Edit tour

Windows Analysis Report
livechat.exe

Overview

General Information

Sample Name:	livechat.exe
Analysis ID:	1291241
MD5:	30c9c57aa570088d745fac7bfd05b805
SHA1:	d579d18848859614e219afa6332d410e0ca71fc3
SHA256:	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383
Infos:

Detection

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Connects to many ports of the same IP (likely port scanning)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Found evasive API chain checking for process token information

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

livechat.exe (PID: 7020 cmdline: C:\Users\user\Desktop\livechat.exe MD5: 30C9C57AA570088D745FAC7BFD05B805)

livechat.exe (PID: 1412 cmdline: "C:\Users\user\Desktop\livechat.exe" --local-service MD5: 30C9C57AA570088D745FAC7BFD05B805)

livechat.exe (PID: 2084 cmdline: "C:\Users\user\Desktop\livechat.exe" --local-control MD5: 30C9C57AA570088D745FAC7BFD05B805)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: livechat.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 49.12.130.236:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 141.95.145.210:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 57.128.101.77:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.229.191.44:443 -> 192.168.2.3:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.229.191.44:443 -> 192.168.2.3:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.223.88.41:443 -> 192.168.2.3:49791 version: TLS 1.2

Source: livechat.exe

Static PE information: certificate valid

Source: livechat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: livechat.exe, 00000000.00000000.358547188.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000001.00000000.364866761.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887829452.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: SAS.pdbR source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: SAS.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 141.95.145.210 ports 443,5,6,8,6568,80
Source: global traffic	TCP traffic: 92.223.88.41 ports 443,5,6,8,6568,80

Source: Joe Sandbox View

ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese

Source: Joe Sandbox View

JA3 fingerprint: c91bde19008eefabce276152ccd51457

Source: Joe Sandbox View	IP Address: 185.229.191.44 185.229.191.44
Source: Joe Sandbox View	IP Address: 92.223.88.41 92.223.88.41

Source: global traffic	TCP traffic: 192.168.2.3:49721 -> 141.95.145.210:6568
Source: global traffic	TCP traffic: 192.168.2.3:49742 -> 92.223.88.41:6568
Source: global traffic	TCP traffic: 192.168.2.3:49793 -> 57.128.101.77:6568

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443

Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ equals www.facebook.com (Facebook)
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/{ equals www.facebook.com (Facebook)
Source: livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source= equals www.linkedin.com (Linkedin)
Source: livechat.exe, 00000002.00000002.891301393.00000000034BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: f=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it% equals www.linkedin.com (Linkedin)
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hare.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source=er equals www.linkedin.com (Linkedin)
Source: livechat.exe, 00000000.00000003.363505553.000000000363B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hare.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source=io equals www.linkedin.com (Linkedin)
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/# equals www.facebook.com (Facebook)
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/1 equals www.facebook.com (Facebook)
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/m equals www.facebook.com (Facebook)
Source: livechat.exe, 00000002.00000002.891193868.0000000003497000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.000000000348D000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372503777.0000000003494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.compE equals www.facebook.com (Facebook)
Source: livechat.exe, 00000002.00000002.891193868.0000000003497000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.000000000348D000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372503777.0000000003494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: livechat.exe, 00000000.00000003.364166802.0000000004101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado/1.A
Source: livechat.exe, 00000000.00000003.364166802.0000000004101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g.A
Source: livechat.exe, 00000000.00000003.364166802.0000000004101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cobj.A
Source: livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://support.anydesk.com
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.opengl.org/registry/
Source: livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/)
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com
Source: livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com/
Source: livechat.exe, 00000000.00000003.363324246.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371780742.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371889516.00000000034C1000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371814714.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371728310.0000000003482000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371830303.00000000034BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/0
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/company#imprint
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/company#imprintre
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/contact/sales
Source: livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com/contact/sales)
Source: livechat.exe, 00000000.00000003.363324246.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/ialsdr
Source: livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com/order
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/order5
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/pricing/teams
Source: livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com/pricing/teams)
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/pricing/teamsy
Source: livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com/privacy
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://anydesk.com/t
Source: livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com/terms
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://anydesk.com/update
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://boot-01.net.anydesk.com
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://boot-01.net.anydesk.comn
Source: livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://boot.net.anydesk.com
Source: livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://boot.net.anydesk.com/
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://console-ui.myanydesk2.on.anydesk.com
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://console-ui.myanydesk2.on.anydesk.comd9
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://console-ui.myanydesk2.on.anydesk.comrd
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.anydesk.com
Source: livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/
Source: livechat.exe, 00000002.00000003.372503777.0000000003494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.anydesk.com/$
Source: livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/HelpLinkInstallLocationAnyDesk
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/access
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/backup-alias
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.anydesk.com/en/anydesk-on-macos
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.anydesk.com/en/anydesk-on-macos..
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.anydesk.com/en/anydesk-on-macoss
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/it/abuse
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/it/android
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/it/android-battery
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/lt/abuse
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/lt/android
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/lt/android-battery
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/share
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://help.anydesk.com/wol
Source: livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://java.sun.com
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.anydesk.com
Source: livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://my.anydesk.com/password-generator.
Source: livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.anydesk.com/v2
Source: livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://order.anydesk.com/trial
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://order.anydesk.com/trial4
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://policies.google.com/privacy
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/privacy?hl=$
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://policies.google.com/privacy?hl=it
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.anydesk.com/
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.anydesk.com/AnyDesk_on_macOS
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/account-migration
Source: livechat.exe, 00000002.00000002.891495956.0000000003C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/account-migration.
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/account-migrationF
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/anydesk-account
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/anydesk-accountn
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000000.00000003.363600146.0000000003651000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372289549.0000000003CC2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/anydesk-for-android-chromeos#troubleshooting
Source: livechat.exe, 00000002.00000002.891276529.00000000034B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/anydesk-for-android-chromeos#troubleshooting2L
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.891301393.00000000034BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/my-anydesk-ii#user-management
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.000000000348D000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372598863.0000000003499000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372503777.0000000003494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.anydesk.com/knowledge/users
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/home?status=Do%20you%20know%20%23AnyDesk?%20AnyDesk%20is%20a%20small%20and%20qui
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.891301393.00000000034BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/$
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/intl/it/chrome/privacy/eula_text.html
Source: livechat.exe, 00000000.00000003.363505553.000000000363B000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.891301393.00000000034BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Rem
Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.nayuki.io/page/qr-code-generator-library

Source: unknown

DNS traffic detected: queries for: boot.net.anydesk.com

Source: unknown	HTTPS traffic detected: 49.12.130.236:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 141.95.145.210:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 57.128.101.77:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.229.191.44:443 -> 192.168.2.3:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.229.191.44:443 -> 192.168.2.3:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.223.88.41:443 -> 192.168.2.3:49791 version: TLS 1.2

Source: livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectDrawCreateEx

Source: livechat.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\livechat.exe

Code function: 0_2_00172DFD

0_2_00172DFD

Source: livechat.exe

Static PE information: No import functions for PE file found

Source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesas.dllj% vs livechat.exe
Source: livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesas.dllj% vs livechat.exe

Source: C:\Users\user\Desktop\livechat.exe

File read: C:\Users\user\Desktop\livechat.exe

Jump to behavior

Source: livechat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\livechat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\livechat.exe C:\Users\user\Desktop\livechat.exe
Source: C:\Users\user\Desktop\livechat.exe	Process created: C:\Users\user\Desktop\livechat.exe "C:\Users\user\Desktop\livechat.exe" --local-service
Source: C:\Users\user\Desktop\livechat.exe	Process created: C:\Users\user\Desktop\livechat.exe "C:\Users\user\Desktop\livechat.exe" --local-control
Source: C:\Users\user\Desktop\livechat.exe	Process created: C:\Users\user\Desktop\livechat.exe "C:\Users\user\Desktop\livechat.exe" --local-service	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Process created: C:\Users\user\Desktop\livechat.exe "C:\Users\user\Desktop\livechat.exe" --local-control	Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\livechat.exe

File created: C:\Users\user\AppData\Roaming\AnyDesk

Jump to behavior

Source: classification engine

Classification label: mal54.troj.evad.winEXE@5/6@18/6

Source: C:\Users\user\Desktop\livechat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_7020_1130025738_1_mtx
Source: C:\Users\user\Desktop\livechat.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2084_1165741326_0_mtx
Source: C:\Users\user\Desktop\livechat.exe	Mutant created: \Sessions\1\BaseNamedObjects\Session\1\ad_connect_queue_1412_1159131313_mtx
Source: C:\Users\user\Desktop\livechat.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_7113_lsystem_mtx
Source: C:\Users\user\Desktop\livechat.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_7020_1130025738_0_mtx
Source: C:\Users\user\Desktop\livechat.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_trace_mtx
Source: C:\Users\user\Desktop\livechat.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2084_1165741326_1_mtx

Source: C:\Users\user\Desktop\livechat.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: livechat.exe

Static file information: File size 4040776 > 1048576

Source: livechat.exe

Static PE information: certificate valid

Source: livechat.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x3ce200

Source: livechat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: livechat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: livechat.exe, 00000000.00000000.358547188.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000001.00000000.364866761.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887829452.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: SAS.pdbR source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: SAS.pdb source: livechat.exe, 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.887268972.0000000000CF6000.00000004.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\livechat.exe	Unpacked PE file: 0.2.livechat.exe.170000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\livechat.exe	Unpacked PE file: 1.2.livechat.exe.170000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\livechat.exe	Unpacked PE file: 2.2.livechat.exe.170000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\livechat.exe

Code function: 1_2_0074C415 push ecx; ret

1_2_0074C428

Source: C:\Users\user\Desktop\livechat.exe

Code function: 1_2_0075A6C7 LoadLibraryW,GetProcAddress,GetProcAddress,RtlEncodePointer,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

1_2_0075A6C7

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\livechat.exe

File opened: C:\Users\user\Desktop\livechat.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\livechat.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\livechat.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\livechat.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\livechat.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE

Source: C:\Users\user\Desktop\livechat.exe TID: 5944	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 5944	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 1220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 6876	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 1276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 4804	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 5124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe TID: 6876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-2788

Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-2815

Source: C:\Users\user\Desktop\livechat.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\livechat.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard

Source: C:\Users\user\Desktop\livechat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: livechat.exe, 00000002.00000002.890733928.000000000176C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: livechat.exe, 00000001.00000002.890636886.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.537385613.000000000176F000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.601504792.000000000176F000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.678628531.000000000176F000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.679243885.0000000001773000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.833747901.000000000176A000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.833817552.0000000001779000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.679441069.000000000176D000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.833774946.0000000001773000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.506539831.0000000001768000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\livechat.exe

Code function: 1_2_007538F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_007538F9

Source: C:\Users\user\Desktop\livechat.exe

1_2_0075A6C7

Source: C:\Users\user\Desktop\livechat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe	Code function: 1_2_007538F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_007538F9
Source: C:\Users\user\Desktop\livechat.exe	Code function: 1_2_0074AAED _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_0074AAED

Source: C:\Users\user\Desktop\livechat.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\livechat.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\livechat.exe

Code function: 1_2_005E4B20 _vswprintf_s,WaitForSingleObject,OutputDebugStringA,_strncmp,_strncmp,_strncpy,_strncpy,GetSystemTime,TlsGetValue,__itow,GetCurrentThreadId,GetCurrentProcessId,__snprintf,SetFilePointer,SetFilePointer,ReadFile,_memmove,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,WriteFile,RtlEnterCriticalSection,RaiseException,

1_2_005E4B20

Source: livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\192.168.2.1\all\procexp.exe
Source: livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "c:\users\user\desktop\procexp.exe

Source: livechat.exe, 00000002.00000002.890646627.000000000158B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: b44b97caebbcaac9745bd6b5822bd03ee298d6bfrelease/win_7.1.xcc0bc82657f3409854116e83c8d7018c
Source: livechat.exe, 00000002.00000002.890646627.000000000158B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: release/win_7.1.x
Source: livechat.exe, 00000002.00000002.887829452.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: .itext.text.customcc0bc82657f3409854116e83c8d7018crelease/win_7.1.xb44b97caebbcaac9745bd6b5822bd03ee298d6bf

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	421 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	431 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	331 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	331 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	134 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
livechat.exe	0%	Virustotal		Browse
livechat.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://java.sun.com	0%	URL Reputation	safe
https://console-ui.myanydesk2.on.anydesk.comrd	0%	Avira URL Cloud	safe
http://ns.adobe.cobj.A	0%	Avira URL Cloud	safe
http://ns.ado/1.A	0%	Avira URL Cloud	safe
http://ns.adobe.c/g.A	0%	Avira URL Cloud	safe
https://console-ui.myanydesk2.on.anydesk.comd9	0%	Avira URL Cloud	safe
https://boot-01.net.anydesk.comn	0%	Avira URL Cloud	safe
https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
boot.net.anydesk.com	49.12.130.236	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://support.anydesk.com/knowledge/anydesk-accountn	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/knowledge/users	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.000000000348D000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372598863.0000000003499000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372503777.0000000003494000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
http://ns.adobe.cobj.A	livechat.exe, 00000000.00000003.364166802.0000000004101000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anydesk.com/ialsdr	livechat.exe, 00000000.00000003.363324246.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/order5	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://order.anydesk.com/trial	livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/update	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.html	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.google.com/intl/$	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.891301393.00000000034BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/en/anydesk-on-macos..	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/knowledge/anydesk-for-android-chromeos#troubleshooting2L	livechat.exe, 00000002.00000002.891276529.00000000034B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/lt/abuse	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/lt/android-battery	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://console-ui.myanydesk2.on.anydesk.comrd	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.anydesk.com/en/anydesk-on-macos	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://my.anydesk.com	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/it/abuse	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/it/android-battery	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://twitter.com/home?status=Do%20you%20know%20%23AnyDesk?%20AnyDesk%20is%20a%20small%20and%20qui	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://boot.net.anydesk.com/	livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/knowledge/my-anydesk-ii#user-management	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.891301393.00000000034BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/	livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/privacy	livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://datatracker.ietf.org/ipr/1526/	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.nayuki.io/page/qr-code-generator-library	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://policies.google.com/privacy?hl=it	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://policies.google.com/privacy?hl=$	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://boot-01.net.anydesk.comn	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.anydesk.com	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/AnyDesk_on_macOS	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/pricing/teamsy	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://boot.net.anydesk.com	livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/pricing/teams	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/0	livechat.exe, 00000000.00000003.363324246.0000000003DDF000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371780742.00000000034A5000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371889516.00000000034C1000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371814714.00000000034B8000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371728310.0000000003482000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371830303.00000000034BD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/ipr/1914/	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/terms	livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/company#imprintre	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/knowledge/account-migration	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/intl/it/chrome/privacy/eula_text.html	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/order	livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/backup-alias	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/contact/sales	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/it/android	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://order.anydesk.com/trial4	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://my.anydesk.com/password-generator.	livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/	livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.anydesk.com/knowledge/anydesk-for-android-chromeos#troubleshooting	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000000.00000003.363600146.0000000003651000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372289549.0000000003CC2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opengl.org/registry/	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/contact/sales)	livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/lt/android	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/wol	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/$	livechat.exe, 00000002.00000003.372503777.0000000003494000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobe.c/g.A	livechat.exe, 00000000.00000003.364166802.0000000004101000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.anydesk.com/knowledge/account-migrationF	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Rem	livechat.exe, 00000000.00000003.363505553.000000000363B000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000002.891301393.00000000034BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://console-ui.myanydesk2.on.anydesk.com	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
http://support.anydesk.com	livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/en/anydesk-on-macoss	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.ado/1.A	livechat.exe, 00000000.00000003.364166802.0000000004101000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://anydesk.com/t	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/HelpLinkInstallLocationAnyDesk	livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://boot-01.net.anydesk.com	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://java.sun.com	livechat.exe, 00000002.00000002.890733928.000000000172B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datatracker.ietf.org/ipr/1524/	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://my.anydesk.com/v2	livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
https://policies.google.com/privacy	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/company#imprint	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/)	livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://anydesk.com/pricing/teams)	livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.anydesk.com/knowledge/account-migration.	livechat.exe, 00000002.00000002.891495956.0000000003C60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://console-ui.myanydesk2.on.anydesk.comd9	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.anydesk.com/access	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://help.anydesk.com/share	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false		high
https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid	livechat.exe, 00000000.00000003.360203051.00000000019A7000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmp, livechat.exe, 00000002.00000002.886574670.00000000007EE000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://support.anydesk.com/knowledge/anydesk-account	livechat.exe, 00000002.00000003.372658121.00000000034C2000.00000004.00000020.00020000.00000000.sdmp, livechat.exe, 00000002.00000003.371987019.0000000003444000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.229.191.44	unknown	Czech Republic	60068	CDN77GB	false
141.95.145.210	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
92.223.88.41	unknown	Austria	199524	GCOREAT	true
57.128.101.77	unknown	Belgium	2686	ATGS-MMD-ASUS	false
49.12.130.236	boot.net.anydesk.com	Germany	24940	HETZNER-ASDE	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1291241
Start date and time:	2023-08-15 06:33:58 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	livechat.exe
Detection:	MAL
Classification:	mal54.troj.evad.winEXE@5/6@18/6
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, eudb.ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:34:58	API Interceptor	4x Sleep call for process: livechat.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.229.191.44	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk-CM.msi	Get hash	malicious	Unknown	Browse
	AnyDesk (2).exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	https://anydesk.com/en/downloads/windows?dv=win_exe	Get hash	malicious	Unknown	Browse
	AnyDesk(1).msi	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	Microsoft.exe	Get hash	malicious	Unknown	Browse
	http://anydesk.com	Get hash	malicious	Unknown	Browse
	https://ms94.yolasite.com/	Get hash	malicious	Unknown	Browse
141.95.145.210	AnyDesk.exe	Get hash	malicious	Unknown	Browse
141.95.145.210	AnyDesk-CM.msi	Get hash	malicious	Unknown	Browse
92.223.88.41	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	https://download.anydesk.com/AnyDesk.exe	Get hash	malicious	Unknown	Browse
	Microsoft.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	1.msi	Get hash	malicious	Unknown	Browse
	sJ9Q8UWMAX.exe	Get hash	malicious	CryptOne, Mofksys	Browse
	AnyDesk (5).exe	Get hash	malicious	Unknown	Browse
	AnyDesk (4).exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Vidar	Browse
	AnyDesk (1).exe	Get hash	malicious	Unknown	Browse
	Vostel-Anydesk.EXE	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
boot.net.anydesk.com	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.39
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	49.12.130.236
	https://download.anydesk.com/AnyDesk.exe	Get hash	malicious	Unknown	Browse	92.223.88.232
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.39
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	49.12.130.236
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.44
	92f25a21-b9c1-4aee-af3e-cacf098605e9	Get hash	malicious	Unknown	Browse	185.229.191.41
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	49.12.130.236
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	49.12.130.235
	https://anydesk.com/en/downloads/windows?dv=win_exe	Get hash	malicious	Unknown	Browse	49.12.130.237
	migrate.120.exe	Get hash	malicious	DCRat, EICAR	Browse	49.12.130.235
	AnyDesk.msi	Get hash	malicious	Unknown	Browse	185.229.191.39
	AnyDesk(1).msi	Get hash	malicious	Unknown	Browse	185.229.191.44
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.44

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CDN77GB	https://oum70ety43p8lqn9qdsa.xk7O.ru/e9N7i5D/#	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://mymanatee523952ob3lb4.us4.list-manage.com/pages/track/click?u=62fca54c7a62f8cd2c72ce64b&id=39101783ea#ZHJldy5yaWNo=YXJkc29uQG15bWFuYXRlZS5vcmc	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://gcgaming109338hen4af.us4.list-manage.com/pages/track/click?u=62fca54c7a62f8cd2c72ce64b&id=39101783ea#YXBlcm9AZ2NnYW1pbmcuY29t	Get hash	malicious	Unknown	Browse	89.187.165.194
	ATT00001.htm	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://mscfyd.com/anna@gtv.is	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://mscfyd.com/Manna@gtv.is	Get hash	malicious	Unknown	Browse	89.187.165.194
	http://gtadvogados.adv.br/wp-content/intc/Lockton/anna@gtv.is	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://protect-eu.mimecast.com/s/1y1nCNk5JU0gqz3FmcpNK?domain=docs.google.com	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://mfb.social/p/help/	Get hash	malicious	Unknown	Browse	185.59.220.198
	http://23.227.38.74	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://gem.godaddy.com/signups/activate/MS0tTzJxZTE0RlhMQ1Q5YmptTkMzUXpPVmVqQ3dNSWRCSkk2ZGFSV21QelRSTkxyd2ozbHdzNnUwL0RMZkdCeG1kenIvaHY4dFlES0Q3Z1E2V0orcGtwLS1CUjJvYjh4KzQxd3F4bG1ULS1KcWE5QXpWVHVSRWo3R3ZOSUk5aWVnPT0=?signup=6814397#Y2FtQHRlZ25hLmNvbQ==	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=5I2iZQWmvUybZ6s7wcPz5hrapHcDl9lKlw-S-E9DpeBUMjI0QkVFNk5LWlQ0R1EyQU84VllVMVJaSy4u	Get hash	malicious	Unknown	Browse	89.187.165.194
	Employee Handbook Danfoss English z37Hzs7NOVbFLml.htm	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://watermelon17542124.brizy.site/	Get hash	malicious	Unknown	Browse	89.187.165.194
	VM_9837.html	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=-eK-DtogK06HnOwppjrv8BC8M430uFZEnx6scJx_P9xUN0RRU1ZQUDNQRTlRSERURDNPTlJMMkNNVC4u	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://www.linkedin.com/slink?code=g2XSBZvU#a2F0ZS5lbWVydG9uQHRvcHNob3AuY29t	Get hash	malicious	Phisher	Browse	89.187.165.194
	tgmap.exe	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://www.linkedin.com/slink?code=dnKMge7n#ZHN1cHBsZUBoYWFzdGNtLmNvbQ==	Get hash	malicious	Unknown	Browse	89.187.165.194
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	http://du.greenpee.cc/34546de4235m342356?affsub2=S6k&st=8/14/2023%203:19:37%20AM	Get hash	malicious	Unknown	Browse	141.95.33.111
	imagine-produs-103c3g45d4e2d22c19d3f47611e2e.BAT.bat	Get hash	malicious	Unknown	Browse	141.95.98.64
	http://pool.supportxmr.com	Get hash	malicious	Unknown	Browse	141.94.96.71
	TI.docx	Get hash	malicious	Unknown	Browse	141.94.161.190
	TI.docx	Get hash	malicious	Unknown	Browse	141.94.171.215
	uXINBnIov8.elf	Get hash	malicious	Mirai	Browse	141.65.229.95
	rOtpAxzBT7.elf	Get hash	malicious	Mirai	Browse	137.252.83.128
	Q97881Kjjf.elf	Get hash	malicious	Mirai	Browse	149.203.162.67
	TI.docx	Get hash	malicious	Unknown	Browse	141.95.171.140
	TI.docx	Get hash	malicious	Unknown	Browse	141.95.171.141
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	141.76.151.212
	SbuBAP1Hxv.elf	Get hash	malicious	Mirai	Browse	212.201.52.224
	sora.arm.elf	Get hash	malicious	Mirai	Browse	141.35.98.98
	TB3LA1ldVD.elf	Get hash	malicious	Mirai	Browse	141.50.255.17
	pandora.arm.elf	Get hash	malicious	Mirai	Browse	141.60.54.45
	pandora.arm7.elf	Get hash	malicious	Mirai	Browse	141.88.148.213
	pandora.x86.elf	Get hash	malicious	Mirai	Browse	192.35.112.123
	1T5YhT23m5.elf	Get hash	malicious	Mirai	Browse	141.61.172.144
	UbgNcmvwa4.elf	Get hash	malicious	Mirai	Browse	139.21.213.64
	BSxfRBA1xH.elf	Get hash	malicious	Mirai	Browse	141.55.67.113

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
c91bde19008eefabce276152ccd51457	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	https://download.anydesk.com/AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk (2).exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk (2).exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	92f25a21-b9c1-4aee-af3e-cacf098605e9	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk(1).msi	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	141.95.145.210 185.229.191.44 49.12.130.236 92.223.88.41 57.128.101.77

Process:	C:\Users\user\Desktop\livechat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	68406
Entropy (8bit):	4.322258997167994
Encrypted:	false
SSDEEP:	384:wn2wgNVmd1GgwuW0FUop4X2/LnXNe5z6hDSKSSg+HOE6Qn7eWTsbAwb:wVgN0dKopLG8Q0O8jIb
MD5:	AFABB21A7A17F500A879F8D23DD85F7A
SHA1:	6FFF9C712B71F2ACB8830B96B2867FB3480617DF
SHA-256:	88E846857803356AE3AD313E223D2C7225D676B1DF8FB6AA2A91C6BC0E90A26A
SHA-512:	C64468E570B6F8E73FD43A266C42C0A3B49B38AE9A67DC932B97FF023263AB8860ED5CBEDED328B0D7399569A30E79850211F5DF03FA834A4E4F8A452486BF17
Malicious:	false
Reputation:	low
Preview:	* * * * * * * * * * * * * * * * * .. info 2023-08-15 13:34:51.161 front 7020 5800 main - AnyDesk Windows Startup .. info 2023-08-15 13:34:51.161 front 7020 5800 main - Version 7.1.13 (release/win_7.1.x b44b97caebbcaac9745bd6b5822bd03ee298d6bf).. info 2023-08-15 13:34:51.161 front 7020 5800 main - * Checksum cc0bc82657f3409854116e83c8d7018c.. info 2023-08-15 13:34:51.161 front 7020 5800 main - * Build 20230627141804.. info 2023-08-15 13:34:51.161 front 7020 5800 main - * Copyright (C) 2023 AnyDesk Software GmbH *.. info 2023-08-15 13:34:51.161 front 7020 5800 main - .. info 2023-08-15 13:34:51.161 front 7020 5800 main - Command Line params: "C:\Users\user\Desktop\livechat.exe"

C:\Users\user\AppData\Roaming\AnyDesk\service.conf

Download File

Process:	C:\Users\user\Desktop\livechat.exe
File Type:	ASCII text, with very long lines (1747)
Category:	dropped
Size (bytes):	2762
Entropy (8bit):	6.027982936884784
Encrypted:	false
SSDEEP:	48:uISToqiCW6fILg/PeA6Zx5HuEnvjvUWV5GU4EAPGnyhOq08T6qkSK2Elw5DiVua4:uISTDiCbwLg/PeA6ZPuav7DV5f4EAOnY
MD5:	C97504664035E7D32A8E0DF4A5216A0B
SHA1:	A9CB853B973C70C0794BB81D1911EA9C1D3834A0
SHA-256:	DCED05FA418D83179C43E87B5D91E16F4D8A71D1F036AE92847F96EAA8E31769
SHA-512:	A41FB7FC871A5B3B19AF94B0C403C421F65D1DB0009E3AB1FB190F23701B557D6A618E3C195D0B892454E63F861C8946D32141BC2233B0BA881C87ED9FA10D51
Malicious:	false
Reputation:	low
Preview:	ad.anynet.cert=-----BEGIN CERTIFICATE-----\nMIICqDCCAZACAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOQW55RGVzayBD\nbGllbnQwIBcNMjMwODE1MTMzNDU3WhgPMjA3MzA4MDIxMzM0NTdaMBkxFzAVBgNV\nBAMMDkFueURlc2sgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAqFJcSklt73Nmv29s3Tm2Fm9Ev70uF7MZMi8poYUim2mBejR3OKrlcYuprgT5\n6LxxgJgEyFuX7IYm7lSM0J9oWbZsuVJg+x4Uydl7AvTuW6QfKqLKvk5YsH5tgO1e\n0cIAOjBU7ft6edXcDqFRm/Rx01AzJ/hMNa5TK97KOANM58TWa2n9WNYT57FlSZZN\nQST+8uNLKPFdFWmQa8lTUZY4dAluhjw+ccJiSD7k2Sj9r0gWyXgqlYFs+BJl8InA\nx+rXYGObqyyAuqTEGmFhHQc5dVZW6PBv+LgLZltlB6Evi/TFL7FygZrE35jOFqZV\nysNPdbA/0go44W9HBMx75O1GlQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBn2SMj\nxy0LyjMlZNjuJr5L50V7R6nohLY7Ko+9snUF11L0rjQ2yXYgWHvFdLcuytrhY/UU\nKP+wGy7OH4fluL639t2mPE1gqLQzthMeQrFBsDWKUvrjl0M+jY7xafu8koq0jwT+\nq67mfyZbLRVa2MM8xHjfRRtOsUoxmUlpdLsDRaBsIB+kQw5PB7LdmNkTHeckDH+F\nBjFz9sri8goaHYFBqlZB0t6Bv4oO4l0R+NDGxt2r5lWY0Bp6SVh6BLLgd3CuJ4fU\nAwFcib74DhLxN8ZiEONJYoY31e3Ls2NFjYbKJGob06pT7EeW/tiv+e4ASEDfK+vx\nwQ4rJz2K4LhnlPwf\n-----END CERTI

C:\Users\user\AppData\Roaming\AnyDesk\system.conf

Download File

Process:	C:\Users\user\Desktop\livechat.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	424
Entropy (8bit):	4.48536259750887
Encrypted:	false
SSDEEP:	6:owiXeS736WiraqQAmvbahOmQgRQUQgRQPYQgRQOYQgfxPZxi3B6QgfxPg3qg3B6N:op7XqQHvWhOLroBGgFBGt
MD5:	3F9D71ABB07DB3A5735DD2A579854978
SHA1:	CFFEAD871722C3D7097D6A5446D7781150AC5E19
SHA-256:	C05160A8E8CABD0061A072A35CA5808869906F9F0AAB7488C87A6A45DDA8D7E9
SHA-512:	DE9195E0B3D411F7EA992983E09A6133CD729DC51A6ED0676D2C0A0B891124F98F6416E75D1745BD0A69DA168E32E649FAF99F96B6820A99F2269AE56A3EE730
Malicious:	false
Reputation:	low
Preview:	ad.anynet.fpr=a36eba97f9e4b93b1d341d92ec1e7bca79cda0ee.ad.anynet.relay.fatal_result=1.0.ad.anynet.relay.state=0.ad.security.frontend_clipboard=1.ad.security.frontend_clipboard_files=1.ad.security.frontend_clipboard_version=1.ad.security.permission_profiles._default.permissions.sas=1.ad.security.permission_profiles._unattended_access.permissions.sas=1.ad.security.permission_profiles.version=1.ad.security.update_version=1.

C:\Users\user\AppData\Roaming\AnyDesk\user.conf

Download File

Process:	C:\Users\user\Desktop\livechat.exe
File Type:	ASCII text, with very long lines (508)
Category:	dropped
Size (bytes):	1907
Entropy (8bit):	4.672870916871488
Encrypted:	false
SSDEEP:	48:2c5PHwzs/Eb57nnauCien4GoWuXlOLc8ggl:2c5I0unnq/n4JWD
MD5:	C50EAE863796A5313E05A75B87A51D9B
SHA1:	E2DD36EF8904AB193883CC85319FAB4F5D0076F2
SHA-256:	82CB8921FB0D0839328BD071B69AA7111DBA0857DB86BA68E6939BFCD818E77B
SHA-512:	96E946DD941FCDB728C97C5D651B58D8FAECA151E303F8A9E2D12BFE8712E93456F53071E8E5366D4AB2A7E4BF391D7D77C0F24CBD077E03C976BA70B44617C5
Malicious:	false
Reputation:	low
Preview:	ad.account.info=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da229db91a63f123fa851d415931d639860ff648310f1fa2df0b53d2e90e4e008262013ecaea92336c5834d302ceb6906193542f12adb3da7f06f2f4aa314b1aa8aa4af03d960ec27374ab0862b47b212f41cf5778b89c8f74072c9e5fc2a1c9302b1426d366d02a8102bf1b276e3d833fa20ef45c9f866470f0d980459f94cbc9709989704c583bac1ccff7a4337f2ed66ced753cd123aaa040d511cc97f0b5475f317e1c0a2b39e6661460ddfcb9041a2b4136c7e2e2dd05dbf10ccc2511b5f8fe7a58a5d1f8e162193bdafc823a9c91c2c4353704b1645b92de8d938028.ad.invite.created_list_encrypted=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da2796c8c8febb27f6b9cc844dd2097d1e0bf648310f1fa2df0b53d2e90e4e008262013ecaea9271e1b3edf828036b0925cbf7a3422ba8d02c77b9d984923f924fcca5b2bff01ac27374ab0862b47b212f41cf5778b89c734a8d900070e2198bcf7b68971449e83c273096bce5a7d297ae8cfed122c21a5470f0d9c6371e8f4af971b03bde4f3cab13b094806804e91f54abb33935b26d13156966a8a88da4b7debc09ff1c1e650e321d555446f1c9e5edb330c40429107585ab0708706d603b6e396e6412bb18b90a9c855b7fc1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (copy)

Download File

Process:	C:\Users\user\Desktop\livechat.exe
File Type:	data
Category:	dropped
Size (bytes):	3216
Entropy (8bit):	3.2607467400738286
Encrypted:	false
SSDEEP:	24:ofxnrpj1IAjnmNhOO0dM8Woymzfxnrpj1IAjOnRhOO0dMeBjDymU:ohrpJLihsAoyUhrpJgRhsHNyH
MD5:	72E69761EC9F2534BF534CE74113EC4D
SHA1:	F3FE46CDF7782C489C626A1921EC47B78DB3060E
SHA-256:	6BFA38636C155ECAC4968FCF154CE82AE33D129F675BFCA0E22F29CC81290993
SHA-512:	2EA3A82C529176AB957FF42C1636DC67220FC73BD71E82A670FB98BBEC0C71C823B20F4A932E8D6208419EE6940A86068FB61180B5483514C5E51B8E6F49C9A8
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.@.. ......l....d..C}......B}...H.=..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&......N....-...}.o.....'.E}.....f.2.H.=..WYl .livechat.exe..J.......W...WYl...........................`..l.i.v.e.c.h.a.t...e.x.e.......R...............-.......Q...........8........C:\Users\user\Desktop\livechat.exe....O.p.e.n. .a. .n.e.w. .A.n.y.D.e.s.k. .w.i.n.d.o.w...#.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.e.s.k.t.o.p.\.l.i.v.e.c.h.a.t...e.x.e.........%USERPROFILE%\Desktop\livechat.exe..................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.D.e.s.k.t.o.p.\.l.i.v.e.c.h.a.t...e.x.e.................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XF7ZTS9N8O6QZ2F7EP2E.temp

Download File

Process:	C:\Users\user\Desktop\livechat.exe
File Type:	data
Category:	dropped
Size (bytes):	3216
Entropy (8bit):	3.2607467400738286
Encrypted:	false
SSDEEP:	24:ofxnrpj1IAjnmNhOO0dM8Woymzfxnrpj1IAjOnRhOO0dMeBjDymU:ohrpJLihsAoyUhrpJgRhsHNyH
MD5:	72E69761EC9F2534BF534CE74113EC4D
SHA1:	F3FE46CDF7782C489C626A1921EC47B78DB3060E
SHA-256:	6BFA38636C155ECAC4968FCF154CE82AE33D129F675BFCA0E22F29CC81290993
SHA-512:	2EA3A82C529176AB957FF42C1636DC67220FC73BD71E82A670FB98BBEC0C71C823B20F4A932E8D6208419EE6940A86068FB61180B5483514C5E51B8E6F49C9A8
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.@.. ......l....d..C}......B}...H.=..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&......N....-...}.o.....'.E}.....f.2.H.=..WYl .livechat.exe..J.......W...WYl...........................`..l.i.v.e.c.h.a.t...e.x.e.......R...............-.......Q...........8........C:\Users\user\Desktop\livechat.exe....O.p.e.n. .a. .n.e.w. .A.n.y.D.e.s.k. .w.i.n.d.o.w...#.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.e.s.k.t.o.p.\.l.i.v.e.c.h.a.t...e.x.e.........%USERPROFILE%\Desktop\livechat.exe..................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.D.e.s.k.t.o.p.\.l.i.v.e.c.h.a.t...e.x.e.................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9991565509956315
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	livechat.exe
File size:	4'040'776 bytes
MD5:	30c9c57aa570088d745fac7bfd05b805
SHA1:	d579d18848859614e219afa6332d410e0ca71fc3
SHA256:	8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383
SHA512:	182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c
SSDEEP:	98304:oOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRF:rmZb0bEds4XFR0OiC/GT
TLSH:	2A1633506BF882E1D1371AB4AE5FE2143F598CFE15F602699C2BA554CDF7C106CC3AA8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L......d.........."......*...8=............

File Icon


Icon Hash:	499669d8d82916a8

Static PE Info

General

Entrypoint:	0x401ce9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x649AD37F [Tue Jun 27 12:18:07 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/12/2021 4:00:00 PM 1/8/2025 3:59:59 PM
Subject Chain	CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-W\xfcrttemberg, C=DE
Version:	3
Thumbprint MD5:	EAE713DFC05244CF4301BF1C9F68B1BE
Thumbprint SHA-1:	9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
Thumbprint SHA-256:	9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
Serial:	0DBF152DEAF0B981A8A938D53F769DB8

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 64h
push esi
lea ecx, dword ptr [ebp-64h]
call 00007FE82D249703h
lea eax, dword ptr [ebp-64h]
mov ecx, eax
mov dword ptr [0147E0E8h], eax
call 00007FE82D2495C1h
test al, al
jne 00007FE82D249D24h
mov esi, 000003E8h
lea ecx, dword ptr [ebp-64h]
call 00007FE82D2495AFh
mov eax, esi
pop esi
leave
ret
lea eax, dword ptr [ebp-64h]
push eax
lea ecx, dword ptr [ebp-30h]
call 00007FE82D2493E3h
lea eax, dword ptr [ebp-30h]
mov ecx, eax
mov dword ptr [0147E0ECh], eax
call 00007FE82D24937Bh
test al, al
jne 00007FE82D249D21h
lea ecx, dword ptr [ebp-30h]
call 00007FE82D249360h
mov esi, 000003E9h
jmp 00007FE82D249CD7h
cmp dword ptr [ebp-10h], 00000000h
je 00007FE82D249D1Ah
push 00000800h
call dword ptr [ebp-10h]
cmp dword ptr [ebp-0Ch], 00000000h
je 00007FE82D249D1Ah
push 00008001h
call dword ptr [ebp-0Ch]
lea eax, dword ptr [ebp-64h]
push eax
lea esi, dword ptr [ebp-30h]
call 00007FE82D249C65h
pop ecx
mov esi, eax
push esi
call dword ptr [ebp-20h]
lea ecx, dword ptr [ebp-30h]
call 00007FE82D249322h
jmp 00007FE82D249C9Eh
mov edx, dword ptr [esp+04h]
push ebx
mov ebx, dword ptr [esp+10h]
push esi
xor esi, esi
test ebx, ebx
je 00007FE82D249D41h
push edi
mov edi, dword ptr [esp+14h]
sub edi, 0147E0F0h
imul edx, edx, 0019660Dh
add edx, 3C6EF35Fh
mov eax, edx
shr eax, 0Ch

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[RES] VS2010 SP1 build 40219
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x107f000	0x4850	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3d6200	0x4648	.itext
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1084000	0x84	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcaf000	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2835	0x2a00	False	0.5949590773809523	data	6.514751266666443	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x4000	0xcaae00	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xcaf000	0x2fa	0x400	False	0.7255859375	Matlab v4 mat-file (little endian) \234\362\312, numeric, rows 1687868287, columns 0, imaginary	5.646642643065067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcb0000	0x3ce4f4	0x3ce200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x107f000	0x4850	0x4a00	False	0.5123521959459459	data	6.017834090303233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1084000	0x300	0x400	False	0.1455078125	data	1.181265380704217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x107f280	0x1b8e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9167848029486816
RT_ICON	0x1080e10	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.299390243902439
RT_ICON	0x1081478	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.478494623655914
RT_ICON	0x1081760	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.48155737704918034
RT_ICON	0x1081948	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.597972972972973
RT_ICON	0x1081ac0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.09404315196998124
RT_ICON	0x1082b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.2047872340425532
RT_GROUP_ICON	0x1081a70	0x4c	data	English	United States	0.8026315789473685
RT_GROUP_ICON	0x1082fd0	0x22	data	English	United States	1.0588235294117647
RT_VERSION	0x1082ff8	0x250	data	English	United States	0.4814189189189189
RT_MANIFEST	0x1083248	0x606	XML 1.0 document, ASCII text	English	United States	0.45395590142671854

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 15, 2023 06:34:57.971935034 CEST	49719	443	192.168.2.3	49.12.130.236
Aug 15, 2023 06:34:57.971997976 CEST	443	49719	49.12.130.236	192.168.2.3
Aug 15, 2023 06:34:57.972636938 CEST	49719	443	192.168.2.3	49.12.130.236
Aug 15, 2023 06:34:58.010926008 CEST	49719	443	192.168.2.3	49.12.130.236
Aug 15, 2023 06:34:58.010982990 CEST	443	49719	49.12.130.236	192.168.2.3
Aug 15, 2023 06:34:58.083450079 CEST	443	49719	49.12.130.236	192.168.2.3
Aug 15, 2023 06:34:58.084217072 CEST	49719	443	192.168.2.3	49.12.130.236
Aug 15, 2023 06:34:58.084218025 CEST	49719	443	192.168.2.3	49.12.130.236
Aug 15, 2023 06:34:58.084264040 CEST	443	49719	49.12.130.236	192.168.2.3
Aug 15, 2023 06:34:58.084469080 CEST	443	49719	49.12.130.236	192.168.2.3
Aug 15, 2023 06:34:58.086612940 CEST	49719	443	192.168.2.3	49.12.130.236
Aug 15, 2023 06:34:58.396799088 CEST	49719	443	192.168.2.3	49.12.130.236
Aug 15, 2023 06:34:58.434076071 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.458750963 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.458945990 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.477351904 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.501830101 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.503907919 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.503951073 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.503987074 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.504026890 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.504056931 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.504085064 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.504129887 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.517020941 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.541635036 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.541676998 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.542679071 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.663991928 CEST	49720	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:34:58.688728094 CEST	80	49720	185.229.191.44	192.168.2.3
Aug 15, 2023 06:34:58.698015928 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.719309092 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.719551086 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.730408907 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.751492977 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.753319025 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.753376961 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.753417969 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.753457069 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.753459930 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.753500938 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.753556013 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.767326117 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.788739920 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.788798094 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:34:58.788870096 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.908499002 CEST	49721	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:34:58.929836035 CEST	6568	49721	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:04.892626047 CEST	49722	443	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:04.892697096 CEST	443	49722	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:04.892792940 CEST	49722	443	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:04.925278902 CEST	49722	443	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:04.925318003 CEST	443	49722	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:04.983570099 CEST	443	49722	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:04.983664989 CEST	49722	443	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:04.984407902 CEST	49722	443	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:04.984426975 CEST	443	49722	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:04.984778881 CEST	443	49722	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:04.984863043 CEST	49722	443	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:05.064174891 CEST	49722	443	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:05.119487047 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.143791914 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.143925905 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.150094986 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.174338102 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.176543951 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.176584959 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.176624060 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.176656008 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.176666975 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.176708937 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.176722050 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.188119888 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.212649107 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.212704897 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.212779045 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.367022991 CEST	49723	80	192.168.2.3	185.229.191.44
Aug 15, 2023 06:35:05.391434908 CEST	80	49723	185.229.191.44	192.168.2.3
Aug 15, 2023 06:35:05.400794983 CEST	49724	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:05.421926975 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:05.422091961 CEST	49724	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:05.431582928 CEST	49724	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:05.453293085 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:05.455507040 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:05.455562115 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:05.455600023 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:05.455637932 CEST	49724	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:05.466840029 CEST	49724	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:05.488635063 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:05.488681078 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:05.488782883 CEST	49724	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:06.815713882 CEST	49724	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:06.837014914 CEST	6568	49724	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.083888054 CEST	49740	443	192.168.2.3	57.128.101.77
Aug 15, 2023 06:35:22.083966970 CEST	443	49740	57.128.101.77	192.168.2.3
Aug 15, 2023 06:35:22.084081888 CEST	49740	443	192.168.2.3	57.128.101.77
Aug 15, 2023 06:35:22.126836061 CEST	49740	443	192.168.2.3	57.128.101.77
Aug 15, 2023 06:35:22.126877069 CEST	443	49740	57.128.101.77	192.168.2.3
Aug 15, 2023 06:35:22.182857037 CEST	443	49740	57.128.101.77	192.168.2.3
Aug 15, 2023 06:35:22.183068991 CEST	49740	443	192.168.2.3	57.128.101.77
Aug 15, 2023 06:35:22.196669102 CEST	49740	443	192.168.2.3	57.128.101.77
Aug 15, 2023 06:35:22.196700096 CEST	443	49740	57.128.101.77	192.168.2.3
Aug 15, 2023 06:35:22.197355032 CEST	443	49740	57.128.101.77	192.168.2.3
Aug 15, 2023 06:35:22.197555065 CEST	49740	443	192.168.2.3	57.128.101.77
Aug 15, 2023 06:35:22.494823933 CEST	49740	443	192.168.2.3	57.128.101.77
Aug 15, 2023 06:35:22.526674986 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.547770977 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.547899008 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.558806896 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.579732895 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.582060099 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.582149029 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.582190990 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.582231998 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.582262039 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.582273960 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.582355976 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.594871044 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.615772009 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.615823984 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.616173029 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.717523098 CEST	49741	80	192.168.2.3	141.95.145.210
Aug 15, 2023 06:35:22.738372087 CEST	80	49741	141.95.145.210	192.168.2.3
Aug 15, 2023 06:35:22.748107910 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.768697977 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.768855095 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.836551905 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.859886885 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.863070965 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.863115072 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.863176107 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.863215923 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.863256931 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.863264084 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.863265038 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.875190973 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.899612904 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.899652958 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:35:22.900495052 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.973586082 CEST	49742	6568	192.168.2.3	92.223.88.41
Aug 15, 2023 06:35:22.997648954 CEST	6568	49742	92.223.88.41	192.168.2.3
Aug 15, 2023 06:36:12.673638105 CEST	49780	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:36:12.673741102 CEST	443	49780	185.229.191.44	192.168.2.3
Aug 15, 2023 06:36:12.673877954 CEST	49780	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:36:12.687165022 CEST	49780	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:36:12.687241077 CEST	443	49780	185.229.191.44	192.168.2.3
Aug 15, 2023 06:36:12.751041889 CEST	443	49780	185.229.191.44	192.168.2.3
Aug 15, 2023 06:36:12.751153946 CEST	49780	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:36:12.751859903 CEST	49780	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:36:12.751885891 CEST	443	49780	185.229.191.44	192.168.2.3
Aug 15, 2023 06:36:12.752183914 CEST	443	49780	185.229.191.44	192.168.2.3
Aug 15, 2023 06:36:12.752264023 CEST	49780	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:36:12.835238934 CEST	49780	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:36:12.857706070 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:12.880258083 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.880430937 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:12.890701056 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:12.913146973 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.916084051 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.916121960 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.916162014 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.916196108 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.916224003 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.916244984 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:12.916322947 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:12.927781105 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:12.950247049 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.950288057 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:12.950771093 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:13.038983107 CEST	49781	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:36:13.061322927 CEST	80	49781	49.12.130.236	192.168.2.3
Aug 15, 2023 06:36:13.062119007 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.082873106 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.082993984 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.092371941 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.113101959 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.115375996 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.115418911 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.115457058 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.115495920 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.115497112 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.115534067 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.115586996 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.126702070 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.147608995 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.147656918 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:36:13.147840023 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.236265898 CEST	49782	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:36:13.257014990 CEST	6568	49782	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:18.729300976 CEST	49786	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:37:18.729367971 CEST	443	49786	185.229.191.44	192.168.2.3
Aug 15, 2023 06:37:18.729485989 CEST	49786	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:37:18.754043102 CEST	49786	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:37:18.754091978 CEST	443	49786	185.229.191.44	192.168.2.3
Aug 15, 2023 06:37:18.819684029 CEST	443	49786	185.229.191.44	192.168.2.3
Aug 15, 2023 06:37:18.819818020 CEST	49786	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:37:18.820550919 CEST	49786	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:37:18.820573092 CEST	443	49786	185.229.191.44	192.168.2.3
Aug 15, 2023 06:37:18.820908070 CEST	443	49786	185.229.191.44	192.168.2.3
Aug 15, 2023 06:37:18.820970058 CEST	49786	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:37:18.910852909 CEST	49786	443	192.168.2.3	185.229.191.44
Aug 15, 2023 06:37:18.942399979 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:18.962759018 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:18.962861061 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:18.970153093 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:18.990576029 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:18.992398977 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:18.992433071 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:18.992456913 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:18.992477894 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:18.992501020 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:18.992505074 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:18.992552042 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:19.007570982 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:19.027920008 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:19.027950048 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:19.028045893 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:19.166862011 CEST	49787	80	192.168.2.3	92.223.88.41
Aug 15, 2023 06:37:19.187237978 CEST	80	49787	92.223.88.41	192.168.2.3
Aug 15, 2023 06:37:19.190818071 CEST	49788	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:37:19.211740971 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:19.211841106 CEST	49788	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:37:19.223881006 CEST	49788	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:37:19.244791031 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:19.247097015 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:19.247124910 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:19.247193098 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:19.247220039 CEST	49788	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:37:19.258701086 CEST	49788	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:37:19.279742002 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:19.279841900 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:37:19.279923916 CEST	49788	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:37:19.921220064 CEST	49788	6568	192.168.2.3	141.95.145.210
Aug 15, 2023 06:37:19.942542076 CEST	6568	49788	141.95.145.210	192.168.2.3
Aug 15, 2023 06:38:30.970743895 CEST	49791	443	192.168.2.3	92.223.88.41
Aug 15, 2023 06:38:30.970848083 CEST	443	49791	92.223.88.41	192.168.2.3
Aug 15, 2023 06:38:30.970969915 CEST	49791	443	192.168.2.3	92.223.88.41
Aug 15, 2023 06:38:30.974481106 CEST	49791	443	192.168.2.3	92.223.88.41
Aug 15, 2023 06:38:30.974535942 CEST	443	49791	92.223.88.41	192.168.2.3
Aug 15, 2023 06:38:31.030914068 CEST	443	49791	92.223.88.41	192.168.2.3
Aug 15, 2023 06:38:31.031043053 CEST	49791	443	192.168.2.3	92.223.88.41
Aug 15, 2023 06:38:31.031755924 CEST	49791	443	192.168.2.3	92.223.88.41
Aug 15, 2023 06:38:31.031769037 CEST	443	49791	92.223.88.41	192.168.2.3
Aug 15, 2023 06:38:31.032133102 CEST	443	49791	92.223.88.41	192.168.2.3
Aug 15, 2023 06:38:31.032203913 CEST	49791	443	192.168.2.3	92.223.88.41
Aug 15, 2023 06:38:31.158231020 CEST	49791	443	192.168.2.3	92.223.88.41
Aug 15, 2023 06:38:31.190567970 CEST	49792	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:38:31.213768959 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.213912964 CEST	49792	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:38:31.215631008 CEST	49792	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:38:31.238826990 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.241360903 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.241554022 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.241597891 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.241641998 CEST	49792	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:38:31.254540920 CEST	49792	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:38:31.277512074 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.277558088 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.277642965 CEST	49792	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:38:31.451798916 CEST	49792	80	192.168.2.3	49.12.130.236
Aug 15, 2023 06:38:31.474700928 CEST	80	49792	49.12.130.236	192.168.2.3
Aug 15, 2023 06:38:31.482662916 CEST	49793	6568	192.168.2.3	57.128.101.77
Aug 15, 2023 06:38:31.503166914 CEST	6568	49793	57.128.101.77	192.168.2.3
Aug 15, 2023 06:38:31.503439903 CEST	49793	6568	192.168.2.3	57.128.101.77
Aug 15, 2023 06:38:31.505330086 CEST	49793	6568	192.168.2.3	57.128.101.77
Aug 15, 2023 06:38:31.525619984 CEST	6568	49793	57.128.101.77	192.168.2.3
Aug 15, 2023 06:38:31.527625084 CEST	6568	49793	57.128.101.77	192.168.2.3
Aug 15, 2023 06:38:31.527713060 CEST	6568	49793	57.128.101.77	192.168.2.3
Aug 15, 2023 06:38:31.527750969 CEST	6568	49793	57.128.101.77	192.168.2.3
Aug 15, 2023 06:38:31.527806997 CEST	49793	6568	192.168.2.3	57.128.101.77
Aug 15, 2023 06:38:31.539515018 CEST	49793	6568	192.168.2.3	57.128.101.77
Aug 15, 2023 06:38:31.560127020 CEST	6568	49793	57.128.101.77	192.168.2.3
Aug 15, 2023 06:38:31.560152054 CEST	6568	49793	57.128.101.77	192.168.2.3
Aug 15, 2023 06:38:31.560230017 CEST	49793	6568	192.168.2.3	57.128.101.77
Aug 15, 2023 06:38:31.692528009 CEST	49793	6568	192.168.2.3	57.128.101.77
Aug 15, 2023 06:38:31.713016987 CEST	6568	49793	57.128.101.77	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 15, 2023 06:34:57.859107018 CEST	56452	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:34:57.888891935 CEST	53	56452	8.8.8.8	192.168.2.3
Aug 15, 2023 06:34:58.406181097 CEST	59489	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:34:58.421583891 CEST	53	59489	8.8.8.8	192.168.2.3
Aug 15, 2023 06:34:58.672624111 CEST	51739	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:34:58.692795992 CEST	53	51739	8.8.8.8	192.168.2.3
Aug 15, 2023 06:35:04.779010057 CEST	63604	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:35:04.794151068 CEST	53	63604	8.8.8.8	192.168.2.3
Aug 15, 2023 06:35:05.092850924 CEST	60000	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:35:05.116507053 CEST	53	60000	8.8.8.8	192.168.2.3
Aug 15, 2023 06:35:05.374165058 CEST	54193	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:35:05.398300886 CEST	53	54193	8.8.8.8	192.168.2.3
Aug 15, 2023 06:35:21.997332096 CEST	61084	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:35:22.013022900 CEST	53	61084	8.8.8.8	192.168.2.3
Aug 15, 2023 06:35:22.499854088 CEST	61769	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:35:22.523691893 CEST	53	61769	8.8.8.8	192.168.2.3
Aug 15, 2023 06:35:22.730120897 CEST	56944	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:35:22.745779991 CEST	53	56944	8.8.8.8	192.168.2.3
Aug 15, 2023 06:36:12.638498068 CEST	50791	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:36:12.662240028 CEST	53	50791	8.8.8.8	192.168.2.3
Aug 15, 2023 06:36:12.840197086 CEST	54156	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:36:12.855803967 CEST	53	54156	8.8.8.8	192.168.2.3
Aug 15, 2023 06:36:13.043934107 CEST	50959	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:36:13.059293032 CEST	53	50959	8.8.8.8	192.168.2.3
Aug 15, 2023 06:37:18.644133091 CEST	57453	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:37:18.667996883 CEST	53	57453	8.8.8.8	192.168.2.3
Aug 15, 2023 06:37:18.919420958 CEST	65154	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:37:18.934860945 CEST	53	65154	8.8.8.8	192.168.2.3
Aug 15, 2023 06:37:19.172384024 CEST	58750	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:37:19.187690973 CEST	53	58750	8.8.8.8	192.168.2.3
Aug 15, 2023 06:38:30.952872992 CEST	50546	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:38:30.968529940 CEST	53	50546	8.8.8.8	192.168.2.3
Aug 15, 2023 06:38:31.163347006 CEST	64097	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:38:31.187485933 CEST	53	64097	8.8.8.8	192.168.2.3
Aug 15, 2023 06:38:31.461061001 CEST	64730	53	192.168.2.3	8.8.8.8
Aug 15, 2023 06:38:31.476397038 CEST	53	64730	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 15, 2023 06:34:57.859107018 CEST	192.168.2.3	8.8.8.8	0x651c	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:34:58.406181097 CEST	192.168.2.3	8.8.8.8	0xc432	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:34:58.672624111 CEST	192.168.2.3	8.8.8.8	0xf735	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:04.779010057 CEST	192.168.2.3	8.8.8.8	0x7f22	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:05.092850924 CEST	192.168.2.3	8.8.8.8	0x25cf	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:05.374165058 CEST	192.168.2.3	8.8.8.8	0x6840	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:21.997332096 CEST	192.168.2.3	8.8.8.8	0x5f77	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:22.499854088 CEST	192.168.2.3	8.8.8.8	0xa638	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:22.730120897 CEST	192.168.2.3	8.8.8.8	0x89fb	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:36:12.638498068 CEST	192.168.2.3	8.8.8.8	0x7315	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:36:12.840197086 CEST	192.168.2.3	8.8.8.8	0x5309	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:36:13.043934107 CEST	192.168.2.3	8.8.8.8	0xc8f4	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:37:18.644133091 CEST	192.168.2.3	8.8.8.8	0x7cc8	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:37:18.919420958 CEST	192.168.2.3	8.8.8.8	0x34cb	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:37:19.172384024 CEST	192.168.2.3	8.8.8.8	0x873b	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:38:30.952872992 CEST	192.168.2.3	8.8.8.8	0x5004	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:38:31.163347006 CEST	192.168.2.3	8.8.8.8	0xbe7c	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:38:31.461061001 CEST	192.168.2.3	8.8.8.8	0xcf6d	Standard query (0)	boot.net.anydesk.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 15, 2023 06:34:57.888891935 CEST	8.8.8.8	192.168.2.3	0x651c	No error (0)	boot.net.anydesk.com	49.12.130.236	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:34:58.421583891 CEST	8.8.8.8	192.168.2.3	0xc432	No error (0)	boot.net.anydesk.com	185.229.191.44	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:34:58.692795992 CEST	8.8.8.8	192.168.2.3	0xf735	No error (0)	boot.net.anydesk.com	141.95.145.210	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:04.794151068 CEST	8.8.8.8	192.168.2.3	0x7f22	No error (0)	boot.net.anydesk.com	141.95.145.210	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:05.116507053 CEST	8.8.8.8	192.168.2.3	0x25cf	No error (0)	boot.net.anydesk.com	185.229.191.44	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:05.398300886 CEST	8.8.8.8	192.168.2.3	0x6840	No error (0)	boot.net.anydesk.com	141.95.145.210	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:22.013022900 CEST	8.8.8.8	192.168.2.3	0x5f77	No error (0)	boot.net.anydesk.com	57.128.101.77	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:22.523691893 CEST	8.8.8.8	192.168.2.3	0xa638	No error (0)	boot.net.anydesk.com	141.95.145.210	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:35:22.745779991 CEST	8.8.8.8	192.168.2.3	0x89fb	No error (0)	boot.net.anydesk.com	92.223.88.41	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:36:12.662240028 CEST	8.8.8.8	192.168.2.3	0x7315	No error (0)	boot.net.anydesk.com	185.229.191.44	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:36:12.855803967 CEST	8.8.8.8	192.168.2.3	0x5309	No error (0)	boot.net.anydesk.com	49.12.130.236	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:36:13.059293032 CEST	8.8.8.8	192.168.2.3	0xc8f4	No error (0)	boot.net.anydesk.com	141.95.145.210	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:37:18.667996883 CEST	8.8.8.8	192.168.2.3	0x7cc8	No error (0)	boot.net.anydesk.com	185.229.191.44	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:37:18.934860945 CEST	8.8.8.8	192.168.2.3	0x34cb	No error (0)	boot.net.anydesk.com	92.223.88.41	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:37:19.187690973 CEST	8.8.8.8	192.168.2.3	0x873b	No error (0)	boot.net.anydesk.com	141.95.145.210	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:38:30.968529940 CEST	8.8.8.8	192.168.2.3	0x5004	No error (0)	boot.net.anydesk.com	92.223.88.41	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:38:31.187485933 CEST	8.8.8.8	192.168.2.3	0xbe7c	No error (0)	boot.net.anydesk.com	49.12.130.236	A (IP address)	IN (0x0001)	false
Aug 15, 2023 06:38:31.476397038 CEST	8.8.8.8	192.168.2.3	0xcf6d	No error (0)	boot.net.anydesk.com	57.128.101.77	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49720	185.229.191.44	80	C:\Users\user\Desktop\livechat.exe

Timestamp	kBytes transferred	Direction	Data
Aug 15, 2023 06:34:58.477351904 CEST	5	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 6b 9c df 30 e4 c7 9b c2 8f 77 b8 28 10 63 b9 76 a6 91 9b a7 12 69 d1 ab 98 2d a2 ee b0 3d 3f 8c 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: k0w(cvi-=?n0,($kjih98762.*&=5/+'#g@?>32101-)%</r#
Aug 15, 2023 06:34:58.503907919 CEST	5	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 f2 a5 a7 a9 04 9f 8e a5 81 50 cc bb e3 e8 c5 85 5b 64 8d 8f 01 9a 5d 97 44 4f 57 4e 47 52 44 01 20 a8 dc f3 5a 21 b4 da f5 43 60 4a 5f a6 84 42 6d 1f 15 63 dd f2 fc 90 6a 09 77 8b f9 19 e7 6a 3c c0 2c 00 00 0b ff Data Ascii: WSP[d]DOWNGRD Z!C`J_Bmcjwj<,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Aug 15, 2023 06:34:58.503951073 CEST	6	IN	Data Raw: e6 e8 20 b9 4b 8b bb 63 de 6f 65 6a 9f 5d d7 c1 97 9b 2d 30 4e 9a 81 85 b4 1c 92 a6 ed d8 7a f9 df 9d 03 b3 90 9c 78 a9 c8 ba 0e 3c ac ec 14 db 7d 51 b3 97 06 b9 f6 77 60 ab fe 59 83 af 8e 97 56 29 c7 db 7e 71 79 d1 c7 f7 da b6 c8 f7 af 8f 24 e0 Data Ascii: Kcoej]-0Nzx<}Qw`YV)~qy$ZG\|'SO^jl$\|XM+")+{n\&9S\|4xLp\|aZ.qDL\vq$;OroCs4\|z\8[TRxU>R
Aug 15, 2023 06:34:58.503987074 CEST	7	IN	Data Raw: 35 35 5a 17 0d 32 34 30 34 30 38 30 32 33 37 35 35 5a 30 48 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 4e 65 74 20 52 6f 6f 74 20 43 41 31 20 30 1e 06 03 55 04 0a 0c 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 Data Ascii: 55Z240408023755Z0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0"0*H0AZ T7;h8m&i6p4p]\|Zx1\{ZQ/3'h;jlaV
Aug 15, 2023 06:34:58.504026890 CEST	7	IN	Data Raw: 3c 1f 22 91 25 17 15 cc 42 82 da 3b a8 39 c7 2a 50 ca d9 4c a0 8c 95 33 75 03 70 b8 df a0 c9 b2 b2 8b 1b 38 83 79 32 c3 12 da 33 96 42 f4 91 11 aa c6 26 31 bc ea 43 8a 30 54 65 c5 43 9e 50 3b fa 91 93 0e 9d 3b 23 4a 3d 43 c1 c6 22 9b 68 af 2f fc Data Ascii: <"%B;9PL3up8y23B&1C0TeCP;;#J=C"h/R"j.P0N0UeyXW6\bG0U#0eyXW6\bG0U00HG`4%(^0VGv T=#
Aug 15, 2023 06:34:58.504085064 CEST	8	IN	Data Raw: ca b6 9b 39 e6 cf 27 d0 2c 99 74 d4 ca de 47 88 ed df f7 9c 3b ac 8a 62 d2 75 90 d9 00 81 d3 f8 c2 47 8e 9a bd 87 6d ce e5 9a 7f 28 76 a4 77 c6 3f b9 bf 4d f1 cb df 0f 2c 73 fe b4 60 e3 26 5e 83 f2 ae 36 56 94 e9 a7 9d a1 3d ca 5d 6e 3d 5d a8 6f Data Ascii: 9',tG;buGm(vw?M,s`&^6V=]n=]oh'g4E4{%QT?*Qd9wsfI+\+Wfp;q.Lgr:>4m`=D^!`l.:s&jA}&R+@ikbXkSdESG
Aug 15, 2023 06:34:58.517020941 CEST	9	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 38 31 35 31 33 33 34 Data Ascii: 000H010UAnyDesk Client0 230815133457Z20730802133457Z010UAnyDesk Client0"0H0R\JImsfol9oD.2/)"iz4w8qq[&ThYlR`{[
Aug 15, 2023 06:34:58.541635036 CEST	9	IN	Data Raw: 15 03 03 00 02 02 2d Data Ascii: -

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49723	185.229.191.44	80	C:\Users\user\Desktop\livechat.exe

Timestamp	kBytes transferred	Direction	Data
Aug 15, 2023 06:35:05.150094986 CEST	19	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 e3 b8 d8 df 71 e7 0d 4c 2b 7c eb 7e 53 e6 6b 2c 35 9e 06 47 c8 3f 34 aa df 46 29 c7 ca a9 a6 28 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: qL+\|~Sk,5G?4F)(n0,($kjih98762.*&=5/+'#g@?>32101-)%</r#
Aug 15, 2023 06:35:05.176543951 CEST	20	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 b8 e6 61 e5 6a 9e ed e5 ae 47 52 f9 51 1f 0e 4e 27 a6 3a ec 99 da 3d 59 44 4f 57 4e 47 52 44 01 20 78 58 3c b1 7e 00 aa 6d 7f 79 2b 7f 6f c5 5b aa 8b 00 14 fa 9d 22 f0 4b c4 25 32 00 73 f3 f4 97 c0 2c 00 00 0b ff Data Ascii: WSajGRQN':=YDOWNGRD xX<~my+o["K%2s,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Aug 15, 2023 06:35:05.176584959 CEST	21	IN	Data Raw: e6 e8 20 b9 4b 8b bb 63 de 6f 65 6a 9f 5d d7 c1 97 9b 2d 30 4e 9a 81 85 b4 1c 92 a6 ed d8 7a f9 df 9d 03 b3 90 9c 78 a9 c8 ba 0e 3c ac ec 14 db 7d 51 b3 97 06 b9 f6 77 60 ab fe 59 83 af 8e 97 56 29 c7 db 7e 71 79 d1 c7 f7 da b6 c8 f7 af 8f 24 e0 Data Ascii: Kcoej]-0Nzx<}Qw`YV)~qy$ZG\|'SO^jl$\|XM+")+{n\&9S\|4xLp\|aZ.qDL\vq$;OroCs4\|z\8[TRxU>R
Aug 15, 2023 06:35:05.176624060 CEST	21	IN	Data Raw: 35 35 5a 17 0d 32 34 30 34 30 38 30 32 33 37 35 35 5a 30 48 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 4e 65 74 20 52 6f 6f 74 20 43 41 31 20 30 1e 06 03 55 04 0a 0c 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 Data Ascii: 55Z240408023755Z0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0"0*H0AZ T7;h8m&i6p4p]\|Zx1\{ZQ/3'h;jlaV
Aug 15, 2023 06:35:05.176666975 CEST	22	IN	Data Raw: 3c 1f 22 91 25 17 15 cc 42 82 da 3b a8 39 c7 2a 50 ca d9 4c a0 8c 95 33 75 03 70 b8 df a0 c9 b2 b2 8b 1b 38 83 79 32 c3 12 da 33 96 42 f4 91 11 aa c6 26 31 bc ea 43 8a 30 54 65 c5 43 9e 50 3b fa 91 93 0e 9d 3b 23 4a 3d 43 c1 c6 22 9b 68 af 2f fc Data Ascii: <"%B;9PL3up8y23B&1C0TeCP;;#J=C"h/R"j.P0N0UeyXW6\bG0U#0eyXW6\bG0U00HG`4%(^0VGv T=#
Aug 15, 2023 06:35:05.176708937 CEST	22	IN	Data Raw: ca b6 9b 39 e6 cf 27 d0 2c 99 74 d4 ca de 47 88 ed df f7 9c 3b ac 8a 62 d2 75 90 d9 00 81 d3 f8 c2 47 8e 9a bd 87 6d ce e5 9a 7f 28 76 a4 77 c6 3f b9 bf 4d f1 cb df 0f 2c 73 fe b4 60 e3 26 5e 83 f2 ae 36 56 94 e9 a7 9d a1 3d ca 5d 6e 3d 5d a8 6f Data Ascii: 9',tG;buGm(vw?M,s`&^6V=]n=]oh'g4E4{%QT?*Qd9wsfI+\+Wfp;q.Lgr:>4m`=D^!`l.:s&jACEpln`30jnfl$~n-
Aug 15, 2023 06:35:05.188119888 CEST	24	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 38 31 35 31 33 33 34 Data Ascii: 000H010UAnyDesk Client0 230815133457Z20730802133457Z010UAnyDesk Client0"0H0R\JImsfol9oD.2/)"iz4w8qq[&ThYlR`{[
Aug 15, 2023 06:35:05.212649107 CEST	24	IN	Data Raw: 15 03 03 00 02 02 2d Data Ascii: -

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49741	141.95.145.210	80	C:\Users\user\Desktop\livechat.exe

Timestamp	kBytes transferred	Direction	Data
Aug 15, 2023 06:35:22.558806896 CEST	2684	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 52 a2 7c 3c 2a dd 35 4b d0 be 9b 58 a5 6c 7e 14 f9 16 f8 f9 6d 04 c5 b5 c1 14 a4 bf b6 45 3f be 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: R\|<5KXl~mE?n0,($kjih98762.&=5/+'#g@?>32101-)%</r#
Aug 15, 2023 06:35:22.582060099 CEST	2684	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 c8 b3 01 31 1e bf a6 5d 82 e5 21 49 21 7c c1 9a d2 5e 44 7a de 4a 6d 47 44 4f 57 4e 47 52 44 01 20 18 7e d1 98 2f ac c8 86 71 7f 05 85 21 3b 77 ff 23 9e 90 8b ff a7 0c 14 26 a1 38 0b 5b b6 a2 e7 c0 2c 00 00 0b ff Data Ascii: WS1]!I!\|^DzJmGDOWNGRD ~/q!;w#&8[,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Aug 15, 2023 06:35:22.582149029 CEST	2685	IN	Data Raw: e6 e8 20 b9 4b 8b bb 63 de 6f 65 6a 9f 5d d7 c1 97 9b 2d 30 4e 9a 81 85 b4 1c 92 a6 ed d8 7a f9 df 9d 03 b3 90 9c 78 a9 c8 ba 0e 3c ac ec 14 db 7d 51 b3 97 06 b9 f6 77 60 ab fe 59 83 af 8e 97 56 29 c7 db 7e 71 79 d1 c7 f7 da b6 c8 f7 af 8f 24 e0 Data Ascii: Kcoej]-0Nzx<}Qw`YV)~qy$ZG\|'SO^jl$\|XM+")+{n\&9S\|4xLp\|aZ.qDL\vq$;OroCs4\|z\8[TRxU>R
Aug 15, 2023 06:35:22.582190990 CEST	2686	IN	Data Raw: 35 35 5a 17 0d 32 34 30 34 30 38 30 32 33 37 35 35 5a 30 48 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 4e 65 74 20 52 6f 6f 74 20 43 41 31 20 30 1e 06 03 55 04 0a 0c 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 Data Ascii: 55Z240408023755Z0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0"0*H0AZ T7;h8m&i6p4p]\|Zx1\{ZQ/3'h;jlaV
Aug 15, 2023 06:35:22.582231998 CEST	2686	IN	Data Raw: 3c 1f 22 91 25 17 15 cc 42 82 da 3b a8 39 c7 2a 50 ca d9 4c a0 8c 95 33 75 03 70 b8 df a0 c9 b2 b2 8b 1b 38 83 79 32 c3 12 da 33 96 42 f4 91 11 aa c6 26 31 bc ea 43 8a 30 54 65 c5 43 9e 50 3b fa 91 93 0e 9d 3b 23 4a 3d 43 c1 c6 22 9b 68 af 2f fc Data Ascii: <"%B;9PL3up8y23B&1C0TeCP;;#J=C"h/R"j.P0N0UeyXW6\bG0U#0eyXW6\bG0U00HG`4%(^0VGv T=#
Aug 15, 2023 06:35:22.582273960 CEST	2687	IN	Data Raw: ca b6 9b 39 e6 cf 27 d0 2c 99 74 d4 ca de 47 88 ed df f7 9c 3b ac 8a 62 d2 75 90 d9 00 81 d3 f8 c2 47 8e 9a bd 87 6d ce e5 9a 7f 28 76 a4 77 c6 3f b9 bf 4d f1 cb df 0f 2c 73 fe b4 60 e3 26 5e 83 f2 ae 36 56 94 e9 a7 9d a1 3d ca 5d 6e 3d 5d a8 6f Data Ascii: 9',tG;buGm(vw?M,s`&^6V=]n=]oh'g4E4{%QT?*Qd9wsfI+\+Wfp;q.Lgr:>4m`=D^!`l.:s&jAY{k6oI2?DRO]n;(+RNaz
Aug 15, 2023 06:35:22.594871044 CEST	2688	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 38 31 35 31 33 33 34 Data Ascii: 000H010UAnyDesk Client0 230815133457Z20730802133457Z010UAnyDesk Client0"0H0R\JImsfol9oD.2/)"iz4w8qq[&ThYlR`{[
Aug 15, 2023 06:35:22.615772009 CEST	2688	IN	Data Raw: 15 03 03 00 02 02 2d Data Ascii: -

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49781	49.12.130.236	80	C:\Users\user\Desktop\livechat.exe

Timestamp	kBytes transferred	Direction	Data
Aug 15, 2023 06:36:12.890701056 CEST	2826	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 c0 3b 9e d2 a8 60 cf 51 94 c3 1f 0e 18 21 69 32 00 2e 98 d6 72 98 17 67 4a 0b d5 70 42 56 6b a4 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: ;`Q!i2.rgJpBVkn0,($kjih98762.*&=5/+'#g@?>32101-)%</r#
Aug 15, 2023 06:36:12.916084051 CEST	2827	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 c9 5b 93 af 01 d8 bc b0 b5 8c 98 3e 0f b8 2a a7 b5 24 38 a8 50 27 ad 01 44 4f 57 4e 47 52 44 01 20 a7 1b 5b 6f d2 fc 6a 1a 7c 3e 32 4e be 96 38 ad 09 d8 8e 2d a2 5c 42 22 20 4f 60 5a c2 7e a7 88 c0 2c 00 00 0b ff Data Ascii: WS[>$8P'DOWNGRD [oj\|>2N8-\B" O`Z~,C0?0'0vtS$0H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Aug 15, 2023 06:36:12.916121960 CEST	2827	IN	Data Raw: e6 e8 20 b9 4b 8b bb 63 de 6f 65 6a 9f 5d d7 c1 97 9b 2d 30 4e 9a 81 85 b4 1c 92 a6 ed d8 7a f9 df 9d 03 b3 90 9c 78 a9 c8 ba 0e 3c ac ec 14 db 7d 51 b3 97 06 b9 f6 77 60 ab fe 59 83 af 8e 97 56 29 c7 db 7e 71 79 d1 c7 f7 da b6 c8 f7 af 8f 24 e0 Data Ascii: Kcoej]-0Nzx<}Qw`YV)~qy$ZG\|'SO^jl$\|XM+")+{n\&9S\|4xLp\|aZ.qDL\vq$;OroCs4\|z\8[TRxU>R
Aug 15, 2023 06:36:12.916162014 CEST	2828	IN	Data Raw: 35 35 5a 17 0d 32 34 30 34 30 38 30 32 33 37 35 35 5a 30 48 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 4e 65 74 20 52 6f 6f 74 20 43 41 31 20 30 1e 06 03 55 04 0a 0c 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 Data Ascii: 55Z240408023755Z0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0"0*H0AZ T7;h8m&i6p4p]\|Zx1\{ZQ/3'h;jlaV
Aug 15, 2023 06:36:12.916196108 CEST	2828	IN	Data Raw: 3c 1f 22 91 25 17 15 cc 42 82 da 3b a8 39 c7 2a 50 ca d9 4c a0 8c 95 33 75 03 70 b8 df a0 c9 b2 b2 8b 1b 38 83 79 32 c3 12 da 33 96 42 f4 91 11 aa c6 26 31 bc ea 43 8a 30 54 65 c5 43 9e 50 3b fa 91 93 0e 9d 3b 23 4a 3d 43 c1 c6 22 9b 68 af 2f fc Data Ascii: <"%B;9PL3up8y23B&1C0TeCP;;#J=C"h/R"j.P0N0UeyXW6\bG0U#0eyXW6\bG0U00HG`4%(^0VGv T=#
Aug 15, 2023 06:36:12.916224003 CEST	2829	IN	Data Raw: ca b6 9b 39 e6 cf 27 d0 2c 99 74 d4 ca de 47 88 ed df f7 9c 3b ac 8a 62 d2 75 90 d9 00 81 d3 f8 c2 47 8e 9a bd 87 6d ce e5 9a 7f 28 76 a4 77 c6 3f b9 bf 4d f1 cb df 0f 2c 73 fe b4 60 e3 26 5e 83 f2 ae 36 56 94 e9 a7 9d a1 3d ca 5d 6e 3d 5d a8 6f Data Ascii: 9',tG;buGm(vw?M,s`&^6V=]n=]oh'g4E4{%QT?*Qd9wsfI+\+Wfp;q.Lgr:>4m`=D^!`l.:s&jAkXBtxJ!+
Aug 15, 2023 06:36:12.927781105 CEST	2830	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 38 31 35 31 33 33 34 Data Ascii: 000H010UAnyDesk Client0 230815133457Z20730802133457Z010UAnyDesk Client0"0H0R\JImsfol9oD.2/)"iz4w8qq[&ThYlR`{[
Aug 15, 2023 06:36:12.950247049 CEST	2830	IN	Data Raw: 15 03 03 00 02 02 2d Data Ascii: -

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49787	92.223.88.41	80	C:\Users\user\Desktop\livechat.exe

Timestamp	kBytes transferred	Direction	Data
Aug 15, 2023 06:37:18.970153093 CEST	2861	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 c2 e5 97 89 1f d5 9a 40 01 15 4c c5 0a 76 66 db eb 8d 18 b0 c6 50 c1 0f 04 00 fe 15 2b 72 80 07 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: @LvfP+rn0,($kjih98762.*&=5/+'#g@?>32101-)%</r#
Aug 15, 2023 06:37:18.992398977 CEST	2862	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 19 d0 09 d0 c5 e3 49 0c be b2 2f a5 d6 b3 06 02 7e 75 3c c5 b2 34 3e d1 44 4f 57 4e 47 52 44 01 20 0f d5 f1 fd 30 39 2a 12 9f 11 aa 0d 62 77 d1 c4 48 47 e4 2c cd 26 97 1d c9 93 65 72 aa d7 a4 0c c0 2c 00 00 0b ff Data Ascii: WSI/~u<4>DOWNGRD 09bwHG,&er,C0?0'0vtS$0H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Aug 15, 2023 06:37:18.992433071 CEST	2862	IN	Data Raw: e6 e8 20 b9 4b 8b bb 63 de 6f 65 6a 9f 5d d7 c1 97 9b 2d 30 4e 9a 81 85 b4 1c 92 a6 ed d8 7a f9 df 9d 03 b3 90 9c 78 a9 c8 ba 0e 3c ac ec 14 db 7d 51 b3 97 06 b9 f6 77 60 ab fe 59 83 af 8e 97 56 29 c7 db 7e 71 79 d1 c7 f7 da b6 c8 f7 af 8f 24 e0 Data Ascii: Kcoej]-0Nzx<}Qw`YV)~qy$ZG\|'SO^jl$\|XM+")+{n\&9S\|4xLp\|aZ.qDL\vq$;OroCs4\|z\8[TRxU>R
Aug 15, 2023 06:37:18.992456913 CEST	2863	IN	Data Raw: 35 35 5a 17 0d 32 34 30 34 30 38 30 32 33 37 35 35 5a 30 48 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 4e 65 74 20 52 6f 6f 74 20 43 41 31 20 30 1e 06 03 55 04 0a 0c 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 Data Ascii: 55Z240408023755Z0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0"0*H0AZ T7;h8m&i6p4p]\|Zx1\{ZQ/3'h;jlaV
Aug 15, 2023 06:37:18.992477894 CEST	2864	IN	Data Raw: 3c 1f 22 91 25 17 15 cc 42 82 da 3b a8 39 c7 2a 50 ca d9 4c a0 8c 95 33 75 03 70 b8 df a0 c9 b2 b2 8b 1b 38 83 79 32 c3 12 da 33 96 42 f4 91 11 aa c6 26 31 bc ea 43 8a 30 54 65 c5 43 9e 50 3b fa 91 93 0e 9d 3b 23 4a 3d 43 c1 c6 22 9b 68 af 2f fc Data Ascii: <"%B;9PL3up8y23B&1C0TeCP;;#J=C"h/R"j.P0N0UeyXW6\bG0U#0eyXW6\bG0U00HG`4%(^0VGv T=#
Aug 15, 2023 06:37:18.992501020 CEST	2864	IN	Data Raw: ca b6 9b 39 e6 cf 27 d0 2c 99 74 d4 ca de 47 88 ed df f7 9c 3b ac 8a 62 d2 75 90 d9 00 81 d3 f8 c2 47 8e 9a bd 87 6d ce e5 9a 7f 28 76 a4 77 c6 3f b9 bf 4d f1 cb df 0f 2c 73 fe b4 60 e3 26 5e 83 f2 ae 36 56 94 e9 a7 9d a1 3d ca 5d 6e 3d 5d a8 6f Data Ascii: 9',tG;buGm(vw?M,s`&^6V=]n=]oh'g4E4{%QT?*Qd9wsfI+\+Wfp;q.Lgr:>4m`=D^!`l.:s&jAZ$ %J0A6.\{1k+
Aug 15, 2023 06:37:19.007570982 CEST	2865	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 38 31 35 31 33 33 34 Data Ascii: 000H010UAnyDesk Client0 230815133457Z20730802133457Z010UAnyDesk Client0"0H0R\JImsfol9oD.2/)"iz4w8qq[&ThYlR`{[
Aug 15, 2023 06:37:19.027920008 CEST	2865	IN	Data Raw: 15 03 03 00 02 02 2d Data Ascii: -

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49792	49.12.130.236	80	C:\Users\user\Desktop\livechat.exe

Timestamp	kBytes transferred	Direction	Data
Aug 15, 2023 06:38:31.215631008 CEST	2889	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 cd 38 d1 9e 7f 68 4c b9 62 32 aa 92 93 f1 8b 2f 16 bf 32 3f 48 f7 a2 76 58 d4 96 a3 a2 79 33 1d 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: 8hLb2/2?HvXy3n0,($kjih98762.*&=5/+'#g@?>32101-)%</r#
Aug 15, 2023 06:38:31.241360903 CEST	2891	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 c2 07 a2 aa 3c 27 07 8b 31 dd 9d ec 82 c2 57 d1 ac ab 68 b9 7d 99 13 62 44 4f 57 4e 47 52 44 01 20 17 68 d9 89 a6 9e 72 8f 0b e7 53 49 1b ee 65 ef c9 74 77 9b 37 64 f0 f1 40 e6 3e 5b 56 04 1e d7 c0 2c 00 00 0b ff Data Ascii: WS<'1Wh}bDOWNGRD hrSIetw7d@>[V,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Aug 15, 2023 06:38:31.241554022 CEST	2892	IN	Data Raw: 5a eb 51 2f 97 bf f6 fb 33 27 90 b3 d8 e4 e0 cd 68 3b 6a 87 6c a6 0d e7 d8 bd 61 df 56 6b 2a e1 1c 2b f5 9f bf 85 dd 8c 5b 06 1e 71 7f ba 4a a6 40 b0 77 17 ea 2c 3f 5b 94 14 85 2e ad 11 61 ab 88 f6 01 bb b3 47 6b e2 81 18 f1 8e 39 e6 d8 7b 0c 63 Data Ascii: ZQ/3'h;jlaVk*+[qJ@w,?[.aGk9{cpu'-5={{Hy8-&~K2vf/bj@kXScuxI#ph3/L^}a}4AkP+g_R4gs@lo67Jv"rR}uMU#[~.K_e
Aug 15, 2023 06:38:31.241597891 CEST	2892	IN	Data Raw: 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 09 06 03 55 04 06 13 02 44 45 16 03 03 00 04 0e 00 00 00 Data Ascii: philandro Software GmbH10UDE
Aug 15, 2023 06:38:31.254540920 CEST	2893	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 38 31 35 31 33 33 34 Data Ascii: 000H010UAnyDesk Client0 230815133457Z20730802133457Z010UAnyDesk Client0"0H0R\JImsfol9oD.2/)"iz4w8qq[&ThYlR`{[
Aug 15, 2023 06:38:31.277512074 CEST	2893	IN	Data Raw: 15 03 03 00 02 02 2d Data Ascii: -

Target ID:	0
Start time:	06:34:49
Start date:	15/08/2023
Path:	C:\Users\user\Desktop\livechat.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\livechat.exe
Imagebase:	0x170000
File size:	4'040'776 bytes
MD5 hash:	30C9C57AA570088D745FAC7BFD05B805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	06:34:52
Start date:	15/08/2023
Path:	C:\Users\user\Desktop\livechat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\livechat.exe" --local-service
Imagebase:	0x170000
File size:	4'040'776 bytes
MD5 hash:	30C9C57AA570088D745FAC7BFD05B805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:34:52
Start date:	15/08/2023
Path:	C:\Users\user\Desktop\livechat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\livechat.exe" --local-control
Imagebase:	0x170000
File size:	4'040'776 bytes
MD5 hash:	30C9C57AA570088D745FAC7BFD05B805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 001719FE Relevance: 3.1, APIs: 2, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00000028,00000004,00000000,00171CCE,?), ref: 00171A84
VirtualProtect.KERNELBASE(?,00000028,00000000,00000000), ref: 00171A9B

Memory Dump Source

Source File: 00000000.00000002.885609202.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.885591090.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885661159.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885683923.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_livechat.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7900f03132aa8ea0f9a3c1586b97cc3ba616970e8717817d8618bc364275d000
Instruction ID: 23f4d6e5bf3472a4e274bc3269ccdc9a09eb5e68c2c15ef6a5699d3bc969362c
Opcode Fuzzy Hash: 7900f03132aa8ea0f9a3c1586b97cc3ba616970e8717817d8618bc364275d000
Instruction Fuzzy Hash: 7611D37A641704BBC720CF988C85AFAB3F8EB14741F018529FD4AE7141E7B0E985D760

Uniqueness

Uniqueness Score: -1.00%

Function 00171000 Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,00171B87,?,?,?,00C9AE00,00174000,00CAAE00,?), ref: 00171045

Memory Dump Source

Source File: 00000000.00000002.885609202.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.885591090.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885661159.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885683923.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_livechat.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c3050df081ff192bad6e48b1c04ad2d7857caf7edfc2f1154489a863bab510f
Instruction ID: e04a042704b5c0ec22536322f57244ac5c1547672df37a4988b6f052563fd210
Opcode Fuzzy Hash: 5c3050df081ff192bad6e48b1c04ad2d7857caf7edfc2f1154489a863bab510f
Instruction Fuzzy Hash: BD414FB16007019FC724CF29C880A66B7F5FF58300B65C92EE59E8BA51E375E885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00171E47 Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00171E5A

Memory Dump Source

Source File: 00000000.00000002.885609202.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.885591090.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885661159.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885683923.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_livechat.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c508b9fb457d150ac8c4667e4f6ac3cc2e4b689755fb035ab84f33263a2c6401
Instruction ID: c0cfe6c82aa4570a8fdf39b789ba4d185c41a4896fbebcfbca768b95fbdf7759
Opcode Fuzzy Hash: c508b9fb457d150ac8c4667e4f6ac3cc2e4b689755fb035ab84f33263a2c6401
Instruction Fuzzy Hash: 68C00236505122EFCB515BD4E80CEC6BBA4AF48765F068844F2499B065C6309885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00171E30 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,?,00171CD9,?,?), ref: 00171E44

Memory Dump Source

Source File: 00000000.00000002.885609202.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.885591090.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885661159.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885683923.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_livechat.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e6a1e7e3b3c212856e1278bddcfe216b9ab4a0ee266ef8b0c13965b2a89fb60
Instruction ID: 55e712274459ceff886bbd9faba6cd42d4ab5d0a8a422510eef9bffc4ce9c885
Opcode Fuzzy Hash: 8e6a1e7e3b3c212856e1278bddcfe216b9ab4a0ee266ef8b0c13965b2a89fb60
Instruction Fuzzy Hash: 76C04835215111EFCB969BD8D84CF097BE4BB88B16F0898A4F219CB268C6309880DB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00172DFD Relevance: .5, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.885609202.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.885591090.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885661159.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.885683923.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_livechat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce03736571f7384aa8c04e8d34d240d6cb8dd275eb8716f0e0fd7af206312961
Instruction ID: dc770f8c9fb6aff1e7d98013d0d698009814ef03ea7a64e35c77aa796a1f8ec6
Opcode Fuzzy Hash: ce03736571f7384aa8c04e8d34d240d6cb8dd275eb8716f0e0fd7af206312961
Instruction Fuzzy Hash: 63125131D00129DFCB18CF68C5945BCBBB2EF84356F25C56AE95AAB291D7309F81DB80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: livechat.exePID: 1412, Parent PID: 7020COMMON

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	93.7%
Signature Coverage:	9.8%
Total number of Nodes:	615
Total number of Limit Nodes:	17

Executed Functions

Function 005E4B20 Relevance: 70.4, APIs: 24, Strings: 16, Instructions: 361
filesynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_vswprintf_s.LIBCMT ref: 005E4B87
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 005E4BA9
OutputDebugStringA.KERNEL32(AnyDesk: Mutex broken!), ref: 005E4BD5
_strncmp.LIBCMT ref: 005E4C17
_strncmp.LIBCMT ref: 005E4C33
_strncpy.LIBCMT ref: 005E4CC9
_strncpy.LIBCMT ref: 005E4CE2
GetSystemTime.KERNEL32(?), ref: 005E4D20
TlsGetValue.KERNEL32(00000023), ref: 005E4D2A
__itow.LIBCMT ref: 005E4D5C
GetCurrentThreadId.KERNEL32 ref: 005E4DDA
GetCurrentProcessId.KERNEL32(00000000), ref: 005E4DE1
__snprintf.LIBCMT ref: 005E4E24
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005E4E42
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005E4E7B
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005E4E8D
_memmove.LIBCMT ref: 005E4EC1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005E4ED3
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005E4EEC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005E4EFB
SetEndOfFile.KERNEL32(00000000), ref: 005E4F05
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005E4F3B
RtlEnterCriticalSection.NTDLL(00D9F0D0), ref: 005E4F97
RaiseException.KERNEL32(00002329,00000000,00000000,00000000), ref: 005E4FA8

Strings

warning, xrefs: 005E4D9C
lsvc, xrefs: 005E4DE8
%7s %4i-%02i-%02i %02i:%02i:%02i.%03i %10s %6lu %6lu %4s %32s - %s, xrefs: 005E4D69
error, xrefs: 005E4DA3, 005E4E10
%d times: %s, xrefs: 005E4C8B
verbose, xrefs: 005E4DBF
explode, xrefs: 005E4DB8
auth, xrefs: 005E4DB1
AnyDesk: Mutex broken!, xrefs: 005E4BD0
debug, xrefs: 005E4D8E
AnyDesk: Timeout in trace., xrefs: 005E4BC9
AnyDesk: Wait failed., xrefs: 005E4BC2
intern, xrefs: 005E4D87
invalid, xrefs: 005E4DC6
info, xrefs: 005E4D95
crash, xrefs: 005E4DAA

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: File$Pointer$CurrentWrite_strncmp_strncpy$CriticalDebugEnterExceptionObjectOutputProcessRaiseReadSectionSingleStringSystemThreadTimeValueWait__itow__snprintf_memmove_vswprintf_s
String ID: %d times: %s$%7s %4i-%02i-%02i %02i:%02i:%02i.%03i %10s %6lu %6lu %4s %32s - %s$AnyDesk: Mutex broken!$AnyDesk: Timeout in trace.$AnyDesk: Wait failed.$auth$crash$debug$error$explode$info$intern$invalid$lsvc$verbose$warning
API String ID: 4093955403-912371753
Opcode ID: 29f0fda3a7d3da33d5b114fc43f322a2510e02bca47517cefbbd9be3502520e9
Instruction ID: 517bdd6710f2e7851e1718fa361c21e0a849e404b253fc867df8d2eefc538ada
Opcode Fuzzy Hash: 29f0fda3a7d3da33d5b114fc43f322a2510e02bca47517cefbbd9be3502520e9
Instruction Fuzzy Hash: D3D106B1A00284AFDF28CF65DCC4BAE7B68BB48700F144569FA459B285D778DD40CF65

Uniqueness

Uniqueness Score: -1.00%

Function 005E4A00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,?), ref: 005E4A57
GetLastError.KERNEL32(?), ref: 005E4A5D
CreateFileW.KERNEL32(034886F8,C0000000,00000007,00000000,00000004,00000000,00000000,?), ref: 005E4A99
GetLastError.KERNEL32 ref: 005E4AAD
RevertToSelf.ADVAPI32 ref: 005E4AD9
CloseHandle.KERNEL32(FFFFFFFF), ref: 005E4AED

Part of subcall function 005E47F0: GetCurrentProcess.KERNEL32(0000000C,?,00D9F0D0,?,00D9F0D0), ref: 005E4806
Part of subcall function 005E47F0: OpenProcessToken.ADVAPI32(00000000), ref: 005E480D
Part of subcall function 005E47F0: GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 005E4832
Part of subcall function 005E47F0: GetLastError.KERNEL32 ref: 005E4838
Part of subcall function 005E47F0: CloseHandle.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 005E4850

Part of subcall function 005E47A0: GetCurrentThread.KERNEL32 ref: 005E47B6
Part of subcall function 005E47A0: OpenThreadToken.ADVAPI32(00000000,?,005E4A38,?), ref: 005E47BD
Part of subcall function 005E47A0: CloseHandle.KERNEL32(?,?,005E4A38,?), ref: 005E47D6

Part of subcall function 005E48B0: GetCurrentProcessId.KERNEL32(?,00D9F0D0,00D9F0D0), ref: 005E48D6
Part of subcall function 005E48B0: ProcessIdToSessionId.KERNEL32(00000000), ref: 005E48DD
Part of subcall function 005E48B0: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 005E4912

Strings

Couldn't open the trace file (%08lx)., xrefs: 005E4AB4
Couldn't impersonate (%08lx)., xrefs: 005E4A64

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: CloseHandleProcess$CurrentErrorLastToken$OpenThread$CreateFileImpersonateInformationLoggedRevertSelfSessionUser
String ID: Couldn't impersonate (%08lx).$Couldn't open the trace file (%08lx).
API String ID: 432512558-3770443821
Opcode ID: c823abccb396ab4d232f18f98b85f92538a61eddbddb58b4ca257583cc6e7e63
Instruction ID: e82195acacdf9ec2c222552448c662816e62538afa89cb0d734d0f09f64f3b77
Opcode Fuzzy Hash: c823abccb396ab4d232f18f98b85f92538a61eddbddb58b4ca257583cc6e7e63
Instruction Fuzzy Hash: D52124705847C16BEB385B76AC0C3193F89BF45338F048724F9E8961D1E7B498958FAA

Uniqueness

Uniqueness Score: -1.00%

Function 005E47F0 Relevance: 12.1, APIs: 8, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0000000C,?,00D9F0D0,?,00D9F0D0), ref: 005E4806
OpenProcessToken.ADVAPI32(00000000), ref: 005E480D
GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 005E4832
GetLastError.KERNEL32 ref: 005E4838
CloseHandle.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 005E4850
GetTokenInformation.KERNELBASE(FFFFFFFF,00000001(TokenIntegrityLevel),?,00000000,00000000), ref: 005E487A
FindCloseChangeNotification.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 005E488D
IsWellKnownSid.ADVAPI32(?,00000016,?,00000000,00000000), ref: 005E4898

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: Token$CloseInformationProcess$ChangeCurrentErrorFindHandleKnownLastNotificationOpenWell
String ID:
API String ID: 3729429321-0
Opcode ID: 5be8a2e41d0ed4d4a917cf97fe1a3caf08b5bae89241142d6aacba4a344e3faa
Instruction ID: dd16cffecb126aab60a1b7e778b51b3e2dd84b0611d594a584848af8f9189028
Opcode Fuzzy Hash: 5be8a2e41d0ed4d4a917cf97fe1a3caf08b5bae89241142d6aacba4a344e3faa
Instruction Fuzzy Hash: 9221AA31B00285A7DF24DBA5DC85BAE7B7CFB48721F200654FA58E71D0D7349E058A65

Uniqueness

Uniqueness Score: -1.00%

Function 007410F2 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0074110C

Part of subcall function 00742E11: __FF_MSGBANNER.LIBCMT ref: 00742E2A
Part of subcall function 00742E11: __NMSG_WRITE.LIBCMT ref: 00742E31
Part of subcall function 00742E11: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00742E56

std::exception::exception.LIBCMT ref: 00741141
std::exception::exception.LIBCMT ref: 0074115B
__CxxThrowException@8.LIBCMT ref: 0074116C

Strings

$, xrefs: 007411AD

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: $
API String ID: 615853336-3993045852
Opcode ID: a3c0c3c8c13aef889bac3a52c247de4057a4f04330f2e02cb65a1997cc44f42f
Instruction ID: 79f151b6d2add5d6a8cda9d9713223b68ff386dafb213796e29463b06be939e8
Opcode Fuzzy Hash: a3c0c3c8c13aef889bac3a52c247de4057a4f04330f2e02cb65a1997cc44f42f
Instruction Fuzzy Hash: 4F61E031A0021AEBDF24FF58D9467AE77A4BF11364FA0022AE811E7181D7BC8ED1C756

Uniqueness

Uniqueness Score: -1.00%

Function 0064E340 Relevance: 7.5, APIs: 5, Instructions: 44
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0064E359
SetEvent.KERNEL32(?,?,?,?,007AD058,000000FF,0064E32B), ref: 0064E371
OleUninitialize.OLE32(?,?,?,007AD058,000000FF,0064E32B), ref: 0064E397
TlsGetValue.KERNEL32(?,?,?,?,007AD058,000000FF,0064E32B), ref: 0064E3A7
TlsSetValue.KERNEL32(?,00000000), ref: 0064E3BF

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: Value$EventInitializeUninitialize
String ID:
API String ID: 566941487-0
Opcode ID: 5e36dd2b6463bef825982adbd4f0f6f5b73bee922bdece6c1fc9e79c30b01351
Instruction ID: 837ce89874c8ff41560a97fd2b2910248935180189ac9d011345846cbad66eea
Opcode Fuzzy Hash: 5e36dd2b6463bef825982adbd4f0f6f5b73bee922bdece6c1fc9e79c30b01351
Instruction Fuzzy Hash: 870171B5600780ABD711AF64DC49B1B76A9BB84B14F408D2DF446C77A1EB79E4008A56

Uniqueness

Uniqueness Score: -1.00%

Function 001719FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,00000028,00000004,00000000,00171CCE,?), ref: 00171A84
VirtualProtect.KERNEL32(?,00000028,00000000,00000000), ref: 00171A9B

Strings

.itext, xrefs: 00171A54
.text, xrefs: 00171A22

Memory Dump Source

Source File: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: ProtectVirtual
String ID: .itext$.text
API String ID: 544645111-3616233406
Opcode ID: 7900f03132aa8ea0f9a3c1586b97cc3ba616970e8717817d8618bc364275d000
Instruction ID: 23f4d6e5bf3472a4e274bc3269ccdc9a09eb5e68c2c15ef6a5699d3bc969362c
Opcode Fuzzy Hash: 7900f03132aa8ea0f9a3c1586b97cc3ba616970e8717817d8618bc364275d000
Instruction Fuzzy Hash: 7611D37A641704BBC720CF988C85AFAB3F8EB14741F018529FD4AE7141E7B0E985D760

Uniqueness

Uniqueness Score: -1.00%

Function 00171000 Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,00000040,?,?,?,?,00171B87,?,?,?,00C9AE00,00174000,00CAAE00,?), ref: 00171045

Memory Dump Source

Source File: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8ad0bd426fc4e14450ebb4a25b13beb1236773bfd8cb879707df8a141987a14b
Instruction ID: e04a042704b5c0ec22536322f57244ac5c1547672df37a4988b6f052563fd210
Opcode Fuzzy Hash: 8ad0bd426fc4e14450ebb4a25b13beb1236773bfd8cb879707df8a141987a14b
Instruction Fuzzy Hash: BD414FB16007019FC724CF29C880A66B7F5FF58300B65C92EE59E8BA51E375E885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00750E3A Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00750E7D

Part of subcall function 00747E11: __getptd_noexit.LIBCMT ref: 00747E11

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 3d8e6161cb5a0c7a8748a8a2afe821a2a51577fbb29df7beebb81e7117dd585d
Instruction ID: 3bbf66c2642ca03061f8ded02b8fe82619536360d262f3fa6752404d453f8bc7
Opcode Fuzzy Hash: 3d8e6161cb5a0c7a8748a8a2afe821a2a51577fbb29df7beebb81e7117dd585d
Instruction Fuzzy Hash: 7401F5352013519EEB29AF21EC06BAB3354AF81722F244E29EC15CA190D7B8CC0487D0

Uniqueness

Uniqueness Score: -1.00%

Function 0074187A Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007488A1: __lock.LIBCMT ref: 007488A3

__onexit_nolock.LIBCMT ref: 00741892

Part of subcall function 00741793: RtlDecodePointer.NTDLL(00D9E280), ref: 007417A8
Part of subcall function 00741793: RtlDecodePointer.NTDLL ref: 007417B5
Part of subcall function 00741793: __realloc_crt.LIBCMT ref: 007417F2
Part of subcall function 00741793: __realloc_crt.LIBCMT ref: 00741808
Part of subcall function 00741793: RtlEncodePointer.NTDLL(00000000), ref: 0074181A
Part of subcall function 00741793: RtlEncodePointer.NTDLL(88735C9C), ref: 0074182E
Part of subcall function 00741793: RtlEncodePointer.NTDLL(-00000004), ref: 00741836

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 075e26d2d8154ef8016ee8dd7c9d7db41917e28f2d4d01f27535b5077b1e1ab1
Instruction ID: 0d2d58e55cee5d0598ecce348ba60fbf4f28477fac3a8db9243279e9ee5d9f46
Opcode Fuzzy Hash: 075e26d2d8154ef8016ee8dd7c9d7db41917e28f2d4d01f27535b5077b1e1ab1
Instruction Fuzzy Hash: F8D05E30C11308EAEB51FFB4D94E7AD7B706F00320FA08224B0206A1E2CF7C4A419B42

Uniqueness

Uniqueness Score: -1.00%

Function 00171E47 Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00171E5A

Memory Dump Source

Source File: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c508b9fb457d150ac8c4667e4f6ac3cc2e4b689755fb035ab84f33263a2c6401
Instruction ID: c0cfe6c82aa4570a8fdf39b789ba4d185c41a4896fbebcfbca768b95fbdf7759
Opcode Fuzzy Hash: c508b9fb457d150ac8c4667e4f6ac3cc2e4b689755fb035ab84f33263a2c6401
Instruction Fuzzy Hash: 68C00236505122EFCB515BD4E80CEC6BBA4AF48765F068844F2499B065C6309885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00171E30 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,?,00171CD9,?,?), ref: 00171E44

Memory Dump Source

Source File: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e6a1e7e3b3c212856e1278bddcfe216b9ab4a0ee266ef8b0c13965b2a89fb60
Instruction ID: 55e712274459ceff886bbd9faba6cd42d4ab5d0a8a422510eef9bffc4ce9c885
Opcode Fuzzy Hash: 8e6a1e7e3b3c212856e1278bddcfe216b9ab4a0ee266ef8b0c13965b2a89fb60
Instruction Fuzzy Hash: 76C04835215111EFCB969BD8D84CF097BE4BB88B16F0898A4F219CB268C6309880DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0074BA5E Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0074BA60

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ac7dfc82c00515bf74ee9bcb2f37eeee2ce121bd993bac7a670c84228f2675b6
Instruction ID: 2d8256fbddac3722b679238a7f8fd15a7d6588dec95be3af0a0b84cdb7b0ca5e
Opcode Fuzzy Hash: ac7dfc82c00515bf74ee9bcb2f37eeee2ce121bd993bac7a670c84228f2675b6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 007538F9 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0075CA3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0075CA4F
UnhandledExceptionFilter.KERNEL32(007F7B44), ref: 0075CA5A
GetCurrentProcess.KERNEL32(C0000409), ref: 0075CA76
TerminateProcess.KERNEL32(00000000), ref: 0075CA7D

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: cf2638cbafc91d9d16660ca674f77feb2e921bf8c25477e12f528ca26eeae0ad
Instruction ID: 580341cd387ff3eca4ac1698192ec83ff2df9ba161add387c2f32b736f842c8f
Opcode Fuzzy Hash: cf2638cbafc91d9d16660ca674f77feb2e921bf8c25477e12f528ca26eeae0ad
Instruction Fuzzy Hash: C821C0B8515344EFD700DF24E989A547BB4FB08301F14591BF949CB360E7B85985CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 003B42D0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00650D10: LoadLibraryW.KERNEL32(advapi32.dll,00D9F0D0,?,005E512D), ref: 00650D29
Part of subcall function 00650D10: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00650D49
Part of subcall function 00650D10: _free.LIBCMT ref: 00650D74

GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorW), ref: 003B42F6
GetProcAddress.KERNEL32(003B6560,OpenEventLogA), ref: 003B4310
GetProcAddress.KERNEL32(003BED80,CloseEventLog), ref: 003B432A
GetProcAddress.KERNEL32(005DF960,ReportEventA), ref: 003B4344
GetProcAddress.KERNEL32(003B6570,CreateProcessWithTokenW), ref: 003B435E

Strings

ReportEventA, xrefs: 003B433E
ConvertStringSecurityDescriptorToSecurityDescriptorW, xrefs: 003B42F0
advapi32.dll, xrefs: 003B42D4
OpenEventLogA, xrefs: 003B430A
CloseEventLog, xrefs: 003B4324
CreateProcessWithTokenW, xrefs: 003B4358

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: AddressProc$ErrorLastLibraryLoad_free
String ID: CloseEventLog$ConvertStringSecurityDescriptorToSecurityDescriptorW$CreateProcessWithTokenW$OpenEventLogA$ReportEventA$advapi32.dll
API String ID: 1327587910-3518705215
Opcode ID: e58f1d4905505c67e05d1916df1ea0f3ba9ad16c70691f5266dc93daf8311821
Instruction ID: 7a415533c58e0408bd2ecc10af4020dc04d093a22d6848c6500060fb18effc47
Opcode Fuzzy Hash: e58f1d4905505c67e05d1916df1ea0f3ba9ad16c70691f5266dc93daf8311821
Instruction Fuzzy Hash: A5116978B01313579B51DF7E9C00B967BE8AF50B897094436ED08D7A41F734EC6087A8

Uniqueness

Uniqueness Score: -1.00%

Function 0074B264 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0074B270

Part of subcall function 0074BC4B: __getptd_noexit.LIBCMT ref: 0074BC4E
Part of subcall function 0074BC4B: __amsg_exit.LIBCMT ref: 0074BC5B

__amsg_exit.LIBCMT ref: 0074B290
__lock.LIBCMT ref: 0074B2A0
InterlockedDecrement.KERNEL32(?), ref: 0074B2BD
_free.LIBCMT ref: 0074B2D0
InterlockedIncrement.KERNEL32(03481608), ref: 0074B2E8

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: b397f007ccab5d685791822eb5e66d5dc6477bc50e1090d750b896fab92736a7
Instruction ID: 11edeed90f2ffe1f6dac7a1012d8684cd0f91aebf5b4351c7dc2087b9236b9fc
Opcode Fuzzy Hash: b397f007ccab5d685791822eb5e66d5dc6477bc50e1090d750b896fab92736a7
Instruction Fuzzy Hash: 4501B532E01721EBDB62BF64988A76D77A0BF05750F040519F814A7290DBBCEE41CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00743449 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00743457

Part of subcall function 00742E11: __FF_MSGBANNER.LIBCMT ref: 00742E2A
Part of subcall function 00742E11: __NMSG_WRITE.LIBCMT ref: 00742E31
Part of subcall function 00742E11: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00742E56

_free.LIBCMT ref: 0074346A

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 28d7d1b0aa8a9976734adeadc93ed5dba30b50be9768c0e472b1be8455fbe31e
Instruction ID: e4c27d00bceb4965c61a9c9afa7fb9701d15bc6699405af4aeb72257948aac77
Opcode Fuzzy Hash: 28d7d1b0aa8a9976734adeadc93ed5dba30b50be9768c0e472b1be8455fbe31e
Instruction Fuzzy Hash: 7111CA32905661EBCB273B78AC096F93B94DF44370F214965F84D9B152EB3DCE918690

Uniqueness

Uniqueness Score: -1.00%

Function 0075AEDF Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0075AF13
__isleadbyte_l.LIBCMT ref: 0075AF46
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?), ref: 0075AF77
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?), ref: 0075AFE5

Memory Dump Source

Source File: 00000001.00000002.885683324.0000000000176000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000001.00000002.885590206.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885608687.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.885660775.0000000000175000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.886559874.00000000007EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887282761.0000000000CF6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000D9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887533855.0000000000DA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887580262.0000000000DA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887596865.0000000000DA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887811688.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.887828312.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.890457993.00000000011EF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170000_livechat.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: eb96e314a272a342004757569207da460160de896e555d47369ea4178606ca0b
Instruction ID: 33b9ece746f39ea1f69c190992497c0c649b684e4945f6fc5b5f34c70e36d6e5
Opcode Fuzzy Hash: eb96e314a272a342004757569207da460160de896e555d47369ea4178606ca0b
Instruction Fuzzy Hash: A031A0B1A00246FFDB20DF64C8849E93BA5BF01312B1486B9F8628B1D1E774DD44DB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report livechat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\AnyDesk\ad.trace

C:\Users\user\AppData\Roaming\AnyDesk\service.conf

C:\Users\user\AppData\Roaming\AnyDesk\system.conf

C:\Users\user\AppData\Roaming\AnyDesk\user.conf

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XF7ZTS9N8O6QZ2F7EP2E.temp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
livechat.exe

Function 001719FE Relevance: 3.1, APIs: 2, Instructions: 71
memoryCOMMON

Function 00171000 Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Function 00171E47 Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Function 00171E30 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Function 00172DFD Relevance: .5, Instructions: 500
COMMON

Function 005E4B20 Relevance: 70.4, APIs: 24, Strings: 16, Instructions: 361
filesynchronizationtimeCOMMON

Function 005E4A00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78
fileCOMMON

Function 005E47F0 Relevance: 12.1, APIs: 8, Instructions: 81
COMMON

Function 007410F2 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 208
COMMON

Function 0064E340 Relevance: 7.5, APIs: 5, Instructions: 44
comCOMMON

Function 001719FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71
memoryCOMMON

Function 00171000 Relevance: 1.6, APIs: 1, Instructions: 107
memoryCOMMON

Function 00750E3A Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Function 0074187A Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Function 00171E47 Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Function 00171E30 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Function 0074BA5E Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE