File name: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe

Full analysis: https://app.any.run/tasks/903693de-9ce1-4674-9181-2364d5c26586
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 15, 2023, 16:49:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: A8FB669B432F8CB16DC95F1902606023
SHA1: 17E23DFE7543719C1CD594BFFCBEEB83E9274D4E
SHA256: F1F6051AD1372885600952197FCE8613D84E6B385A4101C13863F38AEDAE0A1D
SSDEEP: 384:ih06LY+0L0GJKpoEQX5K9l8nKHpHX4BzEEHqwZ4mh82:s0c7NzQJGHpHXIihmb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
  • SUSPICIOUS

    • Reads the Internet Settings

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
    • Process requests binary or script from the Internet

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
  • INFO

    • Reads the computer name

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
      • AnyDesk.exe (PID: 2820)
      • AnyDesk.exe (PID: 2184)
    • Checks supported languages

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
      • AnyDesk.exe (PID: 2820)
      • AnyDesk.exe (PID: 2184)
    • Reads the machine GUID from the registry

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
    • Reads Environment values

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
    • Creates files in the program directory

      • f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe (PID: 3264)
    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 2184)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:15 23:49:33+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 14336
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x565e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: ConsoleApp5
FileVersion: 1.0.0.0
InternalName: ConsoleApp5.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: ConsoleApp5.exe
ProductName: ConsoleApp5
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report

Total processes: 41
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process tree (graph image available in the full report): start, f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe, which launches anydesk.exe (no specs) and anydesk.exe (no specs)

Process information

PID: 2184
CMD: "C:\ProgramData\AnyDesk.exe" --install C:\ProgramData\AnyDesk --start-with-win --silent
Path: C:\ProgramData\AnyDesk.exe
Parent process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 11341828
Version: 8.0.6
Modules (images):
c:\programdata\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2820
CMD: "C:\ProgramData\anydesk.exe" --set-password
Path: C:\ProgramData\AnyDesk.exe
Parent process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 9099
Version: 8.0.6
Modules (images):
c:\programdata\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3264
CMD: "C:\Users\admin\AppData\Local\Temp\f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe"
Path: C:\Users\admin\AppData\Local\Temp\f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ConsoleApp5
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 502
Read events: 494
Write events: 8
Delete events: 0

Modification events

(PID) Process: (3264) f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3264) f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3264) f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3264) f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 2820
Process: AnyDesk.exe
Filename: C:\Users\admin\AppData\Roaming\AnyDesk\ad.trace
Type: text
MD5: 783823BB202E49A426E98D2843CFA574
SHA256: 345F1974A1337770E77CBF207C7F324A821AFE75FF020E584888AA26DFB5B983

PID: 3264
Process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Filename: C:\ProgramData\AnyDesk.exe
Type: executable
MD5: 75EECC3A8B215C465F541643E9C4F484
SHA256: EC33D8EE9C3881B8FCEA18F9F862D5926D994553AEC1B65081D925AFD3E8B028
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 1
Threats: 4

HTTP requests

PID: 3264
Process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Method: GET
HTTP Code: 200
IP: 188.40.104.135:80
URL: http://download.anydesk.com/AnyDesk.exe
CN: unknown
Type: executable
Size: 5.27 Mb
Reputation: unknown

Connections

PID: 2588
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 3264
Process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
IP: 188.40.104.135:80
Domain: download.anydesk.com
ASN: Hetzner Online GmbH
CN: DE
Reputation: unknown

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

DNS requests

Domain: download.anydesk.com
IP: 188.40.104.135
Reputation: whitelisted

Threats

PID: 3264
Process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Class: Potential Corporate Privacy Violation
Message: AV POLICY HTTP request for .exe file with no User-Agent

PID: 3264
Process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Class: Misc activity
Message: ET INFO Packed Executable Download

PID: 3264
Process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 3264
Process: f1f6051ad1372885600952197fce8613d84e6b385a4101c13863f38aedae0a1d.exe
Class: Potentially Bad Traffic
Message: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info