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  UNCAsIntranet = 1
PID 1652  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  AutoDetect = 0
PID 3136  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  ProxyBypass = 1
PID 3136  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  IntranetName = 1
PID 3136  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  UNCAsIntranet = 1
PID 3136  HopToDesk.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  AutoDetect = 0
PID 2776  netsh.exe      write  HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E  LanguageList = en-US

The four ZoneMap values are written when a process first initialises the Internet Explorer zone manager (WinINet/urlmon); they show up for most software that touches that stack and are the source of the "Reads the Internet Settings" signature, not a proxy or zone setting the program chose. The MuiCache entries are written by the system when netsh's resource strings are loaded.
Executable files: 1
Suspicious files: 0
Text files: 12
Unknown types: 0

Dropped files

All files dropped by PID 1652, HopToDesk.exe:

C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk2.toml  (text)
  MD5: FE2899FA46EC2100D53AFB75CDCF74CB
  SHA256: 3F282AD8CDD1D5CA74F145833AAB4A5D93637539F93600C313C35A84ECFA464B
C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk2.1652_ThreadId(1)_1707252432585375000  (text; identical hashes to HopToDesk2.toml)
  MD5: FE2899FA46EC2100D53AFB75CDCF74CB
  SHA256: 3F282AD8CDD1D5CA74F145833AAB4A5D93637539F93600C313C35A84ECFA464B
C:\Users\admin\AppData\Local\Temp\sciter.dll  (executable; the only executable dropped, and the file behind the MALICIOUS-level "Drops the executable file" signature. Sciter is an embeddable HTML/CSS UI engine.)
  MD5: FC2311CA280C197F5ED16DEF6D464B6B
  SHA256: 285F3E6A051A7C61845CD7E4D2120781B6BDF411239F70A85C65B38A52D38F28
C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.1652_ThreadId(16)_1707252432819750000  (text; identical hashes to HopToDesk.toml)
  MD5: E3C5C2F9E1451E390A1407B97CC92F8B
  SHA256: 4E16E5EEFF20CBE6B71669DB12D66590F88A66B8D811B271A96AB716B065DB00
C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk2.1652_ThreadId(17)_1707252433179125000  (text)
  MD5: AC400F8EB63C7E58C1C4FC99250DF313
  SHA256: 4850CA145D2ABDEF233C16E1BD5A507EB4A2EE1A5E4AF9ECE028BF0ABE28DA29
C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.1652_ThreadId(18)_1707252433726000000  (text)
  MD5: E255A7DD758226C4F85CD891A0F89CE1
  SHA256: 2C7E843DD69C032F00F597C5891704C4428327188E4EA263120D9250BC1DA690
C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.toml  (text)
  MD5: E3C5C2F9E1451E390A1407B97CC92F8B
  SHA256: 4E16E5EEFF20CBE6B71669DB12D66590F88A66B8D811B271A96AB716B065DB00
C:\Users\admin\AppData\Roaming\HopToDesk\config\HopToDesk.1652_ThreadId(17)_1707252433179125000  (text)
  MD5: B3C519BCEB03775A222B250477B2822E
  SHA256: B04CBA8240B5D1C402B65F776CB40F4EE8FC1D687DD730C0E1305EE970A75D69

The ThreadId-suffixed names are successive versions of the two config files written while the program started; the final HopToDesk.toml and HopToDesk2.toml are what persists under %APPDATA%\HopToDesk\config on a host, and are the artifact to collect when checking whether this tool was installed.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 14
DNS requests: 3
Threats: 1

HTTP requests

PID: 1652
Process: HopToDesk.exe
Method: GET
HTTP code: 101 (Switching Protocols: the server accepted a WebSocket upgrade; this is the request the Threats entry below refers to)
IP: 45.77.249.125:80
URL: http://signal.hoptodesk.com:80/?user=379658196
CN / Reputation: unknown, unknown (Type and Size not reported)

Connections

PID   Process        Remote address         Domain                ASN               CN  Reputation
4     System         192.168.100.255:138    -                     -                 -   whitelisted
4     System         192.168.100.255:137    -                     -                 -   whitelisted
1080  svchost.exe    224.0.0.252:5355       -                     -                 -   unknown
1652  HopToDesk.exe  188.114.97.3:443       api.hoptodesk.com     CLOUDFLARENET     NL  unknown
1652  HopToDesk.exe  81.181.108.49:3478     -                     M247 Ltd          GB  unknown
1652  HopToDesk.exe  139.99.170.75:3478     -                     OVH SAS           AU  unknown
1652  HopToDesk.exe  81.181.108.236:3478    -                     M247 Ltd          GB  unknown
1652  HopToDesk.exe  107.174.93.216:3478    -                     AS-COLOCROSSING   US  unknown
1652  HopToDesk.exe  165.227.228.229:443    turn.hoptodesk.com    DIGITALOCEAN-ASN  GB  unknown
1652  HopToDesk.exe  45.77.249.125:80       signal.hoptodesk.com  AS-CHOOPA         SG  unknown

The System and svchost.exe rows are the guest's own NetBIOS name-service and datagram broadcasts (UDP 137/138) and LLMNR multicast (224.0.0.252:5355), not traffic caused by the sample. Port 3478 is the IANA-registered STUN/TURN port; four STUN/TURN peers on four different networks plus a TURN host and a WebSocket signalling server is the "Connects to unusual port" signature, and is the normal connection shape for NAT traversal in WebRTC-style remote-access tools.

DNS requests

Domain                IP(s)                        Reputation
api.hoptodesk.com     188.114.97.3, 188.114.96.3   unknown
turn.hoptodesk.com    165.227.228.229              unknown
signal.hoptodesk.com  45.77.249.125                unknown

Threats

PID   Process        Class                                  Message
1652  HopToDesk.exe  Potential Corporate Privacy Violation  POLICY [ANY.RUN] Websocket update request to external network
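The one "threat" is a policy rule on the WebSocket upgrade (the HTTP 101 to signal.hoptodesk.com), not an exploit or malware signature. For triage it is more useful to correlate the network table as a whole: one process that completes a WebSocket upgrade to a signalling host and also talks to several STUN/TURN peers on port 3478 is the shape of a WebRTC-style remote-control session. The Python below is an added example, not ANY.RUN code; the records are constructed from the Connections and HTTP tables above, port 3478 is the IANA STUN/TURN port, and the two-peer threshold is an assumption. It also pulls the user= query value out of the signalling URL, the only per-session value in the request, so it can be kept as a pivot key.

```python
"""Correlate the report's network table into a NAT-traversal rendezvous pattern.

Added example, not ANY.RUN code. Records are constructed from the
Connections and HTTP tables of the report; the peer threshold is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

STUN_TURN_PORT = 3478           # IANA-registered STUN/TURN port
HTTP_SWITCHING_PROTOCOLS = 101  # status returned when a WebSocket upgrade is accepted


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    ip: str
    port: int
    domain: Optional[str] = None


@dataclass(frozen=True)
class HttpReq:
    pid: int
    method: str
    status: int
    url: str


def rendezvous_pattern(conns: List[Conn], reqs: List[HttpReq],
                       min_stun_peers: int = 2) -> Dict[int, dict]:
    """Per PID: distinct STUN/TURN peers, WebSocket upgrade hosts, any user= ids,
    and whether both traversal and signalling are present."""
    peers: Dict[int, set] = defaultdict(set)
    upgrades: Dict[int, List[str]] = defaultdict(list)
    client_ids: Dict[int, List[str]] = defaultdict(list)
    for c in conns:
        if c.port == STUN_TURN_PORT:
            peers[c.pid].add(c.ip)
    for r in reqs:
        if r.status == HTTP_SWITCHING_PROTOCOLS:
            parts = urlsplit(r.url)
            upgrades[r.pid].append(parts.hostname or "")
            # the only per-session value in the signalling request; keep it as a pivot key
            client_ids[r.pid].extend(parse_qs(parts.query).get("user", []))
    out: Dict[int, dict] = {}
    for pid in set(peers) | set(upgrades):
        n = len(peers[pid])
        out[pid] = {
            "stun_peers": n,
            "websocket_upgrades": upgrades[pid],
            "client_ids": client_ids[pid],
            "pattern": n >= min_stun_peers and bool(upgrades[pid]),
        }
    return out


# Constructed from the report's Connections table.
CONNECTIONS = [
    Conn(4, "System", "192.168.100.255", 138),
    Conn(4, "System", "192.168.100.255", 137),
    Conn(1080, "svchost.exe", "224.0.0.252", 5355),
    Conn(1652, "HopToDesk.exe", "188.114.97.3", 443, "api.hoptodesk.com"),
    Conn(1652, "HopToDesk.exe", "81.181.108.49", 3478),
    Conn(1652, "HopToDesk.exe", "139.99.170.75", 3478),
    Conn(1652, "HopToDesk.exe", "81.181.108.236", 3478),
    Conn(1652, "HopToDesk.exe", "107.174.93.216", 3478),
    Conn(1652, "HopToDesk.exe", "165.227.228.229", 443, "turn.hoptodesk.com"),
    Conn(1652, "HopToDesk.exe", "45.77.249.125", 80, "signal.hoptodesk.com"),
]

# Constructed from the report's HTTP requests table.
HTTP_REQUESTS = [
    HttpReq(1652, "GET", 101, "http://signal.hoptodesk.com:80/?user=379658196"),
]

if __name__ == "__main__":
    for pid, summary in rendezvous_pattern(CONNECTIONS, HTTP_REQUESTS).items():
        print(pid, summary)
```

Browsers, VoIP clients and other WebRTC applications produce the same shape, so the result is a triage signal to pair with the process context above (an unsigned-by-the-OS binary running from Temp that wrote its own firewall rule), not a verdict on its own.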
No debug info