Windows Analysis Report
AnyDesk.exe

Overview

General Information

Sample name: AnyDesk.exe
Analysis ID: 1387604
MD5: a21768190f3b9feae33aaef660cb7a83
SHA1: 24780657328783ef50ae0964b23288e68841a421
SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: DNS Query To Remote Access Software Domain From Non-Browser App
Tries to disable installed Antivirus / HIPS / PFW
Tries to load missing DLLs
Uses 32bit PE files

Classification

  • System is w7x64
  • AnyDesk.exe (PID: 436 cmdline: C:\Users\user\Desktop\AnyDesk.exe MD5: A21768190F3B9FEAE33AAEF660CB7A83)
    • AnyDesk.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\AnyDesk.exe" --local-service MD5: A21768190F3B9FEAE33AAEF660CB7A83)
    • AnyDesk.exe (PID: 2944 cmdline: "C:\Users\user\Desktop\AnyDesk.exe" --local-control MD5: A21768190F3B9FEAE33AAEF660CB7A83)
  • cleanup
No configs have been found
No yara matches
Source: DNS query, Author: frack113, Connor Martin, Data: Image: C:\Users\user\Desktop\AnyDesk.exe, QueryName: boot.net.anydesk.com
No Snort rule has matched

Source: AnyDesk.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: AnyDesk.exe, Static PE information: certificate valid
Source: unknown, HTTPS traffic detected: 141.95.145.210:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 37.19.203.82:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: AnyDesk.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.00000000023CA000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.00000000023CA000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.00000000023CA000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.755067051.00000000023CA000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.00000000023CA000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.755067051.00000000023CA000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe, 00000000.00000000.353631225.0000000002573000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000002.755199233.0000000002573000.00000002.00000001.01000000.00000003.sdmp
Source: Joe Sandbox View, IP Address: 141.95.145.210
Source: Joe Sandbox View, IP Address: 49.12.130.237
Source: Joe Sandbox View, JA3 fingerprint: c91bde19008eefabce276152ccd51457
Source: unknown, DNS traffic detected: queries for: boot.net.anydesk.com
Source: AnyDesk.exe, 00000000.00000003.356087941.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.357492272.0000000004088000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.359371955.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.anydesk.com/knowledge/waiting-for-image-black-screen
Source: AnyDesk.exe, 00000000.00000003.356087941.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.357492272.0000000004088000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.359371955.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.anydesk.com/knowledge/what-is-full-client-management
Source: AnyDesk.exe, 00000000.00000003.356087941.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.357492272.0000000004088000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.359371955.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755277186.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/$
Source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nayuki.io/page/qr-code-generator-library
Source: unknown Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown HTTPS traffic detected: 141.95.145.210:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown HTTPS traffic detected: 37.19.203.82:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectDrawCreateExmemstr_336a163e-0
Source: C:\Users\user\Desktop\AnyDesk.exe Window created: window name: CLIPBRDWNDCLASS
Source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_2dc1beaf-c
Source: C:\Users\user\Desktop\AnyDesk.exe Memory allocated: 770B0000 page execute and read and write
Source: AnyDesk.exe Static PE information: No import functions for PE file found
Source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000002.00000002.755129965.000000000238E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000003.00000003.359192869.00000000006FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentshrui.dll.muij% vs AnyDesk.exe
Source: AnyDesk.exe, 00000003.00000002.755067051.000000000238E000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesas.dllj% vs AnyDesk.exe
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wbemcomn2.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: shcore.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Section loaded: credssp.dll
Source: AnyDesk.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal51.evad.winEXE@5/6@4/3
Source: C:\Users\user\Desktop\AnyDesk.exe File created: C:\Users\user\AppData\Roaming\AnyDesk
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_3
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_17
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2944_3120_0
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_4
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_5
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_6
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_18
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2944_3112_0
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcstobjmtx
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2944_2751054374_0_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_11
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_808_lsystem_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_13
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_436_2734830346_0_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_2504_3092_12
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_436_2734830346_1_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2944_2751054374_1_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Session\1\ad_connect_queue_2504_2749494372_mtx
Source: C:\Users\user\Desktop\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_trace_mtx
Source: AnyDesk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AnyDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\AnyDesk.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\AnyDesk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AnyDesk.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AnyDesk.exe File read: C:\Users\user\Desktop\AnyDesk.exe
Source: unknown Process created: C:\Users\user\Desktop\AnyDesk.exe C:\Users\user\Desktop\AnyDesk.exe
Source: C:\Users\user\Desktop\AnyDesk.exe Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exe Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32
Source: C:\Users\user\Desktop\AnyDesk.exe Window found: window name: SysTabControl32
Source: AnyDesk.exe Static PE information: certificate valid
Source: AnyDesk.exe Static file information: File size 5216584 > 1048576
Source: AnyDesk.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x4ec800
Source: AnyDesk.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AnyDesk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.00000000023CA000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.00000000023CA000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.00000000023CA000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.755067051.00000000023CA000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\win_dwm\win_dwm.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003B04000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.00000000023CA000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000002.755067051.00000000023CA000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: SAS.pdb source: AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755129965.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755067051.000000000238E000.00000004.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe, 00000000.00000000.353631225.0000000002573000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000002.00000002.755199233.0000000002573000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\AnyDesk.exe Unpacked PE file: 2.2.AnyDesk.exe.1330000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\AnyDesk.exe Unpacked PE file: 3.2.AnyDesk.exe.1330000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\AnyDesk.exe File opened: C:\Users\user\Desktop\AnyDesk.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\AnyDesk.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\AnyDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\AnyDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\AnyDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE
Source: C:\Users\user\Desktop\AnyDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\AnyDesk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 2828 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3168 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 2828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3168 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3160 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3124 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe TID: 3132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AnyDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\AnyDesk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\AnyDesk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\AnyDesk.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AnyDesk.exe Memory protected: page read and write | page guard
Source: C:\Users\user\Desktop\AnyDesk.exe Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Source: C:\Users\user\Desktop\AnyDesk.exe Process created: C:\Users\user\Desktop\AnyDesk.exe "C:\Users\user\Desktop\AnyDesk.exe" --local-control
Source: C:\Users\user\Desktop\AnyDesk.exe File opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll
Source: C:\Users\user\Desktop\AnyDesk.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\AnyDesk.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exe Queries volume information: C:\Users\user\Desktop\AnyDesk.exe VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AnyDesk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 421 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 21 Input Capture | 41 Security Software Discovery | Remote Services | 21 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 331 Virtualization/Sandbox Evasion | Security Account Manager | 331 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 133 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| AnyDesk.exe | 0% | ReversingLabs | | |

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://ns.useplus.org/ldf/xmp/1.0/ | 0% | URL Reputation | safe | |
| http://iptc.org/std/Iptc4xmpExt/2008-02-29/ | 0% | URL Reputation | safe | |
| https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalid | 0% | Avira URL Cloud | safe | |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| boot.net.anydesk.com | 141.95.145.210 | true | false | | high |
| relay-96c9f029.net.anydesk.com | 37.19.203.82 | true | false | | high |
                                                                                                                        https://boot.net.anydesk.comabcdefABCDEFtruefalsetfInvalidAnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.754954195.0000000001D79000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://support.anydesk.com/knowledge/anydesk-accountAnyDesk.exe, 00000003.00000003.359371955.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://support.anydesk.com/knowledge/anydesk-id-and-aliasAnyDesk.exe, 00000000.00000003.356087941.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.355055060.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000000.00000003.357492272.0000000004088000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000003.358022947.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000002.00000002.755007751.0000000001D79000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 00000003.00000003.359371955.00000000005B3000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000002.755277186.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000003.00000003.358412543.0000000003470000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
141.95.145.210 | boot.net.anydesk.com | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
49.12.130.237 | unknown | Germany | 24940 | HETZNER-ASDE | false
37.19.203.82 | relay-96c9f029.net.anydesk.com | Ukraine | 31343 | INTERTELECOMUA | false
                                                                                                                            Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                            Analysis ID:1387604
                                                                                                                            Start date and time:2024-02-06 16:02:34 +01:00
                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                            Overall analysis duration:0h 6m 51s
                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                            Report type:full
                                                                                                                            Cookbook file name:default.jbs
                                                                                                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                                                                            Run name:Run with higher sleep bypass
                                                                                                                            Number of analysed new started processes analysed:6
                                                                                                                            Number of new started drivers analysed:0
                                                                                                                            Number of existing processes analysed:0
                                                                                                                            Number of existing drivers analysed:0
                                                                                                                            Number of injected processes analysed:0
                                                                                                                            Technologies:
                                                                                                                            • HCA enabled
                                                                                                                            • EGA enabled
                                                                                                                            • AMSI enabled
                                                                                                                            Analysis Mode:default
                                                                                                                            Analysis stop reason:Timeout
                                                                                                                            Sample name:AnyDesk.exe
                                                                                                                            Detection:MAL
                                                                                                                            Classification:mal51.evad.winEXE@5/6@4/3
                                                                                                                            EGA Information:Failed
                                                                                                                            HCA Information:
                                                                                                                            • Successful, ratio: 100%
                                                                                                                            • Number of executed functions: 0
                                                                                                                            • Number of non-executed functions: 0
                                                                                                                            Cookbook Comments:
                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
                                                                                                                            • Excluded IPs from analysis (whitelisted): 23.40.205.75, 23.40.205.11, 23.40.205.73, 23.40.205.74, 23.40.205.72, 23.40.205.17, 23.40.205.9, 23.40.205.8, 23.40.205.59
                                                                                                                            • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
                                                                                                                            • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                            • VT rate limit hit for: AnyDesk.exe
Time | Type | Description
16:04:29 | API Interceptor | 3x Sleep call for process: AnyDesk.exe modified
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            141.95.145.210https://download.anydesk.com/AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                              https://bnz-portal.com/anydesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                LiveChat.exeGet hashmaliciousUnknownBrowse
                                                                                                                                  https://bnz-portal.com/Get hashmaliciousUnknownBrowse
                                                                                                                                    anydesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                      anydesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                        livechat.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            AnyDesk-CM.msiGet hashmaliciousUnknownBrowse
                                                                                                                                              49.12.130.237https://bnz-portal.com/anydesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                    anydesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                      AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                        AnyDesk-CM.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                          AnyDesk (2).exeGet hashmaliciousUnknownBrowse
                                                                                                                                                            AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                              https://anydesk.com/en/downloads/windows?dv=win_exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                AnyDesk(1).msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                  boot.net.anydesk.comhttp://sub.nabprotect-livechat.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                  • 185.229.191.39
                                                                                                                                                                  https://download.anydesk.com/AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 141.95.145.210
                                                                                                                                                                  https://download.anydesk.com/AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 57.128.101.74
                                                                                                                                                                  https://nab-support.com/LiveChat.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 185.229.191.44
                                                                                                                                                                  https://bendigo-desk.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                  • 49.12.130.236
                                                                                                                                                                  https://bendigo-desk.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                  • 92.223.88.232
                                                                                                                                                                  Project.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 57.128.101.78
                                                                                                                                                                  https://download.anydesk.com/AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 49.12.130.236
                                                                                                                                                                  https://bnz-portal.com/anydesk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 141.95.145.210
                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                  DFNVereinzurFoerderungeinesDeutschenForschungsnetzeseciMvp364xK.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                  • 149.203.215.223
                                                                                                                                                                  nhhqejOP5o.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                  • 194.95.45.228
                                                                                                                                                                  6Ts4MrwFq7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                  • 134.31.219.70
                                                                                                                                                                  zbnq9rGNLi.exeGet hashmaliciousLummaC, CryptOne, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                                                                                                  • 131.188.40.189
                                                                                                                                                                  5Yzloz244r.exeGet hashmaliciousLummaC, CryptOne, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                                                                                                  • 131.188.40.189
                                                                                                                                                                  SecuriteInfo.com.Linux.Mirai.4373.26297.22503.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 130.149.135.74
                                                                                                                                                                  SecuriteInfo.com.Linux.Mirai.4326.1697.13000.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 134.76.41.215
                                                                                                                                                                  Endermanch@NoMoreRansom.exeGet hashmaliciousTroldesh / Shade, CryptOneBrowse
                                                                                                                                                                  • 131.188.40.189
                                                                                                                                                                  O5CdPZXLoc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                  • 194.94.84.243
                                                                                                                                                                  http://www.artisteer.com/?p=affr&redirect_url=https%3A%2F%2Fjaherpe.es%2Fgo%2F9iX%2FaXJAa2dobS5jb20=&domain=kghm.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                  • 141.95.126.89
                                                                                                                                                                  HETZNER-ASDESecuriteInfo.com.Win32.PWSX-gen.17762.9680.exeGet hashmaliciousLummaC, Amadey, Fabookie, Glupteba, PureLog Stealer, RedLine, StealcBrowse
                                                                                                                                                                  • 144.76.1.85
                                                                                                                                                                  EGP6SCPJgv.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                  • 5.75.234.255
                                                                                                                                                                  file.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                                                                  • 46.4.32.184
                                                                                                                                                                  file.exeGet hashmaliciousLummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRATBrowse
                                                                                                                                                                  • 135.181.67.210
                                                                                                                                                                  Purchase_Order_PA056223.pdf.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                                                  • 78.46.91.172
                                                                                                                                                                  https://share.formbold.com/3djRrGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 5.161.147.51
                                                                                                                                                                  S23UhdW5DH.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                                                                                                  • 88.99.248.158
                                                                                                                                                                  rNUBzMB8Cm.exeGet hashmaliciousClipboard Hijacker, Djvu, Fabookie, Glupteba, RedLine, SmokeLoader, StealcBrowse
                                                                                                                                                                  • 88.99.38.67
                                                                                                                                                                  QNHbH77.exeGet hashmaliciousAgentTesla, Discord Token StealerBrowse
                                                                                                                                                                  • 144.76.136.153
                                                                                                                                                                  zbnq9rGNLi.exeGet hashmaliciousLummaC, CryptOne, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                                                                                                  • 95.216.33.58
                                                                                                                                                                  INTERTELECOMUASetup (1).exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  • 37.19.206.5
Setup (1).exe | malicious | Unknown | 37.19.206.5
SecuriteInfo.com.Win32.CoinminerX-gen.29269.21386.exe | malicious | Unknown | 37.19.207.34
3yPAKl30XU.elf | malicious | Mirai | 130.180.210.166
https://www.nireos.com/hyperspectral-imaging/ | malicious | Unknown | 37.19.207.34
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.nireos.com%2Fhyperspectral-imaging%2F&psig=AOvVaw1JYEwI4H49LZPOWn9fTBOI&ust=1706902416150000&source=images&cd=vfe&opi=89978449&ved=0CBMQjRxqFwoTCKjlrZXxioQDFQAAAAAdAAAAABAE | malicious | Unknown | 37.19.207.34
http://gestiley.a3hrgo.com | malicious | Porn Scam | 37.19.216.10
https://fleek.ipfs.io/ipfs/QmcVapdtzZSMcx2xkQs2pdnichKZwVhvj5JJWR4Pgv5Dxg/Jah.html/#adam.kahl@centralian.com.au | malicious | HTMLPhisher | 37.19.207.34
https://t.ly/vUxxB | malicious | Unknown | 37.19.216.11
Match | Associated Sample Name / URL | Detection | Threat Name | Context
c91bde19008eefabce276152ccd51457 | http://sub.nabprotect-livechat.com/ | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | https://download.anydesk.com/AnyDesk.exe | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | https://download.anydesk.com/AnyDesk.exe | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | https://nab-support.com/LiveChat.exe | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | https://bendigo-desk.com/ | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | https://bendigo-desk.com/ | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | Project.lnk | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | https://download.anydesk.com/AnyDesk.exe | malicious | Unknown | 141.95.145.210, 37.19.203.82
c91bde19008eefabce276152ccd51457 | https://bnz-portal.com/anydesk.exe | malicious | Unknown | 141.95.145.210, 37.19.203.82
                                                                                                                                                                  No context
                                                                                                                                                                  Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:modified
                                                                                                                                                                  Size (bytes):28894
                                                                                                                                                                  Entropy (8bit):4.369801929044185
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:192:k6kZnL/O0sVbMRo8Ru4ydRB5LKBt6QtzAnVmn9KCE/6O4B:kfszh8Ru4ydRB5LKBt7zAVmn9K//eB
                                                                                                                                                                  MD5:D6D29C7422BA52C5CDEF6E03C256ECAD
                                                                                                                                                                  SHA1:C5B05745496E093124B5E5DABA0C4EB59B47A55E
                                                                                                                                                                  SHA-256:DB61D90360F1E696711B2D81122C5B7D76E9C88066868100264E1312179FEB13
                                                                                                                                                                  SHA-512:42D15D6A989037D2D2B19B411521A90FB7DD9350D8272DF989E1B515F1466BFD8C7C765C9B59D28D1E1A8E9C009DCB9BF0E6CDC536CBFFEB82B80587B841E492
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: * * * * * * * * * * * * * * * * * *.. info 2024-02-06 15:03:27.527 front 436 2300 main - * AnyDesk Windows Startup *.. info 2024-02-06 15:03:27.527 front 436 2300 main - * Version 8.0.8 ((detached head) 161cbc3269fd82431aba292c6ced1f1480f4964c).. info 2024-02-06 15:03:27.527 front 436 2300 main - * Checksum 48544a05569c2af380b61b4f5af5a087.. info 2024-02-06 15:03:27.527 front 436 2300 main - * Build 20240127190435.. info 2024-02-06 15:03:27.527 front 436 2300 main - * Copyright (C) 2024 AnyDesk Software GmbH *.. info 2024-02-06 15:03:27.527 front 436 2300 main - .. info 2024-02-06 15:03:27.527 front 436 2300 main - Command Line params: "C:\Users\user\Desktop\AnyDesk.exe"..
                                                                                                                                                                  Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines (1751)
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):2970
                                                                                                                                                                  Entropy (8bit):6.039500851513777
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:uISTT3iwF4f6nhhbPnfRIhfBHj6qdiOPaoHaXDZQahFnqxL9xQQET+ZMcp5PcMfI:uISTLiqh3P5ILenXyazqdsT+ZMcpJcyI
                                                                                                                                                                  MD5:55D58FFC261A878091B2B3D924F8DA42
                                                                                                                                                                  SHA1:F1F7A2EFE20B9AD96C52DB50FEDAFC2497D29400
                                                                                                                                                                  SHA-256:06C0C87EB6F12D547C256B8DE9A2C6478B37967CB95B8DA663C7583C5F26327D
                                                                                                                                                                  SHA-512:22561F806E4751466B4F803CC9E209AF195087A8D041511FBBDBC29574D72935084C31EB4616BD0FFC4AA288E51497DBCF05D36B4862670DE26A1FAC89841974
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
Preview:ad.anynet.cert= (PEM-encoded certificate)
                                                                                                                                                                  Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):802
                                                                                                                                                                  Entropy (8bit):4.809303886738688
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:oob5n2U3Z5sCxiBs7XxGa7lNqQHvWhQ44LroBGgFBG98LW:Jb5nzriBsp5sAw34LtB98i
                                                                                                                                                                  MD5:3C92FF3AEE21493A5BE9A263DEE7E100
                                                                                                                                                                  SHA1:EC9C1CB040385083E75A245DA22DB395694F4124
                                                                                                                                                                  SHA-256:0C6A232A149D470E870BF46118EC59AE2022EA8E3C748E0F0018D3D506E41720
                                                                                                                                                                  SHA-512:57B5078F7A98F04D35CC214AFBE35486C540280ECEAE8CDD47280DBF19F9EE037E6DCC016CDEEA406B654AC58B1D180DB37EE32AFBD1108F7EB50DCC3D8AF7B5
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview:ad.anynet.alias=.ad.anynet.client_stats_hash=96cf857b1f376762dc52301edcfc0445993c0ca4.ad.anynet.cur_version=34359738374.ad.anynet.fpr=2ebb320e738da4357cefeda26acc5ea1a884e11e.ad.anynet.id=1837170015.ad.anynet.last_relay=relay-96c9f029.net.anydesk.com:80:443:6568.ad.anynet.network_hash=6e8eedb55653c73ad31e143ba115bdc9c0ecfa22.ad.anynet.network_id=main.ad.anynet.relay.fatal_result=1.0.ad.anynet.relay.state=2.ad.license.name=free-1.ad.security.frontend_clipboard=1.ad.security.frontend_clipboard_files=1.ad.security.frontend_clipboard_version=1.ad.security.permission_profiles._default.permissions.sas=1.ad.security.permission_profiles._unattended_access.permissions.sas=1.ad.security.permission_profiles.version=1.ad.security.update_version=1.ad.wol.mac_hash=eaf5b0e0236b7a519898aac120053112b035f2b1.
                                                                                                                                                                  Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines (3261)
                                                                                                                                                                  Category:modified
                                                                                                                                                                  Size (bytes):7122
                                                                                                                                                                  Entropy (8bit):4.416309069945472
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:PXXnD01GHW7KgL6nPOGknPmLAVSxzIr7QFoBUKILADkT/CUEKk9P9wFs10mYRpPg:/ZkNWAoaQoQxEKs6aKXFZ2Hq8
                                                                                                                                                                  MD5:C97402A410E871BB919615056B3E01DA
                                                                                                                                                                  SHA1:FEB32C1F170380C87F637B1846B213C62054009C
                                                                                                                                                                  SHA-256:113520918926EECEBB60D565BAF0D4F7EE7181E82C666D9B8D24B8B9CAB24943
                                                                                                                                                                  SHA-512:FF22398160348C1205A8C9CE49F40C21862A0011B925B2A34C5A09E3A3ACD5033D8485EB7833F0F18C9E2B66B9473AC25A3A04E0A31054A65C8E256B66925010
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
Preview:ad.account.auth_methods=, ad.account.info= (hex-encoded values)
                                                                                                                                                                  Process:C:\Users\user\Desktop\AnyDesk.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3052
                                                                                                                                                                  Entropy (8bit):2.912672611128978
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:BAOM+ZXmxOpKWoCk78AOM+Zen1OpSjDCk7c:pZXsmnoCiCZE1miCic
                                                                                                                                                                  MD5:E55236101A68F6C3258D0349DFC04C16
                                                                                                                                                                  SHA1:E372B94F43F6CA74A4156439832DCF9A3F327C9C
                                                                                                                                                                  SHA-256:039F0C1F47FAD9638AFCCACFC8B28336351597BEC2ECFE13D8A5E55160F4ABC3
                                                                                                                                                                  SHA-512:848BB8B31E7FCE83A08E4002DAAD7D4593BD376B0C4B880F6A97348292AFF498CC1ADC6D73514D4B76C3032CA13A373BD47E2F5B29EDC7AA9E451E4DCB40A075
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Entropy (8bit):7.999460832435841
                                                                                                                                                                  TrID:
                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                  File name:AnyDesk.exe
                                                                                                                                                                  File size:5'216'584 bytes
                                                                                                                                                                  MD5:a21768190f3b9feae33aaef660cb7a83
                                                                                                                                                                  SHA1:24780657328783ef50ae0964b23288e68841a421
                                                                                                                                                                  SHA256:55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
                                                                                                                                                                  SHA512:ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
                                                                                                                                                                  SSDEEP:98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
                                                                                                                                                                  TLSH:B23633B622D75CBDF9618B733CD29230A8A98F42E517131ACCD4C56ECBBB7496460CE1
                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q.hU0.;U0.;U0.;:F#;V0.;:F";]0.;:F.;T0.;:F.;T0.;RichU0.;................PE..L....E.e.........."......*....O...#.S6.......@....@
                                                                                                                                                                  Icon Hash:499669d8d82916a8
                                                                                                                                                                  Entrypoint:0x403653
                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                  Digitally signed:true
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                  Time Stamp:0x65B545B5 [Sat Jan 27 18:04:37 2024 UTC]
                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                  OS Version Major:5
                                                                                                                                                                  OS Version Minor:1
                                                                                                                                                                  File Version Major:5
                                                                                                                                                                  File Version Minor:1
                                                                                                                                                                  Subsystem Version Major:5
                                                                                                                                                                  Subsystem Version Minor:1
                                                                                                                                                                  Import Hash:
                                                                                                                                                                  Signature Valid:true
                                                                                                                                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                  Signature Validation Error:The operation completed successfully
                                                                                                                                                                  Error Number:0
                                                                                                                                                                  Not Before, Not After
                                                                                                                                                                  • 1/23/2024 4:00:00 PM 1/24/2027 3:59:59 PM
                                                                                                                                                                  Subject Chain
• CN=AnyDesk Software GmbH, O=AnyDesk Software GmbH, L=Stuttgart, S=Baden-Württemberg, C=DE
                                                                                                                                                                  Version:3
                                                                                                                                                                  Thumbprint MD5:D16CE2EEA2FDCA06FCC996480C136743
                                                                                                                                                                  Thumbprint SHA-1:646F52926E01221C981490C8107C2F771679743A
                                                                                                                                                                  Thumbprint SHA-256:1C58446174BE2A5BBA89595C8D4BBE65EE3146E194F6C98650E6E13F97E24965
                                                                                                                                                                  Serial:0A8177FCD8936A91B5E0EDDF995B0BA5
                                                                                                                                                                  Instruction
                                                                                                                                                                  push ebp
                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                  sub esp, 64h
                                                                                                                                                                  push esi
                                                                                                                                                                  lea ecx, dword ptr [ebp-64h]
                                                                                                                                                                  call 00007FCC9900B56Ah
                                                                                                                                                                  lea eax, dword ptr [ebp-64h]
                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                  mov dword ptr [01B306D8h], eax
                                                                                                                                                                  call 00007FCC9900B466h
                                                                                                                                                                  test al, al
                                                                                                                                                                  jne 00007FCC9900D4D4h
                                                                                                                                                                  mov esi, 000003E8h
                                                                                                                                                                  lea ecx, dword ptr [ebp-64h]
                                                                                                                                                                  call 00007FCC9900B454h
                                                                                                                                                                  mov eax, esi
                                                                                                                                                                  pop esi
                                                                                                                                                                  leave
                                                                                                                                                                  ret
                                                                                                                                                                  lea eax, dword ptr [ebp-64h]
                                                                                                                                                                  push eax
                                                                                                                                                                  lea ecx, dword ptr [ebp-30h]
                                                                                                                                                                  call 00007FCC9900B288h
                                                                                                                                                                  lea eax, dword ptr [ebp-30h]
                                                                                                                                                                  mov ecx, eax
                                                                                                                                                                  mov dword ptr [01B306DCh], eax
                                                                                                                                                                  call 00007FCC9900B220h
                                                                                                                                                                  test al, al
                                                                                                                                                                  jne 00007FCC9900D4D1h
                                                                                                                                                                  lea ecx, dword ptr [ebp-30h]
                                                                                                                                                                  call 00007FCC9900B205h
                                                                                                                                                                  mov esi, 000003E9h
                                                                                                                                                                  jmp 00007FCC9900D487h
                                                                                                                                                                  cmp dword ptr [ebp-10h], 00000000h
                                                                                                                                                                  je 00007FCC9900D4CAh
                                                                                                                                                                  push 00000800h
                                                                                                                                                                  call dword ptr [ebp-10h]
                                                                                                                                                                  cmp dword ptr [ebp-0Ch], 00000000h
                                                                                                                                                                  je 00007FCC9900D4CAh
                                                                                                                                                                  push 00008001h
                                                                                                                                                                  call dword ptr [ebp-0Ch]
                                                                                                                                                                  lea eax, dword ptr [ebp-64h]
                                                                                                                                                                  push eax
                                                                                                                                                                  lea esi, dword ptr [ebp-30h]
                                                                                                                                                                  call 00007FCC9900D415h
                                                                                                                                                                  pop ecx
                                                                                                                                                                  mov esi, eax
                                                                                                                                                                  push esi
                                                                                                                                                                  call dword ptr [ebp-20h]
                                                                                                                                                                  lea ecx, dword ptr [ebp-30h]
                                                                                                                                                                  call 00007FCC9900B1C7h
                                                                                                                                                                  jmp 00007FCC9900D44Eh
                                                                                                                                                                  mov edx, dword ptr [esp+04h]
                                                                                                                                                                  push ebx
                                                                                                                                                                  mov ebx, dword ptr [esp+10h]
                                                                                                                                                                  push esi
                                                                                                                                                                  xor esi, esi
                                                                                                                                                                  test ebx, ebx
                                                                                                                                                                  je 00007FCC9900D4F1h
                                                                                                                                                                  push edi
                                                                                                                                                                  mov edi, dword ptr [esp+14h]
                                                                                                                                                                  sub edi, 01B306E0h
                                                                                                                                                                  imul edx, edx, 0019660Dh
                                                                                                                                                                  add edx, 3C6EF35Fh
                                                                                                                                                                  mov eax, edx
                                                                                                                                                                  shr eax, 0Ch
                                                                                                                                                                  Programming Language:
                                                                                                                                                                  • [ C ] VS2010 build 30319
                                                                                                                                                                  • [C++] VS2010 build 30319
                                                                                                                                                                  • [RES] VS2010 build 30319
                                                                                                                                                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1731000 | 0x4850 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4f4800 | 0x5148 | .itext
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1736000 | 0x8c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1243000 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2877 | 0x2a00 | 38ddf74646d7c71507a2f445c4e13a1a | False | 0.6016555059523809 | data | 6.561243003584178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x4000 | 0x123f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1243000 | 0x2fe | 0x400 | c335b053dcc75d43ed0fa5946fa2cf08 | False | 0.7373046875 | Matlab v4 mat-file (little endian) \2342$\001\2340, numeric, rows 1706378677, columns 0, imaginary | 5.654356402637509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1244000 | 0x4ecae4 | 0x4ec800 | bd752b52182e641bfef3ef45181dfeec | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1731000 | 0x4850 | 0x4a00 | 466a54e4949eddb65dd9a6c760e7ca12 | False | 0.5120882601351351 | data | 6.01643927970737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1736000 | 0x300 | 0x400 | df96faae07bd22a26d11da4a8c21cc48 | False | 0.15234375 | data | 1.1700563166805085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1731280 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9167848029486816
RT_ICON | 0x1732e10 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.299390243902439
RT_ICON | 0x1733478 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.478494623655914
RT_ICON | 0x1733760 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.48155737704918034
RT_ICON | 0x1733948 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.597972972972973
RT_ICON | 0x1733ac0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.09404315196998124
RT_ICON | 0x1734b68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.2047872340425532
RT_GROUP_ICON | 0x1733a70 | 0x4c | data | English | United States | 0.8026315789473685
RT_GROUP_ICON | 0x1734fd0 | 0x22 | data | English | United States | 1.0588235294117647
RT_VERSION | 0x1734ff8 | 0x24c | data | English | United States | 0.4812925170068027
RT_MANIFEST | 0x1735248 | 0x605 | XML 1.0 document, ASCII text | English | United States | 0.45295262816353016
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                  Feb 6, 2024 16:03:32.627602100 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:32.627618074 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:32.627634048 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:32.627649069 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:32.627664089 CET4916380192.168.2.2249.12.130.237
                                                                                                                                                                  Feb 6, 2024 16:03:32.627702951 CET4916380192.168.2.2249.12.130.237
                                                                                                                                                                  Feb 6, 2024 16:03:32.637981892 CET4916380192.168.2.2249.12.130.237
                                                                                                                                                                  Feb 6, 2024 16:03:32.849570036 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:32.849661112 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:32.849771976 CET4916380192.168.2.2249.12.130.237
                                                                                                                                                                  Feb 6, 2024 16:03:32.856061935 CET4916380192.168.2.2249.12.130.237
                                                                                                                                                                  Feb 6, 2024 16:03:33.066281080 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:33.100126982 CET4916380192.168.2.2249.12.130.237
                                                                                                                                                                  Feb 6, 2024 16:03:33.211673975 CET49164443192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:33.211709976 CET4434916437.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:33.211766958 CET49164443192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:33.238413095 CET49164443192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:33.238430023 CET4434916437.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:33.310043097 CET804916349.12.130.237192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:33.310126066 CET4916380192.168.2.2249.12.130.237
                                                                                                                                                                  Feb 6, 2024 16:03:33.694092989 CET4434916437.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:33.694175959 CET49164443192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:33.695009947 CET49164443192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:33.695019007 CET4434916437.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:33.695136070 CET4434916437.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:33.695175886 CET49164443192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:33.732795954 CET49164443192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:33.843884945 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.068346977 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.068516016 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.075604916 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.299972057 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.302047968 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.302066088 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.302079916 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.302114964 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.312767982 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.538166046 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.538332939 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.538434982 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.549913883 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.821206093 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.865401030 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:34.939711094 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:34.939902067 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.071774006 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.080310106 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.164047956 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.164186001 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.194674969 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.215358973 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.215415955 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.257253885 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.257276058 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.257369995 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.270524025 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.272711992 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.276274920 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.304641008 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.434330940 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.434355974 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.434393883 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.434469938 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.434482098 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.434659958 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.439726114 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505347013 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505367041 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505378008 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505390882 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505402088 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505413055 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.505414009 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505413055 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.505428076 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505439997 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.505472898 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.505472898 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.579586983 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.658735991 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:35.659761906 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.672807932 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:35.945096970 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024282932 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024296045 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024307013 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024318933 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024331093 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024342060 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024353981 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.024933100 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:36.024933100 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:36.028341055 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028354883 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028387070 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028395891 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028403044 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028404951 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028407097 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028444052 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:36.028539896 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:36.028539896 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:36.239351988 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:46.034933090 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:46.259341955 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:56.268610954 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:56.481359959 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:03:56.481476068 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:03:56.492958069 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:04:06.486560106 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:04:06.710985899 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:04:16.720184088 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:04:16.945535898 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:04:26.945111036 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:04:26.945554972 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:04:26.953809023 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:04:27.178136110 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:04:37.187496901 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:04:37.189707994 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:04:37.189781904 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:04:37.411974907 CET804916537.19.203.82192.168.2.22
                                                                                                                                                                  Feb 6, 2024 16:04:47.421447039 CET4916580192.168.2.2237.19.203.82
                                                                                                                                                                  Feb 6, 2024 16:04:47.428458929 CET804916537.19.203.82192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 6, 2024 16:03:31.509710073 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 16:03:31.614305019 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 16:03:32.093379021 CET | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 16:03:32.195455074 CET | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 16:03:33.106740952 CET | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 16:03:33.209331036 CET | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Feb 6, 2024 16:03:33.738964081 CET | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Feb 6, 2024 16:03:33.841303110 CET | 53 | 54998 | 8.8.8.8 | 192.168.2.22

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 6, 2024 16:03:31.509710073 CET | 192.168.2.22 | 8.8.8.8 | 0xd465 | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 16:03:32.093379021 CET | 192.168.2.22 | 8.8.8.8 | 0x711c | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 16:03:33.106740952 CET | 192.168.2.22 | 8.8.8.8 | 0xf3e2 | Standard query (0) | relay-96c9f029.net.anydesk.com | A (IP address) | IN (0x0001) | false
Feb 6, 2024 16:03:33.738964081 CET | 192.168.2.22 | 8.8.8.8 | 0x40cb | Standard query (0) | relay-96c9f029.net.anydesk.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 6, 2024 16:03:31.614305019 CET | 8.8.8.8 | 192.168.2.22 | 0xd465 | No error (0) | boot.net.anydesk.com | | 141.95.145.210 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 16:03:32.195455074 CET | 8.8.8.8 | 192.168.2.22 | 0x711c | No error (0) | boot.net.anydesk.com | | 49.12.130.237 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 16:03:33.209331036 CET | 8.8.8.8 | 192.168.2.22 | 0xf3e2 | No error (0) | relay-96c9f029.net.anydesk.com | | 37.19.203.82 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 16:03:33.841303110 CET | 8.8.8.8 | 192.168.2.22 | 0x40cb | No error (0) | relay-96c9f029.net.anydesk.com | | 37.19.203.82 | A (IP address) | IN (0x0001) | false

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 49.12.130.237 | 80 | 2504 | C:\Users\user\Desktop\AnyDesk.exe


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49165 | 37.19.203.82 | 80 | 2504 | C:\Users\user\Desktop\AnyDesk.exe



Target ID: 0
Start time: 16:03:26
Start date: 06/02/2024
Path: C:\Users\user\Desktop\AnyDesk.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\AnyDesk.exe
Imagebase: 0x1330000
File size: 5'216'584 bytes
MD5 hash: A21768190F3B9FEAE33AAEF660CB7A83
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 2
Start time: 16:03:28
Start date: 06/02/2024
Path: C:\Users\user\Desktop\AnyDesk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AnyDesk.exe" --local-service
Imagebase: 0x1330000
File size: 5'216'584 bytes
MD5 hash: A21768190F3B9FEAE33AAEF660CB7A83
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID:3
Start time:16:03:28
Start date:06/02/2024
Path:C:\Users\user\Desktop\AnyDesk.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\AnyDesk.exe" --local-control
Imagebase:0x1330000
File size:5'216'584 bytes
MD5 hash:A21768190F3B9FEAE33AAEF660CB7A83
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

No disassembly