Windows Analysis Report
AnyDesk.exe

Overview

General Information

Sample Name: AnyDesk.exe
Analysis ID: 1271446
MD5: e546506082b374a0869bdd97b313fe5d
SHA1: 082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256: fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses 32bit PE files
Tries to disable installed Antivirus / HIPS / PFW
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file does not import any functions
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

  • System is w7x64
  • AnyDesk.exe (PID: 3160 cmdline: C:\Users\user\Desktop\AnyDesk.exe MD5: E546506082B374A0869BDD97B313FE5D)
    • AnyDesk.exe (PID: 3240 cmdline: "C:\Users\user\Desktop\AnyDesk.exe" --local-service MD5: E546506082B374A0869BDD97B313FE5D)
    • AnyDesk.exe (PID: 3252 cmdline: "C:\Users\user\Desktop\AnyDesk.exe" --local-control MD5: E546506082B374A0869BDD97B313FE5D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: AnyDesk.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 185.229.191.39:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.229.191.39:443 -> 192.168.2.22:49186 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 57.128.101.74:443 -> 192.168.2.22:49189 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 57.128.101.75:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 92.223.88.41:443 -> 192.168.2.22:49195 version: TLS 1.2
Source: AnyDesk.exe; Static PE information: certificate valid
Source: AnyDesk.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe, 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000002.1389052190.00000000014EA000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1389419049.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb source: AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Joe Sandbox View; JA3 fingerprint: c91bde19008eefabce276152ccd51457
Source: Joe Sandbox View; IP Address: 92.223.88.41
Source: global traffic; TCP traffic: 192.168.2.22:49184 -> 185.229.191.39:6568
Source: global traffic; TCP traffic: 192.168.2.22:49191 -> 185.229.191.41:6568
Source: global traffic; TCP traffic: 192.168.2.22:49194 -> 92.223.88.41:6568
Source: global traffic; TCP traffic: 192.168.2.22:49197 -> 57.128.101.74:6568
Source: unknown; Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown; Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown; Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown; Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknownDNS traffic detected: queries for: boot.net.anydesk.com
Source: unknownHTTPS traffic detected: 185.229.191.39:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.229.191.39:443 -> 192.168.2.22:49186 version: TLS 1.2
Source: unknownHTTPS traffic detected: 57.128.101.74:443 -> 192.168.2.22:49189 version: TLS 1.2
Source: unknownHTTPS traffic detected: 57.128.101.75:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknownHTTPS traffic detected: 92.223.88.41:443 -> 192.168.2.22:49195 version: TLS 1.2
Source: AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: DirectDrawCreateEx
Source: C:\Users\user\Desktop\AnyDesk.exeWindow created: window name: CLIPBRDWNDCLASS
Source: AnyDesk.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: AnyDesk.exeStatic PE information: No import functions for PE file found
Source: AnyDesk.exe, 00000001.00000002.1386224236.00000000004DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentshrui.dll.muij% vs AnyDesk.exe
Source: AnyDesk.exe, 00000001.00000003.992997617.00000000004C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEhStorShell.dll.muij% vs AnyDesk.exe
Source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000001.00000003.993128545.00000000004DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentshrui.dll.muij% vs AnyDesk.exe
Source: AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000003.00000003.1005162626.00000000004FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentshrui.dll.muij% vs AnyDesk.exe
Source: AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000003.00000002.1386237440.00000000004F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentshrui.dll.muij% vs AnyDesk.exe
Source: C:\Users\user\Desktop\AnyDesk.exeSection loaded: shcore.dll
Source: C:\Users\user\Desktop\AnyDesk.exeMemory allocated: 77620000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exeMemory allocated: 77740000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exeMemory allocated: 77620000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exeMemory allocated: 77740000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exeMemory allocated: 77620000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exeMemory allocated: 77740000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exeFile read: C:\Users\user\Desktop\AnyDesk.exe
Source: AnyDesk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AnyDesk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\AnyDesk.exe C:\Users\user\Desktop\AnyDesk.exe
Source: C:\Users\user\Desktop\AnyDesk.exeProcess created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exeProcess created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exeProcess created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exeProcess created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32
Source: C:\Users\user\Desktop\AnyDesk.exeWMI Queries: IWbemServices::ExecQuery - SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\AnyDesk.exeFile created: C:\Users\user\AppData\Roaming\AnyDesk
Source: classification engineClassification label: mal51.evad.winEXE@5/6@15/5
Source: C:\Users\user\Desktop\AnyDesk.exeFile read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\AnyDesk.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_3160_2891499629_1_mtx
Source: C:\Users\user\Desktop\AnyDesk.exeMutant created: \Sessions\1\BaseNamedObjects\Session\1\ad_connect_queue_3240_2918799677_mtx
Source: C:\Users\user\Desktop\AnyDesk.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_3252_2928315693_1_mtx
Source: C:\Users\user\Desktop\AnyDesk.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_3252_2928315693_0_mtx
Source: C:\Users\user\Desktop\AnyDesk.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ad_718_lsystem_mtx
Source: C:\Users\user\Desktop\AnyDesk.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_3160_2891499629_0_mtx
Source: C:\Users\user\Desktop\AnyDesk.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ad_trace_mtx
Source: C:\Users\user\Desktop\AnyDesk.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AnyDesk.exeWindow found: window name: SysTabControl32
Source: AnyDesk.exeStatic file information: File size 4033096 > 1048576
Source: AnyDesk.exeStatic PE information: certificate valid
Source: AnyDesk.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x3cc400
Source: AnyDesk.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AnyDesk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe, 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000002.1389052190.00000000014EA000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1389419049.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb source: AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdb source: AnyDesk.exe, 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1388738716.00000000013C2000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1388994079.00000000013C2000.00000004.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\AnyDesk.exeUnpacked PE file: 1.2.AnyDesk.exe.840000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\AnyDesk.exeUnpacked PE file: 2.2.AnyDesk.exe.840000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\AnyDesk.exeUnpacked PE file: 3.2.AnyDesk.exe.840000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\AnyDesk.exeCode function: 1_2_00E1BCD5 push ecx; ret 1_2_00E1BCE8

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\AnyDesk.exeFile opened: C:\Users\user\Desktop\AnyDesk.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\AnyDesk.exeWMI Queries: IWbemServices::ExecQuery - SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\AnyDesk.exeWMI Queries: IWbemServices::ExecQuery - SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\AnyDesk.exeWMI Queries: IWbemServices::ExecQuery - SELECT SerialNumber FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\AnyDesk.exeWMI Queries: IWbemServices::ExecQuery - SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3216Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3220Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3336Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3216Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3336Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3236Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3324Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3324Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3292Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3296Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3300Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3292Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeWMI Queries: IWbemServices::ExecQuery - SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\AnyDesk.exeWMI Queries: IWbemServices::ExecQuery - SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\AnyDesk.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exeThread delayed: delay time: 922337203685477
Source: AnyDesk.exe, 00000001.00000003.993208143.00000000004CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vMnetworkmap.dlln.a8
Source: C:\Users\user\Desktop\AnyDesk.exeMemory protected: page read and write | page guard
Source: C:\Users\user\Desktop\AnyDesk.exeFile opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll
Source: C:\Users\user\Desktop\AnyDesk.exeProcess created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exeProcess created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exeQueries volume information: C:\Users\user\Desktop\AnyDesk.exe VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\AnyDesk.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\AnyDesk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\AnyDesk.exeCode function: 1_2_00D07240 _vswprintf_s,WaitForSingleObject,OutputDebugStringA,_strncmp,_strncmp,_strncpy,_strncpy,GetSystemTime,TlsGetValue,__itow,GetCurrentThreadId,GetCurrentProcessId,__snprintf,SetFilePointer,SetFilePointer,ReadFile,_memmove,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,WriteFile,RtlEnterCriticalSection,RaiseException,1_2_00D07240
Source: AnyDesk.exe, 00000003.00000002.1389419049.00000000014EA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: release/win_7.1.x
Source: AnyDesk.exe, 00000002.00000002.1385958567.00000000002FC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 5d7331e4b5c4645fc76f5ae229f8e6427bf0dfc8release/win_7.1.x8ca1648674c15abfd6f9173523e3160b`
Source: AnyDesk.exe, 00000003.00000002.1386119911.000000000042C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 5d7331e4b5c4645fc76f5ae229f8e6427bf0dfc8release/win_7.1.x8ca1648674c15abfd6f9173523e3160b
Source: AnyDesk.exe, 00000003.00000002.1389419049.00000000014EA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .itext.text.custom8ca1648674c15abfd6f9173523e3160brelease/win_7.1.x5d7331e4b5c4645fc76f5ae229f8e6427bf0dfc8
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts421
Windows Management Instrumentation
1
DLL Side-Loading
11
Process Injection
1
Masquerading
1
Input Capture
1
System Time Discovery
Remote Services1
Input Capture
Exfiltration Over Other Network Medium2
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
11
Disable or Modify Tools
LSASS Memory411
Security Software Discovery
Remote Desktop Protocol1
Clipboard Data
Exfiltration Over Bluetooth1
Non-Standard Port
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)331
Virtualization/Sandbox Evasion
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
Non-Application Layer Protocol
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)11
Process Injection
NTDS331
Virtualization/Sandbox Evasion
Distributed Component Object ModelInput CaptureScheduled Transfer2
Application Layer Protocol
SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
Hidden Files and Directories
LSA Secrets1
Remote System Discovery
SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.common1
Obfuscated Files or Information
Cached Domain Credentials1
File and Directory Discovery
VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup Items1
Software Packing
DCSync134
System Information Discovery
Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
DLL Side-Loading
Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label | Link
AnyDesk.exe | 0% | ReversingLabs | |
AnyDesk.exe | 0% | Virustotal | | Browse
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ns.adobede | 0% | URL Reputation | safe |
https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
boot.net.anydesk.com | 185.229.191.39 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://support.anydesk.com/knowledge/users | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1390881042.0000000003473000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/ | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://order.anydesk.com/trial | AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/update | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/chrome/privacy/eula_text.html | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/intl/$ | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com/lt/abuse | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com/lt/android-battery | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://my.anydesk.com/v2.mF | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1391542199.0000000003097000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://my.anydesk.com | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com/it/abuse | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com/it/android-battery | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://twitter.com/home?status=Do%20you%20know%20%23AnyDesk?%20AnyDesk%20is%20a%20small%20and%20qui | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/my-anydesk-ii#user-management | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1390881042.0000000003473000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/c | AnyDesk.exe, 00000001.00000002.1392491524.0000000003FB0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.anydesk.com/en/sharen_ | AnyDesk.exe, 00000001.00000002.1391542199.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.openssl.org/support/faq.html | AnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/ | AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1390834796.0000000003401000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.1005088110.00000000033FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/privacy | AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://datatracker.ietf.org/ipr/1526/ | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://www.nayuki.io/page/qr-code-generator-library | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://policies.google.com/privacy?hl=it | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://policies.google.com/privacy?hl=$ | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1391542199.0000000003097000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/AnyDesk_on_macOS | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/pricing/teams | AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com/en/shared | AnyDesk.exe, 00000001.00000002.1391542199.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1392491524.0000000003FB0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/0 | AnyDesk.exe, 00000001.00000002.1392491524.0000000003FB0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://datatracker.ietf.org/ipr/1914/ | AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp | false
                                                              high
                                                              https://anydesk.com/termsAnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                high
                                                                https://support.anydesk.com/knowledge/account-migrationAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1391542199.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1390881042.0000000003473000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.google.com/intl/it/chrome/privacy/eula_text.htmlAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                    high
                                                                    https://anydesk.com/orderAnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                      high
                                                                      https://help.anydesk.com/backup-aliasAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                        high
                                                                        https://help.anydesk.com/en/shareAnyDesk.exe, 00000001.00000002.1386224236.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1392491524.0000000003FB0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://anydesk.com/contact/salesAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                            high
                                                                            https://help.anydesk.com/it/androidAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                              high
                                                                              https://my.anydesk.com/password-generator.AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                high
                                                                                https://help.anydesk.com/AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                  high
                                                                                  https://anydesk.comAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                    high
                                                                                    https://support.anydesk.com/knowledge/anydesk-for-android-chromeos#troubleshootingAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1392491524.0000000003FB0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                      high
                                                                                      http://www.opengl.org/registry/AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                        high
                                                                                        https://anydesk.com/contact/sales)AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                          high
                                                                                          https://help.anydesk.com/lt/androidAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                            high
                                                                                            https://help.anydesk.com/wolAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                              high
                                                                                              https://help.anydesk.com/$AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                high
                                                                                                https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20RemAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                  high
                                                                                                  https://console-ui.myanydesk2.on.anydesk.comAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                    high
                                                                                                    http://ns.adobedeAnyDesk.exe, 00000003.00000002.1390676766.0000000002E7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://support.anydesk.comAnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                      high
                                                                                                      https://help.anydesk.com/HelpLinkInstallLocationAnyDeskAnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                        high
                                                                                                        https://boot-01.net.anydesk.comAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                          high
                                                                                                          https://anydesk.com/contAnyDesk.exe, 00000001.00000002.1391542199.0000000002FFD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://datatracker.ietf.org/ipr/1524/AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                              high
                                                                                                              https://my.anydesk.com/v2AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1390881042.0000000003473000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://policies.google.com/privacyAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                  high
                                                                                                                  https://anydesk.com/company#imprintAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.openssl.org/)AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                      high
                                                                                                                      https://anydesk.com/pricing/teams)AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                        high
                                                                                                                        https://support.anydesk.com/knowledge/account-migration.AnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1391542199.0000000003097000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://help.anydesk.com/accessAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKeyparametersprivateKeyECPKPARAMETERSvalueAnyDesk.exe, 00000001.00000003.990882261.00000000022C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://help.anydesk.com/shareAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                high
                                                                                                                                https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalidAnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://support.anydesk.com/knowledge/anydesk-accountAnyDesk.exe, 00000001.00000003.998534080.0000000003078000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000001.00000003.990882261.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.1387433339.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.1390881042.0000000003473000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
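Several URL rows above are not clean URLs: strings carved out of process memory are often fused with whatever data sat next to them (compare "https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid", "http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKey..." and the truncated "https://anydesk.com/cont"), so the host taken verbatim from such a string can neither be matched exactly against an allowlist nor looked up as-is. The following Python is an added triage helper, not code from the Joe Sandbox report or from AnyDesk: it reduces each string to a host, then sorts it into vendor infrastructure, vendor host with trailing junk, or other. The vendor suffix list (anydesk.com) and the sample strings are assumptions constructed from the rows above; swap in the suffixes that fit the sample under review.

```python
"""Triage URL strings recovered from a process memory dump.

Added example for this report, not Joe Sandbox or AnyDesk code. It assumes
that the sample's legitimate infrastructure lives under the suffixes in
VENDOR_SUFFIXES (an assumption taken from the rows above, where
boot.net.anydesk.com resolves to 185.229.191.39).
"""
from collections import Counter
from urllib.parse import urlsplit

# Assumption: vendor domains for this sample. Adjust per sample.
VENDOR_SUFFIXES = ("anydesk.com",)

# Constructed sample input: a subset of the URL strings listed above,
# including fused, truncated and third-party entries.
SAMPLE_STRINGS = [
    "https://www.nayuki.io/page/qr-code-generator-library",
    "https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid",
    "https://boot-01.net.anydesk.com",
    "http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKey",
    "https://anydesk.com/contact/sales)",
    "http://ns.adobede",
    "https://policies.google.com/privacy?hl=$",
    "https://help.anydesk.com/$",
]


def host_of(url):
    """Return the lower-cased host part of a URL string, or '' if none."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:  # e.g. an unbalanced '[' glued onto the host
        return ""


def classify(url, suffixes=VENDOR_SUFFIXES):
    """Return (cleaned_host, category).

    category is one of:
      'vendor'        host equals a vendor suffix or is a subdomain of one
      'vendor-fused'  host is a vendor suffix with non-URL bytes glued on
      'other'         third-party, truncated or lookalike hosts
    """
    host = host_of(url)
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return host, "vendor"
        idx = host.find(suffix)
        if idx == -1:
            continue
        rest = host[idx + len(suffix):]
        # The suffix must start a label (offset 0 or right after a dot)
        # so "notanydesk.com" is not matched, and the trailing bytes must
        # not begin another label, so "anydesk.com.evil.example" stays a
        # lookalike rather than being cut back to the vendor host.
        if (idx == 0 or host[idx - 1] == ".") and rest and rest[0] != ".":
            return host[: idx + len(suffix)], "vendor-fused"
    return host, "other"


def triage(strings, suffixes=VENDOR_SUFFIXES):
    """Classify every string; return (rows, per-category counts)."""
    rows = [(s,) + classify(s, suffixes) for s in strings]
    counts = Counter(category for _, _, category in rows)
    return rows, counts


if __name__ == "__main__":
    rows, counts = triage(SAMPLE_STRINGS)
    for url, host, category in rows:
        print(f"{category:13} {host:28} {url}")
    print(dict(counts))
```

The "vendor-fused" bucket is the one to hand-check: the cleaned host is only a guess at where the real string ended, and a registered lookalike such as anydesk.community would land there too. Anything in "other" that is neither a known third-party library reference (openssl.org, opengl.org, nayuki.io, ietf.org) nor obviously truncated deserves a second look.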
IP | Domain | Country | ASN | ASN Name | Malicious
57.128.101.74 | unknown | Belgium | 2686 | ATGS-MMD-ASUS | false
92.223.88.41 | unknown | Austria | 199524 | GCOREAT | false
57.128.101.75 | unknown | Belgium | 2686 | ATGS-MMD-ASUS | false
185.229.191.39 | boot.net.anydesk.com | Czech Republic | 60068 | CDN77GB | false
185.229.191.41 | unknown | Czech Republic | 60068 | CDN77GB | false
                                                                                                                                  Joe Sandbox Version:38.0.0 Beryl
                                                                                                                                  Analysis ID:1271446
                                                                                                                                  Start date and time:2023-07-12 08:42:35 +02:00
                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                  Overall analysis duration:0h 11m 4s
                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                  Report type:full
                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                                                                                  Run name:Run with higher sleep bypass
Number of new started processes analysed:5
                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                  Technologies:
                                                                                                                                  • HCA enabled
                                                                                                                                  • EGA enabled
                                                                                                                                  • HDC enabled
                                                                                                                                  • AMSI enabled
                                                                                                                                  Analysis Mode:default
                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                  Sample file name:AnyDesk.exe
                                                                                                                                  Detection:MAL
                                                                                                                                  Classification:mal51.evad.winEXE@5/6@15/5
                                                                                                                                  EGA Information:Failed
                                                                                                                                  HDC Information:Failed
                                                                                                                                  HCA Information:Failed
                                                                                                                                  Cookbook Comments:
                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                                                                                                                                  • Excluded IPs from analysis (whitelisted): 8.253.95.121, 8.238.88.254, 8.238.88.120, 8.248.147.254, 8.253.95.249, 209.197.3.8
                                                                                                                                  • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
                                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
57.128.101.74 | AnyDesk-CM.msi | malicious | Unknown
92.223.88.41 | https://download.anydesk.com/AnyDesk.exe | malicious | Unknown
92.223.88.41 | Microsoft.exe | malicious | Unknown
92.223.88.41 | AnyDesk.exe | malicious | Unknown
92.223.88.41 | 1.msi | malicious | Unknown
92.223.88.41 | sJ9Q8UWMAX.exe | malicious | CryptOne, Mofksys
92.223.88.41 | AnyDesk (5).exe | malicious | Unknown
92.223.88.41 | AnyDesk (4).exe | malicious | Unknown
92.223.88.41 | AnyDesk.exe | malicious | Vidar
92.223.88.41 | AnyDesk (1).exe | malicious | Unknown
92.223.88.41 | Vostel-Anydesk.EXE | malicious | Unknown
92.223.88.41 | AnyDesk.exe | malicious | Unknown
57.128.101.75 | https://download.anydesk.com/AnyDesk.exe | malicious | Unknown
57.128.101.75 | AnyDesk.exe | malicious | Unknown
Domains
Columns: Associated Sample Name / URL | Detection | Threat Name | Context (IP contacted)
Match: boot.net.anydesk.com
  https://download.anydesk.com/AnyDesk.exe | malicious | Unknown | 92.223.88.232
  AnyDesk.exe | malicious | Unknown | 185.229.191.41
  AnyDesk.exe | malicious | Unknown | 185.229.191.39
  AnyDesk.exe | malicious | Unknown | 49.12.130.236
  AnyDesk.exe | malicious | Unknown | 185.229.191.44
  92f25a21-b9c1-4aee-af3e-cacf098605e9 | malicious | Unknown | 185.229.191.41
  https://anydesk.com/en/downloads/windows?dv=win_exe | malicious | Unknown | 49.12.130.237
  migrate.120.exe | malicious | DCRat, EICAR | 49.12.130.235
  AnyDesk.msi | malicious | Unknown | 185.229.191.39
  AnyDesk(1).msi | malicious | Unknown | 185.229.191.44
  AnyDesk.exe | malicious | Unknown | 185.229.191.44
  AnyDesk.exe | malicious | Unknown | 185.229.191.41
  AnyDesk261022.exe | malicious | Unknown | 49.12.130.237
  AnyDesk.exe | malicious | Unknown | 49.12.130.237
  SuspectFile.exe | malicious | Unknown | 213.239.219.11
  AnyDesk.exe | malicious | Unknown | 92.223.88.7
  1.msi | malicious | Unknown | 92.223.88.41
ASNs
Columns: Associated Sample Name / URL | Detection | Threat Name | Context (IP contacted)
Match: ATGS-MMD-ASUS
  http://gabonplan.com | malicious | HTMLPhisher | 34.159.132.250
  q0eXCVT3NF.elf | malicious | Mirai | 32.149.172.251
  vFf3p4ldYv.elf | malicious | Mirai | 48.185.74.216
  h25L9k22cq.elf | malicious | Mirai | 57.197.52.184
  25hLREBiQT.elf | malicious | Mirai | 48.239.46.45
  cVEebeLD8W.elf | malicious | Mirai | 57.249.90.73
  kzDx4HypWI.elf | malicious | Mirai | 48.90.235.123
  AA2LVBRNVD.elf | malicious | Mirai | 32.249.82.32
  eRpXfULExv.elf | malicious | Mirai | 32.42.58.180
  c55udD7dmP.elf | malicious | Mirai | 34.40.205.228
  ODt0VWTrhg.elf | malicious | Mirai | 48.18.72.179
  uvqf3mG6CE.elf | malicious | Unknown | 34.44.59.88
  x86.elf | malicious | Mirai | 48.53.170.209
  armv4l-20230709-1219.elf | malicious | Unknown | 32.22.246.53
  x86-20230709-1219.elf | malicious | Unknown | 32.104.91.127
  armv6l-20230709-1219.elf | malicious | Unknown | 34.11.95.250
  mipsel-20230709-1219.elf | malicious | Unknown | 48.157.193.183
  armv7l-20230709-1219.elf | malicious | Unknown | 48.94.195.72
  armv5l-20230709-1219.elf | malicious | Unknown | 57.141.206.27
  i686-20230709-1219.elf | malicious | Unknown | 48.101.198.73
Match: GCOREAT
  https://download.anydesk.com/AnyDesk.exe | malicious | Unknown | 92.223.88.41
  http://reg.ru | malicious | Unknown | 92.223.124.62
  x86.elf | malicious | Mirai | 185.101.139.100
  http://britobarros.com.de/ | malicious | Unknown | 92.38.169.194
  AnyDesk.exe | malicious | Unknown | 92.223.88.232
  https://hacktotherescue.org/register | malicious | Unknown | 92.223.124.62
  https://hacktotherescue.org/register | malicious | Unknown | 92.223.124.62
  https://hacktotherescue.org/register | malicious | Unknown | 92.223.124.62
  KD_MEDICAL_POLSKA_23053371.exe | malicious | FormBook, GuLoader | 92.38.150.138
  s4YvlK74zJ.exe | malicious | FormBook, GuLoader | 92.38.150.138
  AnyDesk-CM.msi | malicious | Unknown | 92.223.88.7
  mirai.x86 | malicious | Mirai | 92.38.169.68
  jWo6k2nNpZ.elf | malicious | Mirai | 92.38.145.194
  z1Mb_NFEmitida1.msi | malicious | Unknown | 5.188.0.116
  TCKOnNwV84.elf | malicious | Mirai, Moobot | 92.223.113.37
  uTvMn3UZ4D.elf | malicious | Mirai | 5.188.4.199
  BIHBXRSIVW.rCJ.dll | malicious | Unknown | 92.38.169.234
  http://jumeirahdubai.ru | malicious | Unknown | 92.223.124.62
  RGL5ljMc4b.elf | malicious | Mirai | 5.188.4.166
  https://goo.su/lldmqia | malicious | Unknown | 92.223.124.24
JA3 Fingerprints
Columns: Associated Sample Name / URL | Detection | Threat Name; the Context IPs contacted by each sample are listed beneath its row
Match: c91bde19008eefabce276152ccd51457
  https://download.anydesk.com/AnyDesk.exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk.exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk.exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk (2).exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk (2).exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk.exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk.exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  92f25a21-b9c1-4aee-af3e-cacf098605e9 | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk(1).msi | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk.exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk.exe | malicious | Unknown
  • 185.229.191.39
  • 57.128.101.74
  • 92.223.88.41
  • 57.128.101.75
  AnyDesk261022.exe | malicious | Unknown
  • 185.229.191.39
                                                                                                                                                              • 57.128.101.74
                                                                                                                                                              • 92.223.88.41
                                                                                                                                                              • 57.128.101.75
                                                                                                                                                              AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 185.229.191.39
                                                                                                                                                              • 57.128.101.74
                                                                                                                                                              • 92.223.88.41
                                                                                                                                                              • 57.128.101.75
                                                                                                                                                              SuspectFile.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 185.229.191.39
                                                                                                                                                              • 57.128.101.74
                                                                                                                                                              • 92.223.88.41
                                                                                                                                                              • 57.128.101.75
                                                                                                                                                              AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 185.229.191.39
                                                                                                                                                              • 57.128.101.74
                                                                                                                                                              • 92.223.88.41
                                                                                                                                                              • 57.128.101.75
                                                                                                                                                              sJ9Q8UWMAX.exeGet hashmaliciousCryptOne, MofksysBrowse
                                                                                                                                                              • 185.229.191.39
                                                                                                                                                              • 57.128.101.74
                                                                                                                                                              • 92.223.88.41
                                                                                                                                                              • 57.128.101.75
                                                                                                                                                              AnyDesk (5).exeGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 185.229.191.39
                                                                                                                                                              • 57.128.101.74
                                                                                                                                                              • 92.223.88.41
                                                                                                                                                              • 57.128.101.75
                                                                                                                                                              No context
                                                                                                                                                              Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                              Category:modified
                                                                                                                                                              Size (bytes):38430
                                                                                                                                                              Entropy (8bit):4.408547122914089
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:384:Wuj98rnwVEqnRyggXePcUUe7UQ5GpSFI5VB+E4S91UWvCliqlNGDt8/xe4Y:F98rnwVEqnRygKI7UQ5G8Fm3JyQEY
                                                                                                                                                              MD5:F31FBC9626A0A3343D17671CBD1CDD96
                                                                                                                                                              SHA1:0B1620661AD07B807AF65015D4D939785D58581D
                                                                                                                                                              SHA-256:EEF9DE24661FC6C597A564C2A0921922E1F0F8187F70075B54B5812993D824B5
                                                                                                                                                              SHA-512:37F480392CA46FA7360235788AE7CDAA1ABFD158FC2843AEADC19C65E7F72DBD5BD455996AF6CD43481224B9E7D7B08C4CB00E31356B0A841EE1279CB592C810
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview: * * * * * * * * * * * * * * * * * *.. info 2023-07-12 15:44:00.525 front 3160 3164 main - * AnyDesk Windows Startup *.. info 2023-07-12 15:44:00.525 front 3160 3164 main - * Version 7.1.8 (release/win_7.1.x 5d7331e4b5c4645fc76f5ae229f8e6427bf0dfc8).. info 2023-07-12 15:44:00.525 front 3160 3164 main - * Checksum 8ca1648674c15abfd6f9173523e3160b.. info 2023-07-12 15:44:00.525 front 3160 3164 main - * Build 20230125122541.. info 2023-07-12 15:44:00.525 front 3160 3164 main - * Copyright (C) 2023 AnyDesk Software GmbH *.. info 2023-07-12 15:44:00.525 front 3160 3164 main - .. info 2023-07-12 15:44:00.525 front 3160 3164 main - Command Line params: "C:\Users\user\Desktop\AnyDesk.exe"..
                                                                                                                                                              Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              File Type:ASCII text, with very long lines (1747)
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):2762
                                                                                                                                                              Entropy (8bit):6.023506324576902
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:uIST74inyP8PeLuBCbptMHjvD5BzVtXL9DOf1XgZHvmXQfp4R/GbsVUjFUfmyBL7:uISTciZPeLu4bptMHHLR69y+XoPs2CVJ
                                                                                                                                                              MD5:60FC906FBE36E6E6FAE757D363F55EAF
                                                                                                                                                              SHA1:23FFA42E65B949F8716A9A7A953B55E964A4B2C6
                                                                                                                                                              SHA-256:2FAD626A5B3EC430BBFFD0ECBDF90793DF632B7E50A7260E7C0E201B3B50CB65
                                                                                                                                                              SHA-512:64BBE0C1794F55B136EA9CB5ECBD2799041D4BC002293D7B74DA0A99CEE2FE1F87B34EC3E9E565686FB7311F54C01B1E08050B41CCFF6F5AF6CB7211C4888A0C
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview:ad.anynet.cert=-----BEGIN CERTIFICATE-----\nMIICqDCCAZACAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOQW55RGVzayBD\nbGllbnQwIBcNMjMwNzEyMTU0NDA1WhgPMjA3MzA2MjkxNTQ0MDVaMBkxFzAVBgNV\nBAMMDkFueURlc2sgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAlP9wjXS12LMHWZF4/Bfd/empD9+d2yPp4vsQol2UPuvFWyawfIVP/awIcwjp\n41jsXm8e0d9IxNRF6EUyYsf5vYOuqv/NJRYXZ5RE0n22cZJ0j3xsOXHnnnyJfrSm\nM8QlaO9Gfrp/fwm9CS3QjUye2JQvyxIu9C2Hi+K+FWHJcSLyqItrjvwqusLQFsj/\nuthAsOIxat+u+aWzc8OtcYqHFtULr+GQRi3KZdwlohaELbSQu4KkA9FS0m6KYfJu\nCb7FrEqDcA4t62BrkcgYu6tltoWe+Xtv9Ckrvmcu2O7LBfCvby8slx8Hs0lsWWVa\nAoe5W0ZLZSwBjO9MCiTnL/KbBQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBUSimP\nHgc2SQ12eB5KUEaEU7udn2FrtOtBp3Rfo+eVZ9/HQQUnvaVsNZ7cL63k4L1TaNu0\nUk2MbmNkQKKJc7UbGYfT5OHAHK9G5GEZatn47EupPB2yZLyBZ6/NMhQUxrhMcgqm\nKkhQlsK8APTNXW5jsvXs+XYAuzKThzapb6ZXdjYBUZW4HAhNFj7lG+3I/6qguNta\nFRAn/cBlBPJufjWqArHns1lTRY8CF+7YrnMuoNAknVk6jxai99GupwcJDwOx6HTh\nCD4jmj7LY5nQ195SIeHN3CxupjYwIRWg8wcSAOUkPaEddHtc+te0WPMYQufRCuC+\n6nFEjwrYTsYR+AFI\n-----END CERTI
                                                                                                                                                              Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              File Type:ASCII text
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):424
                                                                                                                                                              Entropy (8bit):4.544680364292298
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6:owjFemTqSdBWwwaqQAmvbahOmQgRQUQgRQPYQgRQOYQgfxPZxi3B6QgfxPg3qg3M:omd+BuqQHvWhOLroBGgFBGt
                                                                                                                                                              MD5:C71A9778EE92B4B1684742846B75FB48
                                                                                                                                                              SHA1:74AF017E8D6C8A98FC1A759EF54C4954B9574A4F
                                                                                                                                                              SHA-256:1D5E2435851BCCF5F0822DFF9E0038B30E9136B03A49FF833714C66A279C4B80
                                                                                                                                                              SHA-512:2CB4C8CE9DB155D23CC0972B9BBCAA72F924DA558AED95A157BA2242E0F5914E42D2A843920E9388919E56D5F998064AE160AD31C0214A675A4CF9690F384C5A
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview:ad.anynet.fpr=2b99555ddd42431bdfa9f8eb8926af99a318da73.ad.anynet.relay.fatal_result=1.0.ad.anynet.relay.state=0.ad.security.frontend_clipboard=1.ad.security.frontend_clipboard_files=1.ad.security.frontend_clipboard_version=1.ad.security.permission_profiles._default.permissions.sas=1.ad.security.permission_profiles._unattended_access.permissions.sas=1.ad.security.permission_profiles.version=1.ad.security.update_version=1.
                                                                                                                                                              Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              File Type:ASCII text, with very long lines (508)
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):1907
                                                                                                                                                              Entropy (8bit):4.67366120443005
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:2K9YX1dMMW+d96snKEMXpgKxnSgLoRMTuM2enKEMX5XObdXhUrDeGcTifc+5lQ1t:2tdM9+dNnsgKJP9uM2eniVllOLc8gGl
                                                                                                                                                              MD5:B848A65E09B6D52BD37133CE47C89B5C
                                                                                                                                                              SHA1:D7D92D4B386CFC4F3E8CD9111AAF0ECFE1BB7721
                                                                                                                                                              SHA-256:8306D8762F1986E72DDD98907C2CC429563EBCC1DCD2D674415FA419A0ADB476
                                                                                                                                                              SHA-512:FFD76931600082E3C0CA982E86322775BCB25D24889847702464290AFC8CF8E36CDD67348B96F7C886B35064E6F97D1C15FC75CC228A25F4F763327BCA40A0D5
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview:ad.account.info=6fa74c609a01f31f1f670668df954f4642a4aae8018a18dacb3bab857b40b4fca875e3ae9224ba520ff648310f1fa2df0b53d2e90e4e008262013ecaea92b8ae2c0cd71ef0250fc9d8bd2d8cb463a75ee49cad284357cb55df87042c5b67c27374ab0862b47b212f41cf5778b89c8dd8d412f9836dba9fc0550e4b325a30fb27271e0a9a62819c26141ad0be816e6470f0d9b32380589e4325607250babb360074f416dd3ec620850184b45ce64c2d9a071311cc97f00b035f341b6861a47d7b4a67ef6ac98fb9505352b963219225627091a389f10e7e5ad575948b45da837fd263b2a9fa413ffca24948805d37f6c711508bf579cf.ad.invite.created_list_encrypted=6fa74c609a01f31f1f670668df954f4642a4aae8018a18dad65a722a08f552f5ae11a485412c247a0bf648310f1fa2df0b53d2e90e4e008262013ecaea929aa86f9ddc2d677643977d3d8da413f72c412b7d834d5a9cb723f1def44e4302c27374ab0862b47b212f41cf5778b89c7dc4027146f569219b64c8f1982a6fac4a2d8caa25378cc8397b85c5e27ee98f5470f0d9313150997ad0bf7ab814df5a23a9a52b806804e95bd98ac65a3ed91ffe582f3f8583e48c966fda944e52a9e31a11e64a32901f2b4032877e301377afbdab6dad429512906eec14ba8501513d6e8ebe21e0934f
                                                                                                                                                              Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):3052
                                                                                                                                                              Entropy (8bit):2.932528471560915
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:yzU+sXXmxOpKWo8yA7yvzU+sXen1OpSjD8yA7yA:y9sXXsmno8yuyv9sXE1mi8yuyA
                                                                                                                                                              MD5:4117E794F63A21F93EC7E0179133BF11
                                                                                                                                                              SHA1:0DD31AAD8688B8A618E44CB1A1177A575ACDD9C2
                                                                                                                                                              SHA-256:B2DBBEF913AD2798E51909191DA971D1BEE4B310D99491936291937E27222387
                                                                                                                                                              SHA-512:AAAD5D4AD30F462D092527C379AA82D51D88DDD27B4B221E061B8CD9A38069CB8D5AB61E1F0033C22A956C5A3E8DC15DD59194FE57182032D91152F156C81FE2
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview:...................................FL..................F.@ . .......3......3.......H.=.....................`.^.2.H.=..V}} .AnyDesk.exe.D......hT.hT.*.../.....4...............A.n.y.D.e.s.k...e.x.e.......u...............-...8...[...........O.?......C:\Users\..#...................\\992547\Users.user\Desktop\AnyDesk.exe...O.p.e.n. .a. .n.e.w. .A.n.y.D.e.s.k. .w.i.n.d.o.w...".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.e.s.k.t.o.p.\.A.n.y.D.e.s.k...e.x.e.........%USERPROFILE%\Desktop\AnyDesk.exe...................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.D.e.s.k.t.o.p.\.A.n.y.D.e.s.k...e.x.e........................................................................................................................................................................................................................
                                                                                                                                                              Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):3052
                                                                                                                                                              Entropy (8bit):2.932528471560915
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:yzU+sXXmxOpKWo8yA7yvzU+sXen1OpSjD8yA7yA:y9sXXsmno8yuyv9sXE1mi8yuyA
                                                                                                                                                              MD5:4117E794F63A21F93EC7E0179133BF11
                                                                                                                                                              SHA1:0DD31AAD8688B8A618E44CB1A1177A575ACDD9C2
                                                                                                                                                              SHA-256:B2DBBEF913AD2798E51909191DA971D1BEE4B310D99491936291937E27222387
                                                                                                                                                              SHA-512:AAAD5D4AD30F462D092527C379AA82D51D88DDD27B4B221E061B8CD9A38069CB8D5AB61E1F0033C22A956C5A3E8DC15DD59194FE57182032D91152F156C81FE2
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:...................................FL..................F.@ . .......3......3.......H.=.....................`.^.2.H.=..V}} .AnyDesk.exe.D......hT.hT.*.../.....4...............A.n.y.D.e.s.k...e.x.e.......u...............-...8...[...........O.?......C:\Users\..#...................\\992547\Users.user\Desktop\AnyDesk.exe...O.p.e.n. .a. .n.e.w. .A.n.y.D.e.s.k. .w.i.n.d.o.w...".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.e.s.k.t.o.p.\.A.n.y.D.e.s.k...e.x.e.........%USERPROFILE%\Desktop\AnyDesk.exe...................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.D.e.s.k.t.o.p.\.A.n.y.D.e.s.k...e.x.e........................................................................................................................................................................................................................
                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Entropy (8bit):7.9991576976505945
                                                                                                                                                              TrID:
                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AnyDesk.exe
File size: 4'033'096 bytes
MD5: e546506082b374a0869bdd97b313fe5d
SHA1: 082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256: fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512: 15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP: 98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM
TLSH: 1B1633410356D731F9A3B0F67106B22724F25A912CB8BB5768D950EBFEF35A076780B4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L......c.........."......*....=..`.........
Icon Hash: 499669d8d82916a8
Entrypoint: 0x401ce9
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x63D111B8 [Wed Jan 25 11:25:44 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash:
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After
• 12/12/2021 4:00:00 PM 1/8/2025 3:59:59 PM
Subject Chain
• CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-Württemberg, C=DE
Version: 3
Thumbprint MD5: EAE713DFC05244CF4301BF1C9F68B1BE
Thumbprint SHA-1: 9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
Thumbprint SHA-256: 9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
Serial: 0DBF152DEAF0B981A8A938D53F769DB8
Instruction (entrypoint disassembly)
push ebp
mov ebp, esp
sub esp, 64h
push esi
lea ecx, dword ptr [ebp-64h]
call 00007FD004738AC3h
lea eax, dword ptr [ebp-64h]
mov ecx, eax
mov dword ptr [01477280h], eax
call 00007FD004738981h
test al, al
jne 00007FD0047390E4h
mov esi, 000003E8h
lea ecx, dword ptr [ebp-64h]
call 00007FD00473896Fh
mov eax, esi
pop esi
leave
ret
lea eax, dword ptr [ebp-64h]
push eax
lea ecx, dword ptr [ebp-30h]
call 00007FD0047387A3h
lea eax, dword ptr [ebp-30h]
mov ecx, eax
mov dword ptr [01477284h], eax
call 00007FD00473873Bh
test al, al
jne 00007FD0047390E1h
lea ecx, dword ptr [ebp-30h]
call 00007FD004738720h
mov esi, 000003E9h
jmp 00007FD004739097h
cmp dword ptr [ebp-10h], 00000000h
je 00007FD0047390DAh
push 00000800h
call dword ptr [ebp-10h]
cmp dword ptr [ebp-0Ch], 00000000h
je 00007FD0047390DAh
push 00008001h
call dword ptr [ebp-0Ch]
lea eax, dword ptr [ebp-64h]
push eax
lea esi, dword ptr [ebp-30h]
call 00007FD004739025h
pop ecx
mov esi, eax
push esi
call dword ptr [ebp-20h]
lea ecx, dword ptr [ebp-30h]
call 00007FD0047386E2h
jmp 00007FD00473905Eh
mov edx, dword ptr [esp+04h]
push ebx
mov ebx, dword ptr [esp+10h]
push esi
xor esi, esi
test ebx, ebx
je 00007FD004739101h
push edi
mov edi, dword ptr [esp+14h]
sub edi, 01477288h
imul edx, edx, 0019660Dh
add edx, 3C6EF35Fh
mov eax, edx
shr eax, 0Ch
Programming Language:
• [C++] VS2010 build 30319
• [ C ] VS2010 build 30319
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1078000 | 0x4850 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3d4400 | 0x4648 | .itext
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x107d000 | 0x84 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcaa000 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2835 | 0x2a00 | False | 0.5949590773809523 | data | 6.525031500076848 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x4000 | 0xca6000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xcaa000 | 0x2fa | 0x400 | False | 0.7265625 | Matlab v4 mat-file (little endian) \234\242\312, numeric, rows 1674645944, columns 0, imaginary | 5.6504180612891854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcab000 | 0x3cc68c | 0x3cc400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1078000 | 0x4850 | 0x4a00 | False | 0.5123521959459459 | data | 6.01750065176338 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x107d000 | 0x300 | 0x400 | False | 0.1455078125 | data | 1.181265380704217 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1078280 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9167848029486816
RT_ICON | 0x1079e10 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.299390243902439
RT_ICON | 0x107a478 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.478494623655914
RT_ICON | 0x107a760 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.48155737704918034
RT_ICON | 0x107a948 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.597972972972973
RT_ICON | 0x107aac0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.09404315196998124
RT_ICON | 0x107bb68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2047872340425532
RT_GROUP_ICON | 0x107aa70 | 0x4c | data | English | United States | 0.8026315789473685
RT_GROUP_ICON | 0x107bfd0 | 0x22 | data | English | United States | 1.0588235294117647
RT_VERSION | 0x107bff8 | 0x24c | data | English | United States | 0.48299319727891155
RT_MANIFEST | 0x107c248 | 0x605 | XML 1.0 document, ASCII text | English | United States | 0.4536015574302401
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 12, 2023 08:43:34.032617092 CEST | 49182 | 443 | 192.168.2.22 | 185.229.191.39
Jul 12, 2023 08:43:34.032676935 CEST | 443 | 49182 | 185.229.191.39 | 192.168.2.22
Jul 12, 2023 08:43:34.032757998 CEST | 49182 | 443 | 192.168.2.22 | 185.229.191.39
Jul 12, 2023 08:43:34.073482990 CEST | 49182 | 443 | 192.168.2.22 | 185.229.191.39
Jul 12, 2023 08:43:34.073524952 CEST | 443 | 49182 | 185.229.191.39 | 192.168.2.22
Jul 12, 2023 08:43:34.143347979 CEST | 443 | 49182 | 185.229.191.39 | 192.168.2.22
Jul 12, 2023 08:43:34.143482924 CEST | 49182 | 443 | 192.168.2.22 | 185.229.191.39
Jul 12, 2023 08:43:34.144368887 CEST | 49182 | 443 | 192.168.2.22 | 185.229.191.39
Jul 12, 2023 08:43:34.144388914 CEST | 443 | 49182 | 185.229.191.39 | 192.168.2.22
Jul 12, 2023 08:43:34.144686937 CEST | 443 | 49182 | 185.229.191.39 | 192.168.2.22
Jul 12, 2023 08:43:34.144738913 CEST | 49182 | 443 | 192.168.2.22 | 185.229.191.39
Jul 12, 2023 08:43:34.211982012 CEST | 49182 | 443 | 192.168.2.22 | 185.229.191.39
Jul 12, 2023 08:43:34.292520046 CEST | 49183 | 80 | 192.168.2.22 | 185.229.191.41
Jul 12, 2023 08:43:34.316375017 CEST | 80 | 49183 | 185.229.191.41 | 192.168.2.22
Jul 12, 2023 08:43:34.316509008 CEST | 49183 | 80 | 192.168.2.22 | 185.229.191.41
Jul 12, 2023 08:43:34.364636898 CEST | 49183 | 80 | 192.168.2.22 | 185.229.191.41
Jul 12, 2023 08:43:34.388437986 CEST | 80 | 49183 | 185.229.191.41 | 192.168.2.22
Jul 12, 2023 08:43:34.391180038 CEST | 80 | 49183 | 185.229.191.41 | 192.168.2.22
Jul 12, 2023 08:43:34.391206980 CEST | 80 | 49183 | 185.229.191.41 | 192.168.2.22
Jul 12, 2023 08:43:34.391223907 CEST | 80 | 49183 | 185.229.191.41 | 192.168.2.22
Jul 12, 2023 08:43:34.391242027 CEST | 80 | 49183 | 185.229.191.41 | 192.168.2.22
Jul 12, 2023 08:43:34.391259909 CEST | 80 | 49183 | 185.229.191.41 | 192.168.2.22
Jul 12, 2023 08:43:34.391264915 CEST | 49183 | 80 | 192.168.2.22 | 185.229.191.41
Jul 12, 2023 08:43:34.391304970 CEST | 49183 | 80 | 192.168.2.22 | 185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:34.447649002 CEST4918380192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:34.471566916 CEST8049183185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.471606970 CEST8049183185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.471664906 CEST4918380192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:34.546220064 CEST4918380192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:34.570002079 CEST8049183185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.600430012 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.624634981 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.624783993 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.657118082 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.681256056 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.683795929 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.683828115 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.683845043 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.683861971 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.683878899 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.683912039 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.683912039 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.695456028 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.719712973 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.719741106 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:34.719835997 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.775785923 CEST491846568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:34.800098896 CEST656849184185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.550823927 CEST49186443192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:40.550920010 CEST44349186185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.551117897 CEST49186443192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:40.576376915 CEST49186443192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:40.576425076 CEST44349186185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.635077953 CEST44349186185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.635149956 CEST49186443192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:40.637124062 CEST49186443192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:40.637136936 CEST44349186185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.637393951 CEST44349186185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.637445927 CEST49186443192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:40.677324057 CEST49186443192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:40.705667019 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:40.729454994 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.729558945 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:40.739001989 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:40.762722015 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.764811039 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.764841080 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.764859915 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.764878035 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.764894962 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.764954090 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:40.764954090 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:40.789251089 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:40.813965082 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.814001083 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:40.814214945 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:41.159969091 CEST4918780192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:41.183506012 CEST8049187185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.198287964 CEST491886568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:41.222390890 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.222948074 CEST491886568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:41.253715992 CEST491886568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:41.277822971 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.280673027 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.280704975 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.280725002 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.280813932 CEST491886568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:41.297316074 CEST491886568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:41.321633101 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.321681023 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:41.321805000 CEST491886568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:41.555875063 CEST491886568192.168.2.22185.229.191.39
                                                                                                                                                              Jul 12, 2023 08:43:41.580178022 CEST656849188185.229.191.39192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:56.879014969 CEST49189443192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:56.879081964 CEST4434918957.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:56.879323959 CEST49189443192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:56.895306110 CEST49189443192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:56.895358086 CEST4434918957.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:56.944928885 CEST4434918957.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:56.945024014 CEST49189443192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:56.954989910 CEST49189443192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:56.955017090 CEST4434918957.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:56.955544949 CEST4434918957.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:56.955688000 CEST49189443192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:56.990211010 CEST49189443192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.021642923 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.041229963 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.041378975 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.052000046 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.071815014 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.074522972 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.074606895 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.074650049 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.074690104 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.074729919 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.074764013 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.074764013 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.095674038 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.115695000 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.115822077 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.115998983 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.181641102 CEST4919080192.168.2.2257.128.101.74
                                                                                                                                                              Jul 12, 2023 08:43:57.201217890 CEST804919057.128.101.74192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.216059923 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.239876032 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.240047932 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.253942966 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.277930021 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.280982018 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.281024933 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.281050920 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.281075954 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.281104088 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.281132936 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.281205893 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.309396029 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.333231926 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.333268881 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:43:57.333451033 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.373303890 CEST491916568192.168.2.22185.229.191.41
                                                                                                                                                              Jul 12, 2023 08:43:57.397104979 CEST656849191185.229.191.41192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:44:47.355144024 CEST49192443192.168.2.2257.128.101.75
                                                                                                                                                              Jul 12, 2023 08:44:47.355228901 CEST4434919257.128.101.75192.168.2.22
                                                                                                                                                              Jul 12, 2023 08:44:47.355305910 CEST49192443192.168.2.2257.128.101.75
                                                                                                                                                              Jul 12, 2023 08:44:47.369582891 CEST49192443192.168.2.2257.128.101.75
                                                                                                                                                              Jul 12, 2023 08:44:47.369635105 CEST4434919257.128.101.75192.168.2.22
DNS Queries

Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
Jul 12, 2023 08:43:33.985713959 CEST  192.168.2.22  8.8.8.8  0x5189    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:34.234378099 CEST  192.168.2.22  8.8.8.8  0x9a5d    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:34.556231976 CEST  192.168.2.22  8.8.8.8  0x48f7    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:40.415570974 CEST  192.168.2.22  8.8.8.8  0xb5b2    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:40.687930107 CEST  192.168.2.22  8.8.8.8  0x7ff4    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:41.169048071 CEST  192.168.2.22  8.8.8.8  0x32c2    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:56.823744059 CEST  192.168.2.22  8.8.8.8  0xd454    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:57.001923084 CEST  192.168.2.22  8.8.8.8  0x8b74    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:57.189374924 CEST  192.168.2.22  8.8.8.8  0x6206    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:44:47.337151051 CEST  192.168.2.22  8.8.8.8  0x9e10    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:44:47.503346920 CEST  192.168.2.22  8.8.8.8  0x85b     Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:44:47.678570032 CEST  192.168.2.22  8.8.8.8  0x98a8    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:45:59.070559978 CEST  192.168.2.22  8.8.8.8  0x941f    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:45:59.253813982 CEST  192.168.2.22  8.8.8.8  0xc78d    Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:45:59.466974020 CEST  192.168.2.22  8.8.8.8  0xbf7     Standard query (0)  boot.net.anydesk.com  A (IP address)  IN (0x0001)  false
DNS Answers

Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                  CName  Address         Type            Class        DNS over HTTPS
Jul 12, 2023 08:43:34.008976936 CEST  8.8.8.8    192.168.2.22  0x5189    No error (0)  boot.net.anydesk.com         185.229.191.39  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:34.257759094 CEST  8.8.8.8    192.168.2.22  0x9a5d    No error (0)  boot.net.anydesk.com         185.229.191.41  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:34.579776049 CEST  8.8.8.8    192.168.2.22  0x48f7    No error (0)  boot.net.anydesk.com         185.229.191.39  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:40.439039946 CEST  8.8.8.8    192.168.2.22  0xb5b2    No error (0)  boot.net.anydesk.com         185.229.191.39  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:40.702636957 CEST  8.8.8.8    192.168.2.22  0x7ff4    No error (0)  boot.net.anydesk.com         185.229.191.41  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:41.192698956 CEST  8.8.8.8    192.168.2.22  0x32c2    No error (0)  boot.net.anydesk.com         185.229.191.39  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:56.852499962 CEST  8.8.8.8    192.168.2.22  0xd454    No error (0)  boot.net.anydesk.com         57.128.101.74   A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:57.017333984 CEST  8.8.8.8    192.168.2.22  0x8b74    No error (0)  boot.net.anydesk.com         57.128.101.74   A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:43:57.212779999 CEST  8.8.8.8    192.168.2.22  0x6206    No error (0)  boot.net.anydesk.com         185.229.191.41  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:44:47.352293968 CEST  8.8.8.8    192.168.2.22  0x9e10    No error (0)  boot.net.anydesk.com         57.128.101.75   A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:44:47.518215895 CEST  8.8.8.8    192.168.2.22  0x85b     No error (0)  boot.net.anydesk.com         185.229.191.41  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:44:47.701761007 CEST  8.8.8.8    192.168.2.22  0x98a8    No error (0)  boot.net.anydesk.com         92.223.88.41    A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:45:59.094120026 CEST  8.8.8.8    192.168.2.22  0x941f    No error (0)  boot.net.anydesk.com         92.223.88.41    A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:45:59.277446032 CEST  8.8.8.8    192.168.2.22  0xc78d    No error (0)  boot.net.anydesk.com         185.229.191.39  A (IP address)  IN (0x0001)  false
Jul 12, 2023 08:45:59.481848955 CEST  8.8.8.8    192.168.2.22  0xbf7     No error (0)  boot.net.anydesk.com         57.128.101.74   A (IP address)  IN (0x0001)  false
Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49183        185.229.191.41  80                C:\Users\user\Desktop\AnyDesk.exe


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
1           192.168.2.22  49187        185.229.191.41  80                C:\Users\user\Desktop\AnyDesk.exe


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
2           192.168.2.22  49190        57.128.101.74   80                C:\Users\user\Desktop\AnyDesk.exe


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
3           192.168.2.22  49193        185.229.191.41  80                C:\Users\user\Desktop\AnyDesk.exe


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
4           192.168.2.22  49196        185.229.191.39  80                C:\Users\user\Desktop\AnyDesk.exe


                                                                                                                                                              Target ID:1
                                                                                                                                                              Start time:08:43:58
                                                                                                                                                              Start date:12/07/2023
                                                                                                                                                              Path:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              Imagebase:0x840000
                                                                                                                                                              File size:4'033'096 bytes
                                                                                                                                                              MD5 hash:E546506082B374A0869BDD97B313FE5D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low

                                                                                                                                                              Target ID:2
                                                                                                                                                              Start time:08:44:01
                                                                                                                                                              Start date:12/07/2023
                                                                                                                                                              Path:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Users\user\Desktop\AnyDesk.exe" --local-service
                                                                                                                                                              Imagebase:0x840000
                                                                                                                                                              File size:4'033'096 bytes
                                                                                                                                                              MD5 hash:E546506082B374A0869BDD97B313FE5D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low

                                                                                                                                                              Target ID:3
                                                                                                                                                              Start time:08:44:02
                                                                                                                                                              Start date:12/07/2023
                                                                                                                                                              Path:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Users\user\Desktop\AnyDesk.exe" --local-control
                                                                                                                                                              Imagebase:0x840000
                                                                                                                                                              File size:4'033'096 bytes
                                                                                                                                                              MD5 hash:E546506082B374A0869BDD97B313FE5D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low

                                                                                                                                                                APIs
                                                                                                                                                                • _vswprintf_s.LIBCMT ref: 00D072A7
                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 00D072C7
                                                                                                                                                                • OutputDebugStringA.KERNEL32(AnyDesk: Mutex broken!), ref: 00D072F3
                                                                                                                                                                • _strncmp.LIBCMT ref: 00D0732B
                                                                                                                                                                • _strncmp.LIBCMT ref: 00D07347
                                                                                                                                                                • _strncpy.LIBCMT ref: 00D073B9
                                                                                                                                                                • _strncpy.LIBCMT ref: 00D073D2
                                                                                                                                                                • GetSystemTime.KERNEL32(?), ref: 00D073F4
                                                                                                                                                                • TlsGetValue.KERNEL32(0000001C), ref: 00D073FE
                                                                                                                                                                • __itow.LIBCMT ref: 00D07430
                                                                                                                                                                • GetCurrentThreadId.KERNEL32(?,?,?), ref: 00D074AE
                                                                                                                                                                • GetCurrentProcessId.KERNEL32(00000000), ref: 00D074B5
                                                                                                                                                                • __snprintf.LIBCMT ref: 00D074F8
                                                                                                                                                                • SetFilePointer.KERNELBASE(00000168,00000000,00000000,00000002), ref: 00D07516
                                                                                                                                                                • SetFilePointer.KERNEL32(00000168,00000000,00000000,00000000), ref: 00D0754F
                                                                                                                                                                • ReadFile.KERNEL32(00000168,00000000,00000000,00000000,00000000), ref: 00D07561
                                                                                                                                                                • _memmove.LIBCMT ref: 00D07595
                                                                                                                                                                • SetFilePointer.KERNEL32(00000168,00000000,00000000,00000000), ref: 00D075A7
                                                                                                                                                                • WriteFile.KERNEL32(00000168,00000000,00000000,00000000,00000000), ref: 00D075C0
                                                                                                                                                                • SetFilePointer.KERNEL32(00000168,00000000,00000000,00000000), ref: 00D075CF
                                                                                                                                                                • SetEndOfFile.KERNEL32(00000168), ref: 00D075D9
                                                                                                                                                                • WriteFile.KERNELBASE(00000168,?,?,?,00000000), ref: 00D0760C
                                                                                                                                                                • RtlEnterCriticalSection.NTDLL(0146AAF0), ref: 00D07668
                                                                                                                                                                • RaiseException.KERNEL32(00002329,00000000,00000000,00000000), ref: 00D07679
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$Pointer$CurrentWrite_strncmp_strncpy$CriticalDebugEnterExceptionObjectOutputProcessRaiseReadSectionSingleStringSystemThreadTimeValueWait__itow__snprintf_memmove_vswprintf_s
                                                                                                                                                                • String ID: %d times: %s$%7s %4i-%02i-%02i %02i:%02i:%02i.%03i %10s %6lu %6lu %4s %32s - %s$AnyDesk: Mutex broken!$AnyDesk: Timeout in trace.$AnyDesk: Wait failed.$auth$crash$debug$error$explode$front$info$intern$invalid$verbose$warning
                                                                                                                                                                • API String ID: 4093955403-2797980505
                                                                                                                                                                • Opcode ID: 14351e6fc61a2d21473a23939fc99efe2b779133f7d9b578075e96c85ee52d3b
                                                                                                                                                                • Instruction ID: bf52706022c556121f28992a883e0580627c06c404683fde7fa2ce6a91663b80
                                                                                                                                                                • Opcode Fuzzy Hash: 14351e6fc61a2d21473a23939fc99efe2b779133f7d9b578075e96c85ee52d3b
                                                                                                                                                                • Instruction Fuzzy Hash: 98C1F0B1E08214AFDB10DF64DC85BEE37A8AB48304F188569FA09AF2C1D774E944CB75
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • CloseHandle.KERNEL32(FFFFFFFF), ref: 00D07177
                                                                                                                                                                • GetLastError.KERNEL32(?), ref: 00D0717D
                                                                                                                                                                • CreateFileW.KERNELBASE(02FFEDF0,C0000000,00000007,00000000,00000004,00000000,00000000), ref: 00D071B9
                                                                                                                                                                • GetLastError.KERNEL32 ref: 00D071CD
                                                                                                                                                                • RevertToSelf.ADVAPI32 ref: 00D071F9
                                                                                                                                                                • CloseHandle.KERNEL32(FFFFFFFF), ref: 00D0720D
                                                                                                                                                                  • Part of subcall function 00D06F20: GetCurrentProcess.KERNEL32(0000000C,?,0146AAF0,?,0146AAF0), ref: 00D06F36
                                                                                                                                                                  • Part of subcall function 00D06F20: OpenProcessToken.ADVAPI32(00000000), ref: 00D06F3D
                                                                                                                                                                  • Part of subcall function 00D06F20: GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00D06F62
                                                                                                                                                                  • Part of subcall function 00D06F20: GetLastError.KERNEL32 ref: 00D06F68
                                                                                                                                                                  • Part of subcall function 00D06F20: CloseHandle.KERNEL32(FFFFFFFF), ref: 00D06F80
                                                                                                                                                                  • Part of subcall function 00D06ED0: GetCurrentThread.KERNEL32(000F01FF,00000001,?,0146AAF0,?,00D07158,?), ref: 00D06EE6
                                                                                                                                                                  • Part of subcall function 00D06ED0: OpenThreadToken.ADVAPI32(00000000,?,00D07158,?), ref: 00D06EED
                                                                                                                                                                  • Part of subcall function 00D06ED0: CloseHandle.KERNEL32(?), ref: 00D06F06
                                                                                                                                                                  • Part of subcall function 00D06FE0: GetCurrentProcessId.KERNEL32(?,0146AAF0,0146AAF0), ref: 00D07006
                                                                                                                                                                  • Part of subcall function 00D06FE0: ProcessIdToSessionId.KERNEL32(00000000), ref: 00D0700D
                                                                                                                                                                  • Part of subcall function 00D06FE0: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 00D07042
                                                                                                                                                                Strings
                                                                                                                                                                • Couldn't open the trace file (%08lx)., xrefs: 00D071D4
                                                                                                                                                                • Couldn't impersonate (%08lx)., xrefs: 00D07184
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseHandleProcess$CurrentErrorLastToken$OpenThread$CreateFileImpersonateInformationLoggedRevertSelfSessionUser
                                                                                                                                                                • String ID: Couldn't impersonate (%08lx).$Couldn't open the trace file (%08lx).
                                                                                                                                                                • API String ID: 432512558-3770443821
                                                                                                                                                                • Opcode ID: bf1f3d592c28e62927ffad0f99383d7884fbda8d7c85ea4b3bdb4478be4c0b81
                                                                                                                                                                • Instruction ID: 5037d715d10a6a0bd598cc27bc870ae91753141d7eedb544eb924b6268c2f1c8
                                                                                                                                                                • Opcode Fuzzy Hash: bf1f3d592c28e62927ffad0f99383d7884fbda8d7c85ea4b3bdb4478be4c0b81
                                                                                                                                                                • Instruction Fuzzy Hash: CB21A670D0C3006AE7305B75AC097567B94AF11328F184705F89C9A2D1E7B0B45987B3
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(0000000C,?,0146AAF0,?,0146AAF0), ref: 00D06F36
• OpenProcessToken.ADVAPI32(00000000), ref: 00D06F3D
• GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenUser),00000000,00000000,?), ref: 00D06F62
• GetLastError.KERNEL32 ref: 00D06F68
• CloseHandle.KERNEL32(FFFFFFFF), ref: 00D06F80
• GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenUser),?,00000000,00000000), ref: 00D06FAA
• CloseHandle.KERNELBASE(FFFFFFFF), ref: 00D06FBD
• IsWellKnownSid.ADVAPI32(?,00000016(WinLocalSystemSid),?,00000000,00000000), ref: 00D06FC8
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: Token$CloseHandleInformationProcess$CurrentErrorKnownLastOpenWell
• String ID:
• API String ID: 4246584975-0
• Opcode ID: 2d0fcb2ebc498ddb271e533a8ba59f607588d0199c61309196bc3b2e9544c28b
• Instruction ID: 2227f663b46697cb9c223c6c4926403738ad9035e6dc51539f7defa4c6e54fa2
• Opcode Fuzzy Hash: 2d0fcb2ebc498ddb271e533a8ba59f607588d0199c61309196bc3b2e9544c28b
• Instruction Fuzzy Hash: DF217F7160020AAFDB209BA5AD49BEF7B6CEF44721F240354B918E32D0E670DE1986B1
Uniqueness

Uniqueness Score: -1.00%

APIs
• _malloc.LIBCMT ref: 00E109CC
  • Part of subcall function 00E126D1: __FF_MSGBANNER.LIBCMT ref: 00E126EA
  • Part of subcall function 00E126D1: __NMSG_WRITE.LIBCMT ref: 00E126F1
  • Part of subcall function 00E126D1: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00E12716
• std::exception::exception.LIBCMT ref: 00E10A01
• std::exception::exception.LIBCMT ref: 00E10A1B
• __CxxThrowException@8.LIBCMT ref: 00E10A2C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: $$n
• API String ID: 615853336-362473900
• Opcode ID: d8eef1da847ff42fcb9aef0f642848464a7c759645ff61f4c17e916264313841
• Instruction ID: a6bff22942e9c783f922e5104f95fa6472007613e81340b2d4640278b5bea0a5
• Opcode Fuzzy Hash: d8eef1da847ff42fcb9aef0f642848464a7c759645ff61f4c17e916264313841
• Instruction Fuzzy Hash: B461BB7190530AEBEF249F18D846BEE77E5AF4176CF24652AE811B6181D7F08EC0C792
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 00D1BE99
• SetEvent.KERNEL32(?,?,?,?,00E7D068,000000FF,00D1BE6B), ref: 00D1BEB1
• OleUninitialize.OLE32 ref: 00D1BED7
• TlsGetValue.KERNEL32(0000001E,?,?,?,00E7D068,000000FF,00D1BE6B), ref: 00D1BEE7
• TlsSetValue.KERNEL32(0000001E,00000000), ref: 00D1BEFF
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: Value$EventInitializeUninitialize
• String ID:
• API String ID: 566941487-0
• Opcode ID: 3a8f85abadddc11ea8d682bfdb3c4620553c9f6ae52c28cc7d6606879b046a18
• Instruction ID: 8bb1808cd1e39c9d62b8ff635087a4b71bd132e36e52a59a7e87885e505f21ba
• Opcode Fuzzy Hash: 3a8f85abadddc11ea8d682bfdb3c4620553c9f6ae52c28cc7d6606879b046a18
• Instruction Fuzzy Hash: 170175B1604740AFD7109F65EC09B9F76A8FF84B10F044A1AF506D3791DB79E4448B61
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,00000028,00000004(PAGE_READWRITE),00000000,00841CCE,?), ref: 00841A84
• VirtualProtect.KERNELBASE(?,00000028,00000000,00000000), ref: 00841A9B
Strings
Memory Dump Source
• Source File: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: .itext$.text
• API String ID: 544645111-3616233406
• Opcode ID: c2683d5ba7588a07d1f9b2ba2929b93f3c0508b3ce788dbabc7c0ae35f3bc296
• Instruction ID: 6c86d5d0c3f2c591cdd60981b7c1ff6b92f9b42e63cfd7b0522ace6f23dc60d8
• Opcode Fuzzy Hash: c2683d5ba7588a07d1f9b2ba2929b93f3c0508b3ce788dbabc7c0ae35f3bc296
• Instruction Fuzzy Hash: 5C11E176641328AACB20CF948C89ABBB3F8FB04745F114529F942E6141E370E9C4D761
Uniqueness

Uniqueness Score: -1.00%

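The "APIs" lists in these function blocks are the part of the report a triager actually reads, and the raw hex arguments hide the point of each call sequence: in the token block above, GetTokenInformation class 1 is TokenUser (TokenIntegrityLevel is 25 in TOKEN_INFORMATION_CLASS) and IsWellKnownSid type 0x16 is WinLocalSystemSid, so the function asks "is this process running as SYSTEM"; in the VirtualProtect block, 0x04 is PAGE_READWRITE, so 0x28 bytes of image memory are made writable and then restored. The decoder below is an added example, not Joe Sandbox or AnyDesk code: it parses lines in the report's "• Func.MODULE(args), ref: ADDR" format (including the "Part of subcall function" prefix), names the arguments it knows from the winnt.h enums, and flags those two behaviours. The sample lines are copied from the blocks in this report; the enum tables cover only the values I am certain of, and the finding texts are my own labels, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: API trace lines in the Joe Sandbox "APIs" format, copied
# from the function blocks in this report. The parenthesised text after a value is the
# tool's annotation; the decoder works from the numeric value, not from that text.
SAMPLE_TRACE = """\
• GetCurrentProcess.KERNEL32(0000000C,?,0146AAF0,?,0146AAF0), ref: 00D06F36
• OpenProcessToken.ADVAPI32(00000000), ref: 00D06F3D
• GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00D06F62
• GetLastError.KERNEL32 ref: 00D06F68
• CloseHandle.KERNEL32(FFFFFFFF), ref: 00D06F80
• GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenIntegrityLevel),?,00000000,00000000), ref: 00D06FAA
• CloseHandle.KERNELBASE(FFFFFFFF), ref: 00D06FBD
• IsWellKnownSid.ADVAPI32(?,00000016,?,00000000,00000000), ref: 00D06FC8
• _malloc.LIBCMT ref: 00E109CC
  • Part of subcall function 00E126D1: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00E12716
• VirtualProtect.KERNELBASE(?,00000028,00000004,00000000,00841CCE,?), ref: 00841A84
• VirtualProtect.KERNELBASE(?,00000028,00000000,00000000), ref: 00841A9B
"""

# One "• Func.MODULE(args), ref: ADDR" line; the argument list and subcall prefix are optional.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
ARG_RE = re.compile(r"^([0-9A-Fa-f]+)(?:\(.*\))?$")  # hex value plus optional tool annotation

# Enum values from winnt.h / winbase.h, limited to those needed for the traced calls.
TOKEN_INFORMATION_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                           18: "TokenElevationType", 20: "TokenElevation",
                           25: "TokenIntegrityLevel"}
WELL_KNOWN_SID_TYPE = {22: "WinLocalSystemSid", 23: "WinLocalServiceSid",
                       24: "WinNetworkServiceSid", 26: "WinBuiltinAdministratorsSid"}
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# (function, zero-based argument index) -> table that names that argument
ARG_DECODERS = {("GetTokenInformation", 1): TOKEN_INFORMATION_CLASS,
                ("IsWellKnownSid", 1): WELL_KNOWN_SID_TYPE,
                ("VirtualProtect", 2): PAGE_PROTECTION}


def split_args(text: str) -> List[str]:
    """Split on top-level commas only, so '00000001(TokenIntegrityLevel)' stays one argument."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


@dataclass
class ApiCall:
    func: str
    module: str
    ref: str
    args: List[str] = field(default_factory=list)
    subcall: Optional[str] = None  # address of the callee when the line is "Part of subcall function X"

    def arg_value(self, i: int) -> Optional[int]:
        """Numeric value of argument i, or None for '?', a symbol, or a missing argument."""
        if i >= len(self.args):
            return None
        m = ARG_RE.match(self.args[i])
        return int(m.group(1), 16) if m else None

    def decoded_arg(self, i: int) -> Optional[str]:
        """Enum name for argument i when a decoder table exists for (func, i)."""
        table = ARG_DECODERS.get((self.func, i))
        value = self.arg_value(i)
        return table.get(value) if table is not None and value is not None else None


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers such as "Strings" and blank lines
        args = split_args(m["args"]) if m["args"] is not None else []
        calls.append(ApiCall(m["func"], m["module"], m["ref"].upper(), args, m["sub"]))
    return calls


def find_patterns(calls: List[ApiCall]) -> List[str]:
    """Label the two behaviours in the sample: an am-I-SYSTEM check and a page-rights change."""
    findings = []
    funcs = {c.func for c in calls}
    token_classes = {c.decoded_arg(1) for c in calls if c.func == "GetTokenInformation"}
    sid_types = {c.decoded_arg(1) for c in calls if c.func == "IsWellKnownSid"}
    if "OpenProcessToken" in funcs and "TokenUser" in token_classes and "WinLocalSystemSid" in sid_types:
        findings.append("own-token check: TokenUser compared against WinLocalSystemSid")
    for c in calls:
        prot = c.decoded_arg(2)
        if c.func == "VirtualProtect" and prot in ("PAGE_READWRITE", "PAGE_EXECUTE_READWRITE"):
            findings.append(f"VirtualProtect at {c.ref}: {c.arg_value(1):#x} bytes set to {prot}")
    return findings


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for call in calls:
        named = [call.decoded_arg(i) or a for i, a in enumerate(call.args)]
        print(f"{call.ref} {call.func}.{call.module}({', '.join(named)})")
    for finding in find_patterns(calls):
        print("->", finding)
```

The second VirtualProtect passes protection 0, which is not a valid PAGE_* constant; the sandbox did not resolve that argument, so the decoder leaves it unnamed rather than guessing the restored value.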
APIs
• FreeLibrary.KERNELBASE(X,000000FF,00D07870,?), ref: 00D1E973
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1E991
• _free.LIBCMT ref: 00D1E9BB
  • Part of subcall function 00E1168E: HeapFree.KERNEL32(00000000,00000000), ref: 00E116A4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                • Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Free$ErrorHeapLastLibrary_free
                                                                                                                                                                • String ID: X
                                                                                                                                                                • API String ID: 1013596455-1677210272
                                                                                                                                                                • Opcode ID: 507b03e91b13fa8ee087d046895d7b108addfb02f0ab2983d01ac380d109cc91
                                                                                                                                                                • Instruction ID: c97a640b861e617139cfea1c76521134cef496d6ac7a429511cd850d125dcb9a
                                                                                                                                                                • Opcode Fuzzy Hash: 507b03e91b13fa8ee087d046895d7b108addfb02f0ab2983d01ac380d109cc91
                                                                                                                                                                • Instruction Fuzzy Hash: 570162B1504741AFD710EF64E909B9B77E8AB40700F04896CF95593391DB38D588CB63
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(advapi32.dll), ref: 00D1E8E9
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1E909
• _free.LIBCMT ref: 00D1E934
  • Part of subcall function 00E1168E: HeapFree.KERNEL32(00000000,00000000), ref: 00E116A4
Strings
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: ErrorFreeHeapLastLibraryLoad_free
• String ID: advapi32.dll
• API String ID: 1383136612-4050573280
• Opcode ID: 223bcea25bab0a0ad8e8cf4a2d94504a62772f5a54a9ad599df6b38720e91b65
• Instruction ID: 078002d5a481fd51586454f7901d028288b77fa7ff1a307a17b46fb2ae48b3dd
• Opcode Fuzzy Hash: 223bcea25bab0a0ad8e8cf4a2d94504a62772f5a54a9ad599df6b38720e91b65
• Instruction Fuzzy Hash: 610181B0505B81AFD711EF288D0979BBBE8AF40704F444928F895D2352EB38C5488BA3
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,00841B87,?,?,?,00C96000,00844000,00CA6000,?), ref: 00841045
Memory Dump Source
• Source File: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 8ad0bd426fc4e14450ebb4a25b13beb1236773bfd8cb879707df8a141987a14b
• Instruction ID: e98e2b109cc4269cda19c917e40257e0f9026c3401f8a8757fb2e140844db0b8
• Opcode Fuzzy Hash: 8ad0bd426fc4e14450ebb4a25b13beb1236773bfd8cb879707df8a141987a14b
• Instruction Fuzzy Hash: 02416EB1600B09CFDB24CF59C484A66B7F5FF58304B14892EE59AC7A51E375E8C5CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00E2073D
  • Part of subcall function 00E176D1: __getptd_noexit.LIBCMT ref: 00E176D1
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
• Opcode ID: 2eaf5709d96c0259a68e4b8dcaf200888d0fb5c26817683c3473f2078988ca7e
• Instruction ID: 04c5b7e5e048ce39277cd37faa74aecdeb91552ff308d67d5bfd21a55e0f7588
• Opcode Fuzzy Hash: 2eaf5709d96c0259a68e4b8dcaf200888d0fb5c26817683c3473f2078988ca7e
• Instruction Fuzzy Hash: 8101B5352012259FEB29AE65FC44B6B3794AF817B8F10662BE815BB1E1C7B0AC40CF40
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00E18161: __lock.LIBCMT ref: 00E18163
• __onexit_nolock.LIBCMT ref: 00E11152
  • Part of subcall function 00E11053: RtlDecodePointer.NTDLL(01469CA0), ref: 00E11068
  • Part of subcall function 00E11053: RtlDecodePointer.NTDLL ref: 00E11075
  • Part of subcall function 00E11053: __realloc_crt.LIBCMT ref: 00E110B2
  • Part of subcall function 00E11053: __realloc_crt.LIBCMT ref: 00E110C8
  • Part of subcall function 00E11053: RtlEncodePointer.NTDLL(00000000), ref: 00E110DA
  • Part of subcall function 00E11053: RtlEncodePointer.NTDLL(88735C9C), ref: 00E110EE
  • Part of subcall function 00E11053: RtlEncodePointer.NTDLL(-00000004), ref: 00E110F6
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
• String ID:
• API String ID: 3536590627-0
• Opcode ID: 2e812334e33a4df77136caf6309eebbb7945f30251d141a119cbd37a83934613
• Instruction ID: bde8802ab738e08cedd4618d1580e245006893eda1e80ee4a61a9418bae2b5fa
                                                                                                                                                                • Opcode Fuzzy Hash: 2e812334e33a4df77136caf6309eebbb7945f30251d141a119cbd37a83934613
                                                                                                                                                                • Instruction Fuzzy Hash: F2D05E75E01308AADB10BBB4C802BCEBBF06F04360F609144F125762D2CF740BC18A80
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,00841CD9,?,?), ref: 00841E44
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                                                                                                • Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                                • Opcode ID: f9fe287b7d84a714d1e327fc389922b7754f75f57adc49133daeb58e72cccf93
                                                                                                                                                                • Instruction ID: 7c624021dce8dc7f20c11a98309ae330e37f9f215adba8f27a38b73cc0698a8f
                                                                                                                                                                • Opcode Fuzzy Hash: f9fe287b7d84a714d1e327fc389922b7754f75f57adc49133daeb58e72cccf93
                                                                                                                                                                • Instruction Fuzzy Hash: A0C04835225201AFEE91AB98D888F497BE4AB8A712F068081F209DB2A6D63099409F11
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 00E1B320
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                                                                                                • Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: EncodePointer
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2118026453-0
                                                                                                                                                                • Opcode ID: d940b0dce2c8908dbed1e49d9a04c0a827a99c1ca55c51530f9dba6fcb658c39
                                                                                                                                                                • Instruction ID: 0b5ee3d820ec2b68e6c987c8c31886f4177294c4039971afce55a5a08ab4fcc4
                                                                                                                                                                • Opcode Fuzzy Hash: d940b0dce2c8908dbed1e49d9a04c0a827a99c1ca55c51530f9dba6fcb658c39
                                                                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00841E5A
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                                                                                                • Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: FreeHeap
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3298025750-0
                                                                                                                                                                • Opcode ID: 67a6c1353ff4b68b70334f12a03d7c633f60de99ab589fc78e246d43a9f3eb96
                                                                                                                                                                • Instruction ID: 486b7f980b9ea2ccd18870786d1af7f6f1703f295631572ba7197b08b5f12b45
                                                                                                                                                                • Opcode Fuzzy Hash: 67a6c1353ff4b68b70334f12a03d7c633f60de99ab589fc78e246d43a9f3eb96
                                                                                                                                                                • Instruction Fuzzy Hash: B5C08C32014212EFCF505F94E80CEC6BFA4EF48321F028440F24897071C3309881CF50
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 00D1E8D0: LoadLibraryW.KERNEL32(advapi32.dll), ref: 00D1E8E9
                                                                                                                                                                  • Part of subcall function 00D1E8D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1E909
                                                                                                                                                                  • Part of subcall function 00D1E8D0: _free.LIBCMT ref: 00D1E934
                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken,0146AAF0,FFFFFFFF,00D07020), ref: 0084ACB6
                                                                                                                                                                • GetProcAddress.KERNEL32(0084A4C0,WTSRegisterSessionNotification,0146AAF0,FFFFFFFF,00D07020), ref: 0084ACD0
                                                                                                                                                                • GetProcAddress.KERNEL32(0084A4C0,WTSUnRegisterSessionNotification,0146AAF0,FFFFFFFF,00D07020), ref: 0084ACEA
                                                                                                                                                                • GetProcAddress.KERNEL32(0086B390,WTSEnumerateServersW,0146AAF0,FFFFFFFF,00D07020), ref: 0084AD04
                                                                                                                                                                • GetProcAddress.KERNEL32(008510D0,WTSEnumerateSessionsW,0146AAF0,FFFFFFFF,00D07020), ref: 0084AD1E
                                                                                                                                                                • GetProcAddress.KERNEL32(008510D0,WTSQuerySessionInformationW,0146AAF0,FFFFFFFF,00D07020), ref: 0084AD38
                                                                                                                                                                • GetProcAddress.KERNEL32(008510D0,WTSFreeMemory,0146AAF0,FFFFFFFF,00D07020), ref: 0084AD52
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                                                                                                • Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                • Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
                                                                                                                                                                Similarity
• API ID: AddressProc$ErrorLastLibraryLoad_free
• String ID: WTSEnumerateServersW$WTSEnumerateSessionsW$WTSFreeMemory$WTSQuerySessionInformationW$WTSQueryUserToken$WTSRegisterSessionNotification$WTSUnRegisterSessionNotification$wtsapi32.dll
• API String ID: 1327587910-3108672682
• Opcode ID: 09221e119a041e3528797ec122bd915c8e4aa11daa282c849823c35e5a8305f0
• Instruction ID: 5c455d1623d674d66fc7fda02663d8258969cb7f3dbbd45d75d1545f41543fc2
• Opcode Fuzzy Hash: 09221e119a041e3528797ec122bd915c8e4aa11daa282c849823c35e5a8305f0
• Instruction Fuzzy Hash: 7F215E70F8030BABAB949E7A8D40F13ABD8FF10B853000479AD18EB644E761DC518BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• TlsAlloc.KERNEL32(00CAF9D7,00000000,?,00CF16BA,?,?,?,00E7D068,000000FF,00D1BE6B), ref: 00CAF8B9
• TlsGetValue.KERNEL32(0000001E,?,00CAF9D7,00000000,?,00CF16BA,?,?,?,00E7D068,000000FF,00D1BE6B), ref: 00CAF8D1
• GetLastError.KERNEL32(?,00CF16BA,?,?,?,00E7D068,000000FF,00D1BE6B), ref: 00CAF8DD
• _memset.LIBCMT ref: 00CAF909
• TlsSetValue.KERNEL32(0000001E,00000000), ref: 00CAF918
Strings
• Please contact support@anydesk.com (B), xrefs: 00CAF8E7
• Please contact support@anydesk.com (A), xrefs: 00CAF8C9
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: Value$AllocErrorLast_memset
• String ID: Please contact support@anydesk.com (A)$Please contact support@anydesk.com (B)
• API String ID: 4091103580-43624127
• Opcode ID: ebc464afa86a7e62ba2572eb5d843be7e67df8c92c8833783612ff7306b5c12f
• Instruction ID: 87f24aeb30eb88e588ceee81d117ea5f08b221c09d386f1c304abd1e18a80682
• Opcode Fuzzy Hash: ebc464afa86a7e62ba2572eb5d843be7e67df8c92c8833783612ff7306b5c12f
• Instruction Fuzzy Hash: 9301D6B1A022216FE63067B97C09BCB3AD4AF46769B050221F911F73A4D378CD8686D0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __getptd.LIBCMT ref: 00E1B2B1
  • Part of subcall function 00E1B50B: __getptd_noexit.LIBCMT ref: 00E1B50E
  • Part of subcall function 00E1B50B: __amsg_exit.LIBCMT ref: 00E1B51B
• __getptd.LIBCMT ref: 00E1B2C8
• __amsg_exit.LIBCMT ref: 00E1B2D6
• __lock.LIBCMT ref: 00E1B2E6
• __updatetlocinfoEx_nolock.LIBCMT ref: 00E1B2FA
Memory Dump Source
• Source File: 00000001.00000002.1386691662.0000000000846000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000001.00000002.1386664274.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386670409.0000000000841000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1386686201.0000000000845000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1388231836.0000000000EBE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1389925025.00000000013C2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.000000000146A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390217707.0000000001470000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390234279.0000000001474000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390249455.0000000001475000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390304953.00000000014EA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1390310943.00000000014EB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1391496657.00000000018B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_840000_AnyDesk.jbxd
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 18146ff3a776b9ad8427792fdd1be65e8a28b5861a32e94d11d83c80eaa0193c
• Instruction ID: 40652f7b065ca047115ae3c9988ce406edcc6b464a81dd76570a760914cc8ffa
• Opcode Fuzzy Hash: 18146ff3a776b9ad8427792fdd1be65e8a28b5861a32e94d11d83c80eaa0193c
• Instruction Fuzzy Hash: 9DF09A329006149ADB31BBA89843BCE72E0AF00728F14610AF425BB2E2CF7459C0DB96
Uniqueness

Uniqueness Score: -1.00%