Windows Analysis Report
AnyDesk.exe

Overview

General Information

Sample name: AnyDesk.exe
Analysis ID: 1387604
MD5: a21768190f3b9feae33aaef660cb7a83
SHA1: 24780657328783ef50ae0964b23288e68841a421
SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: DNS Query To Remote Access Software Domain From Non-Browser App
Tries to disable installed Antivirus / HIPS / PFW
Tries to load missing DLLs
Uses 32bit PE files

Classification

  • System is w7x64
  • AnyDesk.exe (PID: 2560 cmdline: C:\Users\user\Desktop\AnyDesk.exe MD5: A21768190F3B9FEAE33AAEF660CB7A83)
    • AnyDesk.exe (PID: 2872 cmdline: "C:\Users\user\Desktop\AnyDesk.exe" --local-service MD5: A21768190F3B9FEAE33AAEF660CB7A83)
    • AnyDesk.exe (PID: 3012 cmdline: "C:\Users\user\Desktop\AnyDesk.exe" --local-control MD5: A21768190F3B9FEAE33AAEF660CB7A83)
  • cleanup
No configs have been found
No yara matches
Source: DNS query; Author: frack113, Connor Martin; Data: Image: C:\Users\user\Desktop\AnyDesk.exe, QueryName: boot.net.anydesk.com
No Snort rule has matched

Source: AnyDesk.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: AnyDesk.exe; Static PE information: certificate valid
Source: unknown; HTTPS traffic detected: 185.156.44.131:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 37.19.203.82:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: AnyDesk.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000003432000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000003432000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608072756.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608072756.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C1E000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdbR source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C1E000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608072756.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C1E000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe, 00000000.00000000.337759397.0000000001E03000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000002.608160088.0000000001E03000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608132345.0000000001E03000.00000002.00000001.01000000.00000003.sdmp
Source: Joe Sandbox View; IP Address: 92.223.88.7
Source: Joe Sandbox View; JA3 fingerprint: c91bde19008eefabce276152ccd51457
Source: unknown; DNS traffic detected: queries for: boot.net.anydesk.com
Source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.anydesk.com/knowledge/waiting-for-image-black-screen
Source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://support.anydesk.com/knowledge/what-is-full-client-management
Source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608272748.0000000004230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/$
Source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.nayuki.io/page/qr-code-generator-library
Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown | HTTPS traffic detected: 185.156.44.131:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 37.19.203.82:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DirectDrawCreateExmemstr_0bc29d2c-0
Source: C:\Users\user\Desktop\AnyDesk.exe | Window created: window name: CLIPBRDWNDCLASS
Source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_9a5b86b8-1
Source: C:\Users\user\Desktop\AnyDesk.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\AnyDesk.exe | Memory allocated: 770B0000 page execute and read and write
Source: AnyDesk.exe | Static PE information: No import functions for PE file found
Source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000002.00000002.608094480.0000000001C1E000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000003.00000003.346088817.0000000000707000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentshrui.dll.muij% vs AnyDesk.exe
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wbemcomn2.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: shcore.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Section loaded: credssp.dll
Source: AnyDesk.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal51.evad.winEXE@5/6@8/4
Source: C:\Users\user\Desktop\AnyDesk.exe | File created: C:\Users\user\AppData\Roaming\AnyDesk
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_4
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_5
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3012_2884_0
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_6
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_18
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_17
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_3012_3410660983_0_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_12
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcstobjmtx
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_11
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_3
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2872_1804_13
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3012_2836_0
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2560_3391160949_0_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Session\1\ad_connect_queue_2872_3409100981_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_808_lsystem_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_3012_3410660983_1_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2560_3391160949_1_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_trace_mtx
Source: AnyDesk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AnyDesk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\AnyDesk.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\AnyDesk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AnyDesk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AnyDesk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AnyDesk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AnyDesk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AnyDesk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AnyDesk.exe | File read: C:\Users\user\Desktop\AnyDesk.exe
Source: unknown | Process created: C:\Users\user\Desktop\AnyDesk.exe C:\Users\user\Desktop\AnyDesk.exe
Source: C:\Users\user\Desktop\AnyDesk.exe | Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exe | Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exe | Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exe | Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32
Source: C:\Users\user\Desktop\AnyDesk.exe | Window found: window name: SysTabControl32
Source: AnyDesk.exe | Static PE information: certificate valid
Source: AnyDesk.exe | Static file information: File size 5216584 > 1048576
Source: AnyDesk.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x4ec800
Source: AnyDesk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AnyDesk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000003432000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000003432000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608072756.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608072756.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C1E000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdbR source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C1E000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000003394000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608072756.0000000001C5A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdb source: AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.608094480.0000000001C1E000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe, 00000000.00000000.337759397.0000000001E03000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000002.608160088.0000000001E03000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608132345.0000000001E03000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\AnyDesk.exe | Unpacked PE file: 2.2.AnyDesk.exe.bc0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\AnyDesk.exe | Unpacked PE file: 3.2.AnyDesk.exe.bc0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\AnyDesk.exe | File opened: C:\Users\user\Desktop\AnyDesk.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\AnyDesk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\AnyDesk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\AnyDesk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE
Source: C:\Users\user\Desktop\AnyDesk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 848 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 2924 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 1072 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 152 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 848 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 1648 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 2888 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 2864 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 2716 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 2888 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\AnyDesk.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AnyDesk.exe | Memory protected: page read and write | page guard
Source: C:\Users\user\Desktop\AnyDesk.exe | Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exe | Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exe | File opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll
Source: C:\Users\user\Desktop\AnyDesk.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\AnyDesk.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\AnyDesk.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exe | Queries volume information: C:\Users\user\Desktop\AnyDesk.exe VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Mitre Att&ck Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 421 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 331 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Hidden Files and Directories; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 41 Security Software Discovery; 1 Process Discovery; 331 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 1 File and Directory Discovery; 133 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 21 Input Capture; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 2 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
AnyDesk.exe | 0% | ReversingLabs
AnyDesk.exe | 0% | Virustotal
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ns.useplus.org/ldf/xmp/1.0/ | 0% | URL Reputation | safe
http://ns.useplus.org/ldf/xmp/1.0/ | 0% | URL Reputation | safe
http://iptc.org/std/Iptc4xmpExt/2008-02-29/ | 0% | URL Reputation | safe
https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
boot.net.anydesk.com | 92.223.88.232 | true | false | | high
relay-82295404.net.anydesk.com | 185.156.44.131 | true | false | | high
relay-96c9f029.net.anydesk.com | 37.19.203.82 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://support.anydesk.com/knowledge/users | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://order.anydesk.com/trial | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/update | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://www.google.com/intl/$ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608272748.0000000004230000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.gimp.org/xmp/ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/de/datenschutz | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://my.anydesk.com | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/es/privacidad | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://my.anydesk.com/auth/realms/myanydesk/protocol/openid-connect/registrations?client_id=myanyde | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/b | AnyDesk.exe, 00000003.00000002.608272748.0000000004230000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/knowledge/my-anydesk-ii#user-management | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/status-desk_rt_ipc_errors. | AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342896881.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.openssl.org/support/faq.html | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/ | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/knowledge/anydesk-account_k | AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/knowledge/status-desk_rt_auto_disconnect | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/privacy | AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://datatracker.ietf.org/ipr/1526/ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.nayuki.io/page/qr-code-generator-library | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://policies.google.com/privacy?hl=$ | AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/pricing/teams | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://datatracker.ietf.org/ipr/1914/ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://my.anydesk.com/v2x | AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/terms | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/what-is-full-client-management | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/en/changelog/windows | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/account-migration | AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/quick-start-guide1 | AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342896881.0000000000A71000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/knowledge/anydesk-for-android-chromeos#troubleshootingQD. | AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/order | AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/contact/sales | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/en/assembly/terms | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://my.anydesk.com/password-generator. | AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com | AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://help.anydesk.com/ | AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/waiting-for-image-black-screen | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://ns.useplus.org/ldf/xmp/1.0/ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://support.anydesk.com/knowledge/status-anynet_overload | AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342896881.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/anydesk-for-android-chromeos#troubleshooting | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608272748.0000000004230000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.opengl.org/registry/ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/contact/sales) | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://iptc.org/std/Iptc4xmpExt/2008-02-29/ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://help.anydesk.com/$ | AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608272748.0000000004230000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/knowledge/quick-start-guide | AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://my.anydesk.com/auth/realms/myanydesk/login-actions/reset-credentials?client_id=myanydesk-fro | AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://support.anydesk.com/knowledge/status-anynet_overload&k | AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/knowledge/status-desk_rt_ipc_error | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://anydesk.com/en/assembly | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://my.anydesk.com/auth/realms/myanydesk/login-actions/reset-credentials | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/en/privacy | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.anydesk.com/HelpLinkInstallLocationAnyDesk | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://datatracker.ietf.org/ipr/1524/ | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://my.anydesk.com/v2 | AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/company#imprint | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://www.openssl.org/) | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://anydesk.com/pricing/teams) | AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.anydesk.com/knowledge/status-desk_rt_auto_disconnectbe | AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKeyparametersprivateKeyECPKPARAMETERSvalue | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid | AnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.343494838.0000000002D00000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://support.anydesk.com/knowledge/anydesk-accountAnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342896881.0000000000A71000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                              high
                                                                                                                              https://support.anydesk.com/knowledge/anydesk-id-and-aliasAnyDesk.exe, 00000000.00000003.339282144.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.342813020.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.340634596.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.342884704.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.607877850.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.346268611.0000000000593000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.607846927.0000000001609000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.608272748.0000000004230000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                • No. of IPs < 25%
                                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
92.223.88.7 | unknown | Austria | 199524 | GCOREAT | false
57.128.101.78 | unknown | Belgium | 2686 | ATGS-MMD-ASUS | false
37.19.203.82 | relay-96c9f029.net.anydesk.com | Ukraine | 31343 | INTERTELECOMUA | false
185.156.44.131 | relay-82295404.net.anydesk.com | Iran (Islamic Republic of) | 9147 | JN-ASIR | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1387604
Start date and time: 2024-02-06 15:49:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AnyDesk.exe
Detection: MAL
Classification: mal51.evad.winEXE@5/6@8/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.76.220.98, 104.76.220.35, 104.76.220.89, 104.76.220.113, 104.76.220.25, 104.76.220.48, 104.76.220.105, 104.76.220.107, 23.40.205.35, 23.40.205.19, 23.40.205.34, 23.40.205.43, 23.40.205.48, 23.40.205.26, 23.40.205.18, 23.40.205.11, 23.40.205.41
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:50:14 | API Interceptor | 1327x Sleep call for process: AnyDesk.exe modified
                                                                                                                                                      • 185.156.44.131
                                                                                                                                                      https://bendigo-desk.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                      • 37.19.203.82
                                                                                                                                                      • 185.156.44.131
                                                                                                                                                      https://bendigo-desk.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                      • 37.19.203.82
                                                                                                                                                      • 185.156.44.131
                                                                                                                                                      Project.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 37.19.203.82
                                                                                                                                                      • 185.156.44.131
                                                                                                                                                      https://download.anydesk.com/AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 37.19.203.82
                                                                                                                                                      • 185.156.44.131
                                                                                                                                                      https://bnz-portal.com/anydesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 37.19.203.82
                                                                                                                                                      • 185.156.44.131
                                                                                                                                                      LiveChat.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 37.19.203.82
                                                                                                                                                      • 185.156.44.131
No context

Process: C:\Users\user\Desktop\AnyDesk.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 32440
Entropy (8bit): 4.4042700669908985
Encrypted: false
SSDEEP: 384:2TeRkjkKbbxNoIpZb1wzpPnSW3194JgeoQSwTh7VoQBuBZQz6bQH8:0pV1wzpPnnlevLTmqsl
MD5: 0FB64038CC29692B61FD5D0DF476399D
SHA1: 445D5A823BA2077B64D38F27E7641C73FC8058F9
SHA-256: 062E0A108D0C5DDE6B039FEA481F4692B21DAA7D08833207F03FC72A9E6D3C54
SHA-512: 6658FCCD58693571BAC46C50731479807DFB461FA6ED83262404E3BD6EF9CA6BB4DC9178AC934761E15E14D678EDA4BF48FEAFA8BDDDF774DD0BE07645EEBD8A
Malicious: false
Reputation: low
Preview:
  * * * * * * * * * * * * * * * * * *
  info 2024-02-06 14:50:14.180 front 2560 2752 main - * AnyDesk Windows Startup *
  info 2024-02-06 14:50:14.180 front 2560 2752 main - * Version 8.0.8 ((detached head) 161cbc3269fd82431aba292c6ced1f1480f4964c)
  info 2024-02-06 14:50:14.180 front 2560 2752 main - * Checksum 48544a05569c2af380b61b4f5af5a087
  info 2024-02-06 14:50:14.180 front 2560 2752 main - * Build 20240127190435
  info 2024-02-06 14:50:14.180 front 2560 2752 main - * Copyright (C) 2024 AnyDesk Software GmbH *
  info 2024-02-06 14:50:14.180 front 2560 2752 main -
  info 2024-02-06 14:50:14.180 front 2560 2752 main - Command Line params: "C:\Users\user\Desktop\AnyDesk.exe"
Process: C:\Users\user\Desktop\AnyDesk.exe
File Type: ASCII text, with very long lines (1747)
Category: dropped
Size (bytes): 2966
Entropy (8bit): 6.03459760152239
Encrypted: false
SSDEEP: 48:uISTPyiQBXsoddBZALPulzszjVZPlKDFlVWOVGQXKOQDTIUeAIy3jTWVZXqAqnIM:uISTqiQBckB6PulozRZPlAoM39JXAx3r
MD5: 5B384CB1F5E217E5DE5C90CBFB36FEBB
SHA1: A26E3AAEFAE1EBD61843404ECCA49E1E3082FB7B
SHA-256: D8A1BB37B08B28EC697FFD54C78E05F40212CE86C96EC17829FFB7D45C8F740F
SHA-512: 7BF83DD38B68352F89FA97C3539DDE83445B000A230628686BA12FC22A132C705A3D80017108607490E848F6B348FF213B3BC37D40E7C49F16FFBA7045086B42
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\AnyDesk.exe
File Type: ASCII text
Category: dropped
Size (bytes): 745
Entropy (8bit): 4.8012007112196695
Encrypted: false
SSDEEP: 12:o745VTl7AfR5sCxiBs7XxGa7lNqQHvWhQ44LroBGgFBGt:PVJ6iBsp5sAw34LtBt
MD5: E8430ABE5E02BDE06905DB0120C0D7D9
SHA1: 3C68D36576A4E56DCB3F24BAD366CADA099328FD
SHA-256: F414705E21E5ACBBFCE1CAC8D4285A5B2036491B1E438FC86F68B12C663A1366
SHA-512: 8AA23D0EE40D3FCDF3743A6269B8B7AE0C14D1C4A64C6AEC96BB0E49E4080F07642C93D3D3BE65D59744DF24EEEE9C4F42F5247226DA0BC6FE24232C4F67773D
Malicious: false
Reputation: low
Preview:
  ad.anynet.alias=
  ad.anynet.client_stats_hash=4ae7660447f7d9981a62fb96f9fb82624b24762f
  ad.anynet.cur_version=34359738374
  ad.anynet.fpr=a405f178599c997b51e54ee15fe6680e57b7bc6e
  ad.anynet.id=1832026083
  ad.anynet.last_relay=relay-96c9f029.net.anydesk.com:80:443:6568
  ad.anynet.network_hash=6e8eedb55653c73ad31e143ba115bdc9c0ecfa22
  ad.anynet.network_id=main
  ad.anynet.relay.fatal_result=1.0
  ad.anynet.relay.state=2
  ad.license.name=free-1
  ad.security.frontend_clipboard=1
  ad.security.frontend_clipboard_files=1
  ad.security.frontend_clipboard_version=1
  ad.security.permission_profiles._default.permissions.sas=1
  ad.security.permission_profiles._unattended_access.permissions.sas=1
  ad.security.permission_profiles.version=1
  ad.security.update_version=1
Process: C:\Users\user\Desktop\AnyDesk.exe
File Type: ASCII text, with very long lines (3261)
Category: modified
Size (bytes): 6149
Entropy (8bit): 4.430600812370588
Encrypted: false
SSDEEP: 96:2J828mnsu9Ou2Ens5lhh2xeKuBXKWR6DKB4M9UEjp/d/5V1GIfvXQi:8D8/QO37hh2SaWwYUktdRSIfPH
MD5: 69537BD4B0104B3C0DDF2D911126CF1B
SHA1: FE0097AA2A29C8AD2F4E2CCABAD4CC5B54EA88A8
SHA-256: CDB374FAB20099C77848B304B350C58A493BA79717069B9BC80D72A8F1D3ED16
SHA-512: 394CF34F2C1667BCB88CB94A62E30CDBA6D821D3E626D58B2B20D37E6BF7AC462468EC7E585BCA19DC513E908749D99CB240FB0AAFDDB27FFDCF141318BA533D
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\AnyDesk.exe
File Type: data
Category: dropped
Size (bytes): 3052
Entropy (8bit): 2.9186176545527984
Encrypted: false
SSDEEP: 24:aLKiv+sKXmxOpKWo74k7XLKiv+sKen1OpSjD74k7c:OmnXsmno74iPmnE1mi74ic
MD5: C9CA9AC20BBBDAA4BDE1D163F578EC67
SHA1: 91B5D067F8BE5A73B6051959843E67C9394B01C0
SHA-256: 4B2D00D8A6B66A34974B6E0028614B39056CED4CE847BF5EE14034F46E5CFDD6
SHA-512: C523BF47B89A54BC40987204C3D7F62C1D85106455DEC836DBDBF06806212B30AF783434F87EA71A53D656A9ACC3ABCAA975AAA55E1BAE112E2257394B2222B6
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.999460832435841
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AnyDesk.exe
File size: 5'216'584 bytes
MD5: a21768190f3b9feae33aaef660cb7a83
SHA1: 24780657328783ef50ae0964b23288e68841a421
SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512: ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP: 98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
TLSH: B23633B622D75CBDF9618B733CD29230A8A98F42E517131ACCD4C56ECBBB7496460CE1
Icon Hash: 499669d8d82916a8
Entrypoint: 0x403653
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x65B545B5 [Sat Jan 27 18:04:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash:
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                                                      Error Number:0
                                                                                                                                                      Not Before, Not After
                                                                                                                                                      • 1/23/2024 4:00:00 PM 1/24/2027 3:59:59 PM
                                                                                                                                                      Subject Chain
                                                                                                                                                      • CN=AnyDesk Software GmbH, O=AnyDesk Software GmbH, L=Stuttgart, S=Baden-W\xfcrttemberg, C=DE
                                                                                                                                                      Version:3
                                                                                                                                                      Thumbprint MD5:D16CE2EEA2FDCA06FCC996480C136743
                                                                                                                                                      Thumbprint SHA-1:646F52926E01221C981490C8107C2F771679743A
                                                                                                                                                      Thumbprint SHA-256:1C58446174BE2A5BBA89595C8D4BBE65EE3146E194F6C98650E6E13F97E24965
                                                                                                                                                      Serial:0A8177FCD8936A91B5E0EDDF995B0BA5
Instruction
push ebp
mov ebp, esp
sub esp, 64h
push esi
lea ecx, dword ptr [ebp-64h]
call 00007FE7911FA70Ah
lea eax, dword ptr [ebp-64h]
mov ecx, eax
mov dword ptr [01B306D8h], eax
call 00007FE7911FA606h
test al, al
jne 00007FE7911FC674h
mov esi, 000003E8h
lea ecx, dword ptr [ebp-64h]
call 00007FE7911FA5F4h
mov eax, esi
pop esi
leave
ret
lea eax, dword ptr [ebp-64h]
push eax
lea ecx, dword ptr [ebp-30h]
call 00007FE7911FA428h
lea eax, dword ptr [ebp-30h]
mov ecx, eax
mov dword ptr [01B306DCh], eax
call 00007FE7911FA3C0h
test al, al
jne 00007FE7911FC671h
lea ecx, dword ptr [ebp-30h]
call 00007FE7911FA3A5h
mov esi, 000003E9h
jmp 00007FE7911FC627h
cmp dword ptr [ebp-10h], 00000000h
je 00007FE7911FC66Ah
push 00000800h
call dword ptr [ebp-10h]
cmp dword ptr [ebp-0Ch], 00000000h
je 00007FE7911FC66Ah
push 00008001h
call dword ptr [ebp-0Ch]
lea eax, dword ptr [ebp-64h]
push eax
lea esi, dword ptr [ebp-30h]
call 00007FE7911FC5B5h
pop ecx
mov esi, eax
push esi
call dword ptr [ebp-20h]
lea ecx, dword ptr [ebp-30h]
call 00007FE7911FA367h
jmp 00007FE7911FC5EEh
mov edx, dword ptr [esp+04h]
push ebx
mov ebx, dword ptr [esp+10h]
push esi
xor esi, esi
test ebx, ebx
je 00007FE7911FC691h
push edi
mov edi, dword ptr [esp+14h]
sub edi, 01B306E0h
imul edx, edx, 0019660Dh
add edx, 3C6EF35Fh
mov eax, edx
shr eax, 0Ch
Programming Language:
• [ C ] VS2010 build 30319
• [C++] VS2010 build 30319
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1731000 | 0x4850 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4f4800 | 0x5148 | .itext
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1736000 | 0x8c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1243000 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2877 | 0x2a00 | 38ddf74646d7c71507a2f445c4e13a1a | False | 0.6016555059523809 | data | 6.561243003584178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x4000 | 0x123f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1243000 | 0x2fe | 0x400 | c335b053dcc75d43ed0fa5946fa2cf08 | False | 0.7373046875 | Matlab v4 mat-file (little endian) \2342$\001\2340, numeric, rows 1706378677, columns 0, imaginary | 5.654356402637509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1244000 | 0x4ecae4 | 0x4ec800 | bd752b52182e641bfef3ef45181dfeec | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1731000 | 0x4850 | 0x4a00 | 466a54e4949eddb65dd9a6c760e7ca12 | False | 0.5120882601351351 | data | 6.01643927970737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1736000 | 0x300 | 0x400 | df96faae07bd22a26d11da4a8c21cc48 | False | 0.15234375 | data | 1.1700563166805085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1731280 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9167848029486816
RT_ICON | 0x1732e10 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.299390243902439
RT_ICON | 0x1733478 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.478494623655914
RT_ICON | 0x1733760 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.48155737704918034
RT_ICON | 0x1733948 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.597972972972973
RT_ICON | 0x1733ac0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.09404315196998124
RT_ICON | 0x1734b68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2047872340425532
RT_GROUP_ICON | 0x1733a70 | 0x4c | data | English | United States | 0.8026315789473685
RT_GROUP_ICON | 0x1734fd0 | 0x22 | data | English | United States | 1.0588235294117647
RT_VERSION | 0x1734ff8 | 0x24c | data | English | United States | 0.4812925170068027
RT_MANIFEST | 0x1735248 | 0x605 | XML 1.0 document, ASCII text | English | United States | 0.45295262816353016
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 6, 2024 15:50:18.882705927 CET | 49162 | 443 | 192.168.2.22 | 92.223.88.7
Feb 6, 2024 15:50:18.882736921 CET | 443 | 49162 | 92.223.88.7 | 192.168.2.22
Feb 6, 2024 15:50:18.883089066 CET | 49162 | 443 | 192.168.2.22 | 92.223.88.7
Feb 6, 2024 15:50:18.890160084 CET | 49162 | 443 | 192.168.2.22 | 92.223.88.7
Feb 6, 2024 15:50:18.890223026 CET | 443 | 49162 | 92.223.88.7 | 192.168.2.22
Feb 6, 2024 15:50:18.890459061 CET | 49162 | 443 | 192.168.2.22 | 92.223.88.7
Feb 6, 2024 15:50:19.014269114 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.218595982 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.218692064 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.226453066 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.430593014 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.432537079 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.432550907 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.432564974 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.432578087 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.432590961 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.432600021 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.432626963 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.448030949 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.653121948 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.653930902 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.654036999 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.661685944 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.866255045 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:19.887759924 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:19.999526978 CET | 49164 | 443 | 192.168.2.22 | 185.156.44.131
Feb 6, 2024 15:50:19.999557972 CET | 443 | 49164 | 185.156.44.131 | 192.168.2.22
Feb 6, 2024 15:50:19.999602079 CET | 49164 | 443 | 192.168.2.22 | 185.156.44.131
Feb 6, 2024 15:50:20.014703989 CET | 49164 | 443 | 192.168.2.22 | 185.156.44.131
Feb 6, 2024 15:50:20.014727116 CET | 443 | 49164 | 185.156.44.131 | 192.168.2.22
Feb 6, 2024 15:50:20.092181921 CET | 80 | 49163 | 57.128.101.78 | 192.168.2.22
Feb 6, 2024 15:50:20.092250109 CET | 49163 | 80 | 192.168.2.22 | 57.128.101.78
Feb 6, 2024 15:50:20.490947008 CET | 443 | 49164 | 185.156.44.131 | 192.168.2.22
Feb 6, 2024 15:50:20.491031885 CET | 49164 | 443 | 192.168.2.22 | 185.156.44.131
Feb 6, 2024 15:50:20.491794109 CET | 49164 | 443 | 192.168.2.22 | 185.156.44.131
Feb 6, 2024 15:50:20.491801023 CET | 443 | 49164 | 185.156.44.131 | 192.168.2.22
Feb 6, 2024 15:50:20.492197037 CET | 443 | 49164 | 185.156.44.131 | 192.168.2.22
Feb 6, 2024 15:50:20.492290020 CET | 49164 | 443 | 192.168.2.22 | 185.156.44.131
Feb 6, 2024 15:50:20.532181978 CET | 49164 | 443 | 192.168.2.22 | 185.156.44.131
Feb 6, 2024 15:50:20.647022963 CET | 49165 | 80 | 192.168.2.22 | 185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:20.874731064 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:20.874803066 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:20.882414103 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:21.110200882 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.113214970 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.113229036 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.113239050 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.113303900 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:21.123234034 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:21.352412939 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.352519035 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.352653980 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:21.360748053 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:21.629400969 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.636600971 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.656618118 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:21.768239021 CET49166443192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:21.768291950 CET4434916637.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.768342972 CET49166443192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:21.783905983 CET49166443192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:21.783936024 CET4434916637.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.884273052 CET8049165185.156.44.131192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:21.884459019 CET4916580192.168.2.22185.156.44.131
                                                                                                                                                      Feb 6, 2024 15:50:22.248486996 CET4434916637.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.248559952 CET49166443192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.249356031 CET49166443192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.249366999 CET4434916637.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.249572039 CET4434916637.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.249624014 CET49166443192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.264897108 CET49166443192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.375804901 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.599144936 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.599236012 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.606414080 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.829021931 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.831578970 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.831607103 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.831624031 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:22.831660032 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:22.842283964 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.066503048 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.066634893 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.066693068 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.074810982 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.338200092 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.401101112 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.482536077 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.482567072 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.482727051 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.483618021 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.487049103 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.487493992 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.490045071 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.490374088 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.494841099 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.705353975 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.705379963 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.705395937 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.706191063 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.709851980 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.710151911 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.712644100 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.712924004 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.717469931 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.779071093 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.789490938 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.789516926 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.789552927 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.791683912 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.796252012 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.833360910 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.833384037 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.833399057 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.833412886 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.833414078 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.833430052 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.833435059 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:23.833445072 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:23.833477974 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.012868881 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.012967110 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.014256001 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.080274105 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.080301046 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.080353975 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.110807896 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.111182928 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.111433983 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.111794949 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.111913919 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.112061977 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.112171888 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.112483025 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.112581015 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.112834930 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.113137960 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.333533049 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.333791018 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.334013939 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.334383965 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.334475040 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.334638119 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.334755898 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.335053921 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.335139990 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.335387945 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.335680962 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460330963 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460351944 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460367918 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460376024 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460391045 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460421085 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.460447073 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460505009 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460520029 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460524082 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.460535049 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460565090 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460572004 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.460581064 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.460635900 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.468266010 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.468313932 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.468328953 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.468367100 CET804916737.19.203.82192.168.2.22
                                                                                                                                                      Feb 6, 2024 15:50:24.468373060 CET4916780192.168.2.2237.19.203.82
                                                                                                                                                      Feb 6, 2024 15:50:24.468895912 CET4916780192.168.2.2237.19.203.82
Feb 6, 2024 15:50:34.478779078 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:50:34.701381922 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:50:44.696928978 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:50:44.919620037 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:50:54.930382967 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:50:55.153028965 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:05.154135942 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:05.154203892 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:05.163952112 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:05.386924982 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:15.394448042 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:15.394762039 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:15.397531986 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:15.620107889 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:25.631129980 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:25.634241104 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:25.634289980 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:25.853724957 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:35.849137068 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:35.874407053 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:35.874478102 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:36.071801901 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:46.082710981 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:46.114140034 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:46.114176989 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:46.306437969 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:56.316379070 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:56.354577065 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:56.354669094 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:56.539335012 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:06.549964905 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:06.594185114 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:06.594285965 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:06.772809029 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:16.768124104 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:16.834513903 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:16.834585905 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:16.991853952 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
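The relay flow above (192.168.2.22:49167 to 37.19.203.82:80) shows one client packet and one server reply roughly every ten seconds. The script below is an added example, not part of the Joe Sandbox report or of AnyDesk: it profiles that regularity the way a beaconing heuristic in a SOC pipeline would. The rows are copied from the packet table above in a pipe-separated form; packets less than one second apart are collapsed into a burst, and the coefficient of variation (standard deviation over mean) of the burst-to-burst interval is compared against a threshold. The 1 s gap, the 5 % CV ceiling and the 5-burst minimum are assumptions chosen for this data set, not tuned values.

```python
import re
import statistics
from datetime import datetime

# Rows copied from the packet table above (pipe-separated):
# timestamp | source port | dest port | source IP | dest IP
PACKET_ROWS = """
Feb 6, 2024 15:50:34.478779078 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:50:34.701381922 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:50:44.696928978 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:50:44.919620037 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:50:54.930382967 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:50:55.153028965 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:05.154135942 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:05.154203892 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:05.163952112 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:05.386924982 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:15.394448042 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:15.394762039 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:15.397531986 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:15.620107889 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:25.631129980 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:25.634241104 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:25.634289980 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:25.853724957 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:35.849137068 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:35.874407053 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:35.874478102 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:36.071801901 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:46.082710981 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:46.114140034 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:46.114176989 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:46.306437969 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:56.316379070 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:56.354577065 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:51:56.354669094 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:51:56.539335012 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:06.549964905 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:06.594185114 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:06.594285965 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:06.772809029 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:16.768124104 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:16.834513903 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
Feb 6, 2024 15:52:16.834585905 CET | 49167 | 80 | 192.168.2.22 | 37.19.203.82
Feb 6, 2024 15:52:16.991853952 CET | 80 | 49167 | 37.19.203.82 | 192.168.2.22
"""

TS_RE = re.compile(r"^(?P<whole>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) CET$")
EPOCH = datetime(1970, 1, 1)


def parse_timestamp(text):
    """'Feb 6, 2024 15:50:34.478779078 CET' -> float seconds.

    The report prints nanoseconds, which strptime's %f rejects, so the fraction is
    parsed separately. The zone suffix is ignored: every row carries the same one
    and only differences between rows are used.
    """
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    whole = datetime.strptime(m["whole"], "%b %d, %Y %H:%M:%S")
    return (whole - EPOCH).total_seconds() + float("0." + m["frac"])


def flow_times(table, src, dst):
    """Timestamps of packets sent from src to dst (both given as 'ip:port')."""
    times = []
    for line in table.strip().splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        if f"{sip}:{sport}" == src and f"{dip}:{dport}" == dst:
            times.append(parse_timestamp(ts))
    return times


def burst_starts(times, gap=1.0):
    """Collapse packets closer than `gap` seconds into one burst; return burst start times."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def beacon_profile(table, src, dst, gap=1.0, max_cv=0.05, min_bursts=5):
    """Interval statistics for one direction of one flow.

    beacon_like is True when at least min_bursts bursts recur with a coefficient
    of variation (stdev / mean) below max_cv. Thresholds are assumptions.
    """
    starts = burst_starts(flow_times(table, src, dst), gap)
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    if len(intervals) < 2:
        return {"bursts": len(starts), "mean_interval": None, "cv": None, "beacon_like": False}
    mean = statistics.fmean(intervals)
    cv = statistics.stdev(intervals) / mean
    return {"bursts": len(starts), "mean_interval": mean, "cv": cv,
            "beacon_like": len(starts) >= min_bursts and cv < max_cv}


if __name__ == "__main__":
    print(beacon_profile(PACKET_ROWS, "192.168.2.22:49167", "37.19.203.82:80"))
```

On this capture the client direction yields 11 bursts about 10.23 s apart with a CV well under 1 %, and the server direction mirrors it. A cadence this regular is equally characteristic of legitimate remote-access software keeping a relay session alive and of command-and-control beaconing, so the statistic is a triage signal to be joined with process, destination and certificate context, not a verdict on its own.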
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 6, 2024 15:50:18.571383953 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:18.673341036 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 15:50:18.673672915 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:18.775607109 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 15:50:18.775902033 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:18.877945900 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 15:50:18.909274101 CET | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:19.011466980 CET | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 15:50:19.894256115 CET | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:19.997128963 CET | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 15:50:20.541485071 CET | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:20.644480944 CET | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 15:50:21.662360907 CET | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:21.764668941 CET | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 15:50:22.270677090 CET | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 15:50:22.373332977 CET | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 6, 2024 15:50:18.571383953 CET | 192.168.2.22 | 8.8.8.8 | 0x818f | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:18.673672915 CET | 192.168.2.22 | 8.8.8.8 | 0x818f | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:18.775902033 CET | 192.168.2.22 | 8.8.8.8 | 0x818f | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:18.909274101 CET | 192.168.2.22 | 8.8.8.8 | 0x3e21 | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:19.894256115 CET | 192.168.2.22 | 8.8.8.8 | 0x4d87 | Standard query (0) | relay-82295404.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:20.541485071 CET | 192.168.2.22 | 8.8.8.8 | 0xa3ab | Standard query (0) | relay-82295404.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:21.662360907 CET | 192.168.2.22 | 8.8.8.8 | 0xce4d | Standard query (0) | relay-96c9f029.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:22.270677090 CET | 192.168.2.22 | 8.8.8.8 | 0x414f | Standard query (0) | relay-96c9f029.net.anydesk.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 6, 2024 15:50:18.673341036 CET | 8.8.8.8 | 192.168.2.22 | 0x818f | No error (0) | boot.net.anydesk.com | - | 92.223.88.232 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:18.775607109 CET | 8.8.8.8 | 192.168.2.22 | 0x818f | No error (0) | boot.net.anydesk.com | - | 57.128.101.74 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:18.877945900 CET | 8.8.8.8 | 192.168.2.22 | 0x818f | No error (0) | boot.net.anydesk.com | - | 92.223.88.7 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:19.011466980 CET | 8.8.8.8 | 192.168.2.22 | 0x3e21 | No error (0) | boot.net.anydesk.com | - | 57.128.101.78 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:19.997128963 CET | 8.8.8.8 | 192.168.2.22 | 0x4d87 | No error (0) | relay-82295404.net.anydesk.com | - | 185.156.44.131 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:20.644480944 CET | 8.8.8.8 | 192.168.2.22 | 0xa3ab | No error (0) | relay-82295404.net.anydesk.com | - | 185.156.44.131 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:21.764668941 CET | 8.8.8.8 | 192.168.2.22 | 0xce4d | No error (0) | relay-96c9f029.net.anydesk.com | - | 37.19.203.82 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 15:50:22.373332977 CET | 8.8.8.8 | 192.168.2.22 | 0x414f | No error (0) | relay-96c9f029.net.anydesk.com | - | 37.19.203.82 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 57.128.101.78 | 80 | 2872 | C:\Users\user\Desktop\AnyDesk.exe
Timestamp | Bytes transferred | Direction | Data
Feb 6, 2024 15:50:19.226453066 CET | 273 | OUT | Data Raw: 16 03 01 01 0c 01 00 01 08 03 03 52 04 b7 67 ec a1 1e e2 8e 3d 0d cd 0e 24 61 ca d3 43 1f 9c 96 fe 43 06 f8 bf 1d 93 7c ad 0b 4f 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36
Data Ascii: Rg=$aCC|On0,($kjih98762.*&=5/+'#g@?>32101-)%</q#
Feb 6, 2024 15:50:19.432537079 CET | 536 | IN | Data Raw: 16 03 03 00 57 02 00 00 53 03 03 97 93 83 31 cb 52 3a 0a 14 8f e0 b3 b0 2d 48 01 53 b4 b1 85 10 50 cf b7 44 4f 57 4e 47 52 44 01 20 e3 70 26 0f 35 3f 25 4e ed 5a 01 1a dc 09 c5 21 e1 78 20 d2 2f 89 1d df 11 84 34 e2 0e 41 e8 f1 c0 2c 00 00 0b ff
Data Ascii: WS1R:-HSPDOWNGRD p&5?%NZ!x /4A,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Feb 6, 2024 15:50:19.432550907 CET | 536 | IN | Data Raw: e6 e8 20 b9 4b 8b bb 63 de 6f 65 6a 9f 5d d7 c1 97 9b 2d 30 4e 9a 81 85 b4 1c 92 a6 ed d8 7a f9 df 9d 03 b3 90 9c 78 a9 c8 ba 0e 3c ac ec 14 db 7d 51 b3 97 06 b9 f6 77 60 ab fe 59 83 af 8e 97 56 29 c7 db 7e 71 79 d1 c7 f7 da b6 c8 f7 af 8f 24 e0
Data Ascii: Kcoej]-0Nzx<}Qw`YV)~qy$ZG|'SO^jl$|XM+")+{n\&9S|4xLp|aZ.qDL\vq$;OroCs4|z\8[TRxU>R
Feb 6, 2024 15:50:19.432564974 CET | 536 | IN | Data Raw: 35 35 5a 17 0d 32 34 30 34 30 38 30 32 33 37 35 35 5a 30 48 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 4e 65 74 20 52 6f 6f 74 20 43 41 31 20 30 1e 06 03 55 04 0a 0c 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30
Data Ascii: 55Z240408023755Z0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0"0*H0AZ T7;h8m&i6p4p]|Zx1\{ZQ/3'h;jlaV
Feb 6, 2024 15:50:19.432578087 CET | 536 | IN | Data Raw: 3c 1f 22 91 25 17 15 cc 42 82 da 3b a8 39 c7 2a 50 ca d9 4c a0 8c 95 33 75 03 70 b8 df a0 c9 b2 b2 8b 1b 38 83 79 32 c3 12 da 33 96 42 f4 91 11 aa c6 26 31 bc ea 43 8a 30 54 65 c5 43 9e 50 3b fa 91 93 0e 9d 3b 23 4a 3d 43 c1 c6 22 9b 68 af 2f fc
Data Ascii: <"%B;9*PL3up8y23B&1C0TeCP;;#J=C"h/R"j.P0N0UeyXW6\bG0U#0eyXW6\bG0U00*HG`4%(^0VGv T=#
Feb 6, 2024 15:50:19.432590961 CET | 473 | IN | Data Raw: ca b6 9b 39 e6 cf 27 d0 2c 99 74 d4 ca de 47 88 ed df f7 9c 3b ac 8a 62 d2 75 90 d9 00 81 d3 f8 c2 47 8e 9a bd 87 6d ce e5 9a 7f 28 76 a4 77 c6 3f b9 bf 4d f1 cb df 0f 2c 73 fe b4 60 e3 26 5e 83 f2 ae 36 56 94 e9 a7 9d a1 3d ca 5d 6e 3d 5d a8 6f
Data Ascii: 9',tG;buGm(vw?M,s`&^6V=]n=]oh'g4E4{%QT?*Qd9wsfI+\+Wfp;q.Lgr:>4m`=D^!`l.:s&jAx,;VLAZD4tPmej{x
Feb 6, 2024 15:50:19.448030949 CET | 1094 | OUT | Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 34 30 32 30 36 31 34 35 30
Data Ascii: 000*H010UAnyDesk Client0 240206145017Z20740124145017Z010UAnyDesk Client0"0*H0vM4E"eVa:zm_^z:H7t?e.`lO4 R.2
Feb 6, 2024 15:50:19.653121948 CET | 51 | IN | Data Raw: 14 03 03 00 01 01 16 03 03 00 28 2b fb 2b bc 6c e6 f9 ec c5 34 d5 ed 3d b2 96 da dd f5 27 29 26 47 fc 3f 5a 8a 55 d6 64 1e 4f 8b 90 94 7e 0c 6b 24 44 a5
Data Ascii: (++l4=')&G?ZUdO~k$D
Feb 6, 2024 15:50:19.653930902 CET | 40 | IN | Data Raw: 17 03 03 00 23 2b fb 2b bc 6c e6 f9 ed ce 87 bb 5e 5c f6 f5 a4 f3 34 d4 b2 63 5f ad a5 4e 29 18 61 6e bc fd 04 a5 3e 4a
Data Ascii: #++l^\4c_N)an>J
Feb 6, 2024 15:50:19.661685944 CET | 87 | OUT | Data Raw: 17 03 03 00 52 a3 30 fb 5c 3a a5 ea fe 66 b4 90 2d 72 a7 39 35 d1 37 9e d0 b9 80 b4 25 db 1d 1f 1e ae 78 6c d5 27 f1 2c 33 48 08 4d f7 59 55 52 f2 b3 e5 34 af 92 df 3d 60 4c 2f f0 5b 15 37 c0 1f 5b c7 2b 21 62 32 d1 45 72 ca 29 5e 19 cd 67 6d 0e
Data Ascii: R0\:f-r957%xl',3HMYUR4=`L/[7[+!b2Er)^gmp/
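Session 0 above opens with a ClientHello (OUT, 273 bytes) answered by a ServerHello (IN); the report prints only the leading bytes of each record. The parser below is an added example, not part of the Joe Sandbox report or of AnyDesk, and walks exactly those visible bytes: record and handshake headers, the version fields, the offered cipher suites (as many as survive the truncation, against the count the ClientHello declares) and, for the ServerHello, the selected suite plus the last eight bytes of ServerHello.random. Those read 44 4f 57 4e 47 52 44 01 in all three sessions, which is the "DOWNGRD\x01" sentinel a TLS 1.3-capable server writes into its random when the handshake ends up at TLS 1.2 (RFC 8446, section 4.1.3). The hex is copied from the Session 0 dump; suite names come from the IANA TLS parameters registry.

```python
"""Walk the visible prefix of the TLS hello records captured in Session 0."""

# Bytes copied from the Session 0 dump above. Joe Sandbox prints only the leading
# bytes of each record, so both buffers are truncated captures of longer records.
CLIENT_HELLO_PREFIX = bytes.fromhex(
    "16 03 01 01 0c 01 00 01 08 03 03 52 04 b7 67 ec a1 1e e2 8e 3d 0d cd 0e 24 61 ca"
    " d3 43 1f 9c 96 fe 43 06 f8 bf 1d 93 7c ad 0b 4f 00 00 6e c0 30 c0 2c c0 28 c0 24"
    " c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36"
)
SERVER_HELLO_PREFIX = bytes.fromhex(
    "16 03 03 00 57 02 00 00 53 03 03 97 93 83 31 cb 52 3a 0a 14 8f e0 b3 b0 2d 48 01"
    " 53 b4 b1 85 10 50 cf b7 44 4f 57 4e 47 52 44 01 20 e3 70 26 0f 35 3f 25 4e ed 5a"
    " 01 1a dc 09 c5 21 e1 78 20 d2 2f 89 1d df 11 84 34 e2 0e 41 e8 f1 c0 2c 00 00 0b ff"
)

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE_TYPES = {0x01: "ClientHello", 0x02: "ServerHello"}
# Cipher suite names from the IANA TLS parameters registry (subset seen in this capture).
CIPHER_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
# RFC 8446 4.1.3: a TLS 1.3 server that negotiates TLS 1.2 (or 1.1 and below)
# overwrites the last 8 bytes of ServerHello.random with one of these sentinels.
DOWNGRADE_SENTINELS = {b"DOWNGRD\x01": "TLS 1.2", b"DOWNGRD\x00": "TLS 1.1 or below"}


def parse_hello_prefix(data: bytes) -> dict:
    """Parse a (possibly truncated) TLS record carrying a ClientHello or ServerHello.

    Fields are read as far as the bytes go; the result notes whether the record was
    cut short and, for a ClientHello, how many suites were declared versus visible.
    """
    if len(data) < 44 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record (or too short)")
    rec_version = int.from_bytes(data[1:3], "big")
    rec_len = int.from_bytes(data[3:5], "big")
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if rec_len != hs_len + 4:
        raise ValueError("handshake length does not fill the record")
    hello_version = int.from_bytes(data[9:11], "big")
    rnd = data[11:43]
    sid_len = data[43]
    pos = 44 + sid_len
    info = {
        "type": HANDSHAKE_TYPES.get(hs_type, f"0x{hs_type:02x}"),
        "record_version": TLS_VERSIONS.get(rec_version, f"0x{rec_version:04x}"),
        "record_length": rec_len,
        "hello_version": TLS_VERSIONS.get(hello_version, f"0x{hello_version:04x}"),
        "random": rnd.hex(),
        "session_id": data[44:pos].hex(),
        "truncated": len(data) < 5 + rec_len,
    }
    if hs_type == 0x01:
        declared = int.from_bytes(data[pos:pos + 2], "big")
        body = data[pos + 2:pos + 2 + declared]          # shorter than declared if cut
        suites = [int.from_bytes(body[i:i + 2], "big") for i in range(0, len(body) - 1, 2)]
        info["cipher_suites_declared"] = declared // 2
        info["cipher_suites"] = suites
        info["cipher_suite_names"] = [CIPHER_NAMES.get(s, f"0x{s:04x}") for s in suites]
    elif hs_type == 0x02:
        suite = int.from_bytes(data[pos:pos + 2], "big")
        info["cipher_suite"] = suite
        info["cipher_suite_name"] = CIPHER_NAMES.get(suite, f"0x{suite:04x}")
        info["compression"] = data[pos + 2]
        info["extensions_length"] = int.from_bytes(data[pos + 3:pos + 5], "big")
        info["downgrade_sentinel"] = DOWNGRADE_SENTINELS.get(rnd[-8:])
    return info


if __name__ == "__main__":
    for label, rec in (("ClientHello", CLIENT_HELLO_PREFIX), ("ServerHello", SERVER_HELLO_PREFIX)):
        for key, value in parse_hello_prefix(rec).items():
            print(f"{label}.{key}: {value}")
```

Against this capture the parser reports a TLS 1.2 ClientHello (record-layer version 0x0301, a common compatibility quirk, not an error) declaring 55 suites of which 18 are visible before the dump is cut, and a ServerHello choosing TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 with the TLS 1.2 downgrade sentinel set. The sentinel is informational here: it says the server supports TLS 1.3 but the handshake settled on 1.2; only a client that itself offered TLS 1.3 should treat it as evidence of an active downgrade. The third OUT record (handshake type 0x0b) is the client's own Certificate message; its subject reads AnyDesk Client and its UTC notBefore of 240206145017Z matches the capture time of 15:50 CET, which suggests, though the truncated bytes cannot prove, that the client certificate is generated at run time.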


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49165 | 185.156.44.131 | 80 | 2872 | C:\Users\user\Desktop\AnyDesk.exe
Timestamp | Bytes transferred | Direction | Data
Feb 6, 2024 15:50:20.882414103 CET | 273 | OUT | Data Raw: 16 03 01 01 0c 01 00 01 08 03 03 9d ea 86 b2 e3 06 95 44 e7 1e 73 cc f8 e2 9a 54 7f 92 cf 0f bc 03 b7 6c 46 1a 92 60 0e 89 b6 b1 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36
Data Ascii: DsTlF`n0,($kjih98762.*&=5/+'#g@?>32101-)%</q#
Feb 6, 2024 15:50:21.113214970 CET | 1286 | IN | Data Raw: 16 03 03 00 57 02 00 00 53 03 03 0c fc 34 26 db a6 9f 49 10 76 d8 73 b0 fb be 43 75 31 6c 18 53 92 a9 fe 44 4f 57 4e 47 52 44 01 20 31 47 0d 62 ed 71 e7 96 0d be 36 06 e5 45 7b 91 21 66 4d 34 d7 7e 32 db 2b 37 b6 27 88 3c 9b fe c0 2c 00 00 0b ff
Data Ascii: WS4&IvsCu1lSDOWNGRD 1Gbq6E{!fM4~2+7'<,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Feb 6, 2024 15:50:21.113229036 CET | 1286 | IN | Data Raw: 5a eb 51 2f 97 bf f6 fb 33 27 90 b3 d8 e4 e0 cd 68 3b 6a 87 6c a6 0d e7 d8 bd 61 df 56 6b 2a e1 1c 2b f5 9f bf 85 dd 8c 5b 06 1e 71 7f ba 4a a6 40 b0 77 17 ea 2c 3f 5b 94 14 85 2e ad 11 61 ab 88 f6 01 bb b3 47 6b e2 81 18 f1 8e 39 e6 d8 7b 0c 63
Data Ascii: ZQ/3'h;jlaVk*+[qJ@w,?[.aGk9{cpu'-5={{Hy8-&~K2vf/bj@kXScuxI#ph3/L^}a}4AkP+g_R4gs@lo67Jv"rR}uMU#[~.K_e
Feb 6, 2024 15:50:21.113239050 CET | 45 | IN | Data Raw: 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 09 06 03 55 04 06 13 02 44 45 16 03 03 00 04 0e 00 00 00
Data Ascii: philandro Software GmbH10UDE
Feb 6, 2024 15:50:21.123234034 CET | 1094 | OUT | Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 34 30 32 30 36 31 34 35 30
Data Ascii: 000*H010UAnyDesk Client0 240206145017Z20740124145017Z010UAnyDesk Client0"0*H0vM4E"eVa:zm_^z:H7t?e.`lO4 R.2
Feb 6, 2024 15:50:21.352412939 CET | 51 | IN | Data Raw: 14 03 03 00 01 01 16 03 03 00 28 94 5f 21 ae d4 92 02 70 b6 ab 72 09 2b d0 e4 17 bf e5 85 2b 78 87 1f 01 dc d9 51 53 a1 64 f8 27 cd fc 64 ac a9 23 7c 5c
Data Ascii: (_!pr++xQSd'd#|\
Feb 6, 2024 15:50:21.352519035 CET | 40 | IN | Data Raw: 17 03 03 00 23 94 5f 21 ae d4 92 02 71 cd 96 b8 98 f1 7f f6 6c d7 7d e9 21 3b f1 56 c3 ce 4c 20 4d cf 3a d1 d9 2f 70 e7
Data Ascii: #_!ql}!;VL M:/p
Feb 6, 2024 15:50:21.360748053 CET | 87 | OUT | Data Raw: 17 03 03 00 52 e0 3f 6c 74 20 ec 4a b6 ac eb 2c 4c e3 54 1b 8d c7 4c d2 9f eb b7 b6 f9 61 f2 dc 03 13 2a 96 ab 89 5b ea 5b 7e 46 52 05 76 4d 6c 80 65 2b 67 a4 1d c3 42 27 78 6b 6a b3 cb c4 f3 ec 85 ef 73 50 ad cf 79 17 ef aa d6 1e 0f 50 39 b7 4f
Data Ascii: R?lt J,LTLa*[[~FRvMle+gB'xkjsPyP9OW(1
Feb 6, 2024 15:50:21.636600971 CET | 271 | IN | Data Raw: 17 03 03 01 0a 94 5f 21 ae d4 92 02 72 23 8c 8a d7 f9 ac 0b 19 37 4f 10 d6 97 9a c6 a2 ff 76 e2 06 b5 f3 86 84 c0 8b 7e 10 aa d2 53 ae f2 1b dc d1 b1 c8 0c c3 b7 b0 e2 46 5b 47 ee af ff 53 f4 af 50 4f d7 d9 53 4c 6e 3c b3 2f 5f ab c7 f5 16 c0 90
Data Ascii: _!r#7Ov~SF[GSPOSLn</_Vc{\#}.P/V(38GTq*{oE'acRC&LPi~*82SsprC.l=(t^PbV;o{5B\UtB.7#@EU0,)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49167 | 37.19.203.82 | 80 | 2872 | C:\Users\user\Desktop\AnyDesk.exe
Timestamp | Bytes transferred | Direction | Data
Feb 6, 2024 15:50:22.606414080 CET | 273 | OUT | Data Raw: 16 03 01 01 0c 01 00 01 08 03 03 e2 33 d5 81 34 71 fe 9b 6b 3b b1 cb f2 e9 5b 5a 79 2b 24 a7 89 a9 88 9e ee f4 74 a3 1f a6 99 0a 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36
Data Ascii: 34qk;[Zy+$tn0,($kjih98762.*&=5/+'#g@?>32101-)%</q#
Feb 6, 2024 15:50:22.831578970 CET | 1286 | IN | Data Raw: 16 03 03 00 57 02 00 00 53 03 03 90 64 cb dd 26 5b 19 79 e2 e1 0d 4c af af 85 74 49 b1 78 58 d6 76 1d 8c 44 4f 57 4e 47 52 44 01 20 bb d1 8d 72 2c 7e f8 1e 3c 00 4f c7 d3 48 0e a7 83 1a 05 88 7e 97 a7 01 bc 2c 27 1a b9 cb c6 2f c0 2c 00 00 0b ff
Data Ascii: WSd&[yLtIxXvDOWNGRD r,~<OH~,'/,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Feb 6, 2024 15:50:22.831607103 CET | 1286 | IN | Data Raw: 5a eb 51 2f 97 bf f6 fb 33 27 90 b3 d8 e4 e0 cd 68 3b 6a 87 6c a6 0d e7 d8 bd 61 df 56 6b 2a e1 1c 2b f5 9f bf 85 dd 8c 5b 06 1e 71 7f ba 4a a6 40 b0 77 17 ea 2c 3f 5b 94 14 85 2e ad 11 61 ab 88 f6 01 bb b3 47 6b e2 81 18 f1 8e 39 e6 d8 7b 0c 63
Data Ascii: ZQ/3'h;jlaVk*+[qJ@w,?[.aGk9{cpu'-5={{Hy8-&~K2vf/bj@kXScuxI#ph3/L^}a}4AkP+g_R4gs@lo67Jv"rR}uMU#[~.K_e
Feb 6, 2024 15:50:22.831624031 CET | 45 | IN | Data Raw: 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 09 06 03 55 04 06 13 02 44 45 16 03 03 00 04 0e 00 00 00
Data Ascii: philandro Software GmbH10UDE
Feb 6, 2024 15:50:22.842283964 CET | 1094 | OUT | Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 34 30 32 30 36 31 34 35 30
Data Ascii: 000*H010UAnyDesk Client0 240206145017Z20740124145017Z010UAnyDesk Client0"0*H0vM4E"eVa:zm_^z:H7t?e.`lO4 R.2
Feb 6, 2024 15:50:23.066503048 CET | 51 | IN | Data Raw: 14 03 03 00 01 01 16 03 03 00 28 eb 23 5b 21 2e 2b a7 6b 31 7d a0 be 8c 39 23 bf 32 bb 96 d7 d3 d8 f0 e8 99 30 4d 83 e2 b9 1a eb 6d 7a 90 c0 d7 fa af 7c
Data Ascii: (#[!.+k1}9#20Mmz|
Feb 6, 2024 15:50:23.066634893 CET | 40 | IN | Data Raw: 17 03 03 00 23 eb 23 5b 21 2e 2b a7 6c 95 51 95 0a 41 49 a7 2d 10 7a a6 03 f3 76 47 aa 9e dc d1 35 6c 0f 9f a0 5e 64 54
Data Ascii: ##[!.+lQAI-zvG5l^dT
Feb 6, 2024 15:50:23.074810982 CET | 87 | OUT | Data Raw: 17 03 03 00 52 f8 55 81 94 54 00 a5 2f 29 e5 30 e5 bc 2a a2 23 ab 67 fb e2 be 6c c5 7e 47 38 36 84 2d 93 c5 8d d4 a6 97 f4 8d 5f 19 7b 71 6c ff 57 85 30 a5 2b 4f 59 8f 20 56 10 e5 1c c1 d9 f2 05 ac 5f 77 5b 74 62 e7 cd 54 0b 12 67 d5 c2 1f 53 6e
Data Ascii: RUT/)0*#gl~G86-_{qlW0+OY V_w[tbTgSnP{P
Feb 6, 2024 15:50:23.401101112 CET | 146 | IN | Data Raw: 17 03 03 00 8d eb 23 5b 21 2e 2b a7 6d bc 3b d4 cd dd e7 27 8f 31 ba 0b ae 43 b2 84 7e 84 ee 21 62 f7 8b 66 4e 77 de c9 de dd bd e9 8c 16 ce 75 aa 4f 01 2e 17 cf 4a 5f 22 b9 30 af c4 51 9b e6 67 d5 f9 16 a6 56 33 24 e3 37 6b 8a 30 26 63 3a a2 2e
                                                                                                                                                      Data Ascii: #[!.+m;'1C~!bfNwuO.J_"0QgV3$7k0&c:.yg:n|?F\'Z{`nn<A`7=:U.s
                                                                                                                                                      Feb 6, 2024 15:50:23.482536077 CET456OUTData Raw: 17 03 03 01 c3 f8 55 81 94 54 00 a5 30 3a 62 d9 95 f7 a7 0d 53 88 d0 b9 99 5d 23 cb f1 ca cc df 70 57 73 67 f2 82 9a 4a 71 29 cc b8 08 32 5a 58 2e bb a4 2a bc c7 a3 a8 b9 67 ea 22 38 f9 7e 92 f2 61 60 3c 3f a3 6c 8a ef 4a 9f 27 88 c4 7e c6 26 2e
                                                                                                                                                      Data Ascii: UT0:bS]#pWsgJq)2ZX.*g"8~a`<?lJ'~&.*gHm3kC7_D4I)0C7`@xosxGN$J4q9qok3S.>guBoBXOw5


Target ID: 0
Start time: 15:50:13
Start date: 06/02/2024
Path: C:\Users\user\Desktop\AnyDesk.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\AnyDesk.exe
Imagebase: 0xbc0000
File size: 5'216'584 bytes
MD5 hash: A21768190F3B9FEAE33AAEF660CB7A83
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 2
Start time: 15:50:14
Start date: 06/02/2024
Path: C:\Users\user\Desktop\AnyDesk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Imagebase: 0xbc0000
File size: 5'216'584 bytes
MD5 hash: A21768190F3B9FEAE33AAEF660CB7A83
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 3
Start time: 15:50:15
Start date: 06/02/2024
Path: C:\Users\user\Desktop\AnyDesk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Imagebase: 0xbc0000
File size: 5'216'584 bytes
MD5 hash: A21768190F3B9FEAE33AAEF660CB7A83
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

No disassembly