File name: f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe

Full analysis: https://app.any.run/tasks/47faa4dd-f065-48d6-9c1c-67c1ef69b2f8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 27, 2024, 11:55:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D3F42950472326BCA3051521650155BD
SHA1: 97F81696DD2B9F0289C6A6002017007AB2A7B463
SHA256: F85BA2E1604219D15C2B7816312F0C530411416CF3789FCC0AB73D7EE6DCE36A
SSDEEP: 98304:A3pzQVJp/pkNpnna0z73ya2FoPlS95lLzpMUQpDdBLGV19VH4sJdXWIi6PPPmPBT:GOT6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Checks Windows Trust Settings

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Reads security settings of Internet Explorer

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
  • INFO

    • Creates files or folders in the user directory

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Reads the machine GUID from the registry

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Reads the computer name

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Checks proxy server information

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Disables trace logs

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Create files in a temporary directory

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Reads the software policy settings

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
    • Checks supported languages

      • f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (PID: 6436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:11 10:15:09+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1129984
InitializedDataSize: 2402816
UninitializedDataSize: -
EntryPoint: 0xd98e4
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe -> f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe (no specs)

Process information

PID 1184
  CMD: "C:\Users\admin\Desktop\f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe"
  Path: C:\Users\admin\Desktop\f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe
  Indicators: none listed
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; consistent with the second instance below running at HIGH integrity)
  Modules (images):
    c:\users\admin\desktop\f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 6436
  CMD: "C:\Users\admin\Desktop\f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe"
  Path: C:\Users\admin\Desktop\f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe
  Indicators: none listed
  Parent process: explorer.exe
  User: admin
  Integrity level: HIGH
  Modules (images):
    c:\users\admin\desktop\f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

Total events: 4 167
Read events: 4 152
Write events: 15
Delete events: 0

Modification events

All entries below are registry writes (operation: write) by PID 6436, f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe.

HKEY_CURRENT_USER\SOFTWARE\lden
  pcmac = ab4f691c61c6e017c718b6b3d2e4b71e

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (no value shown)
  ConsoleTracingMask = (no value shown)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
  EnableFileTracing = 0
  EnableAutoFileTracing = 0

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 6436, f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Setup\ds.dll
  Type: executable
  MD5: F45A92ABA92BE451667F7771EDECDD32
  SHA256: 22E95EB59A7CB402FADC1783C7F3C613AA18EBD09480E30F4A6557DF8D066B26

HTTP(S) requests: 24
TCP/UDP connections: 41
DNS requests: 11
Threats: 17

HTTP requests

Columns: PID / Process | Method, HTTP code | IP | URL | CN | Type, Size | Reputation. A dash marks a field the report leaves empty.

- / - | GET, - | 163.181.92.230:443 | https://res.ldrescdn.com/player_files/en/leidian | unknown | - | unknown
7108 / svchost.exe | GET, 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | whitelisted
2120 / MoUsoCoreWorker.exe | GET, 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | whitelisted
- / - | GET, - | 163.181.92.233:443 | https://res.ldrescdn.com/download/package/LDPlayer9.0.exe | unknown | - | unknown
- / - | POST, 204 | 172.217.18.14:443 | https://www.google-analytics.com/mp/collect?measurement_id=G-QZ5MJDY2B8&api_secret=ff3gG5UWT6aG4JetBAw8oQ | unknown | - | whitelisted
- / - | GET, - | 163.181.92.231:443 | https://res.ldrescdn.com/download/package/LDPlayer9.0.exe | unknown | - | unknown
- / - | GET, 200 | 18.245.62.20:443 | https://d1odpp2eg70dto.cloudfront.net/assets/schema/1.0/schema.xsd | unknown | xml, 18.6 Kb | whitelisted
- / - | POST, 204 | 172.217.18.14:443 | https://www.google-analytics.com/mp/collect?measurement_id=G-QZ5MJDY2B8&api_secret=ff3gG5UWT6aG4JetBAw8oQ | unknown | - | whitelisted
- / - | POST, 200 | 8.219.48.146:443 | https://middledata.ldplayer.net/collection/biz/upload | unknown | - | unknown
- / - | POST, 200 | 18.245.86.79:443 | https://api.playanext.com/httpapi | unknown | - | whitelisted

Connections

Columns: PID / Process | IP | Domain | ASN | CN | Reputation. A dash marks a field the report leaves empty.

4 / System | 192.168.100.255:137 | - | - | - | whitelisted
7108 / svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 / MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- / - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 / svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 / System | 192.168.100.255:138 | - | - | - | whitelisted
6436 / f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe | 163.181.92.229:443 | res.ldrescdn.com | Zhejiang Taobao Network Co.,Ltd | DE | unknown
6436 / f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a.exe | 142.250.185.142:443 | www.google-analytics.com | GOOGLE | US | whitelisted
2120 / MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7108 / svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
res.ldrescdn.com
  • 163.181.92.229
  • 163.181.92.233
  • 163.181.92.234
  • 163.181.92.231
  • 163.181.92.232
  • 163.181.92.235
  • 163.181.92.228
  • 163.181.92.230
unknown
www.google-analytics.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
dagswotxcmrj6.cloudfront.net
  • 13.33.216.223
  • 13.33.216.40
  • 13.33.216.208
  • 13.33.216.185
whitelisted
d1odpp2eg70dto.cloudfront.net
  • 18.245.62.20
  • 18.245.62.87
  • 18.245.62.49
  • 18.245.62.123
whitelisted
api.playanext.com
  • 18.245.86.105
  • 18.245.86.26
  • 18.245.86.84
  • 18.245.86.79
whitelisted
middledata.ldplayer.net
  • 8.219.136.97
  • 8.219.4.49
  • 8.219.48.146
unknown

Threats

Columns: Class | Message. PID and process are not shown for these alerts in this view.

Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity | ET INFO EXE - Served Attached HTTP
Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method (5 alerts)

9 ETPRO signatures available at the full report
No debug info