Edit tour

Windows Analysis Report
https://download.anydesk.com/AnyDesk.exe

Overview

General Information

Sample URL:	https://download.anydesk.com/AnyDesk.exe
Analysis ID:	1423042
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Contains long sleeps (>= 3 min)

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: File Download From Browser Process Via Inline URL

Stores files to the Windows start menu directory

Tries to load missing DLLs

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 7024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://download.anydesk.com/AnyDesk.exe MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6184 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5164 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 7572 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

AnyDesk.exe (PID: 8160 cmdline: "C:\Users\user\Downloads\AnyDesk.exe" MD5: 863FA58AA1FE8A88626625B191D4722E)

AnyDesk.exe (PID: 3608 cmdline: "C:\Users\user\Downloads\AnyDesk.exe" --local-service MD5: 863FA58AA1FE8A88626625B191D4722E)

AnyDesk.exe (PID: 5380 cmdline: "C:\Users\user\Downloads\AnyDesk.exe" --local-control MD5: 863FA58AA1FE8A88626625B191D4722E)

cleanup

Sigma Signatures

Sigma detected: File Download From Browser Process Via Inline URL

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://download.anydesk.com/AnyDesk.exe, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://download.anydesk.com/AnyDesk.exe, CommandLine|base64offset|contains: -j~b,, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 612, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://download.anydesk.com/AnyDesk.exe, ProcessId: 7024, ProcessName: chrome.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.188.124.20:443 -> 192.168.2.16:49719 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10

Source: unknown

DNS traffic detected: queries for: download.anydesk.com

Source: unknown

HTTP traffic detected: POST /httpapi HTTP/1.1Host: api.playanext.comUser-Agent: AnyDesk/8.0.9Accept: */*Content-Length: 352Content-Type: application/x-www-form-urlencodedapi_key=c1426bd258099fa69f62933b466d4b77&event=[{"event_type":"check_offer","user_id":"f34f4f8204d2ac6618e142bb2b5bdf27","session_id":1712671744093462,"ip":"$remote","event_properties":{"method_used":"Google Chrome Criteria Checker","offer_product":"Google Chrome","distributor":"AnyDesk","distributor_product":"AnyDesk","user_country":"Switzerland"}}Data Raw: Data Ascii:

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.188.124.20:443 -> 192.168.2.16:49719 version: TLS 1.2

Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: usp10.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: cscapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dcomp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: usp10.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wkscli.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: netprofm.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: npmproxy.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: secur32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: usp10.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\AnyDesk.exe	Section loaded: userenv.dll

Source: classification engine

Classification label: mal60.evad.win@26/16@7/118

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\a9edcd6a-2310-4b9a-b372-9baf6e76d5a7.tmp

Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_3
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_5380_6464_0
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcstobjmtx
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_5380_1896024759_0_mtx
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Session\1\ad_connect_queue_3608_1894837557_mtx
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_5380_1896024759_1_mtx
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_18
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_8160_1872028700_0_mtx
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_4
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_5
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_6
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_19
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_5380_1776_0
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_13
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_11
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_809_lsystem_mtx
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_qipcmtx_3608_2300_12
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_trace_mtx
Source: C:\Users\user\Downloads\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_8160_1872028700_1_mtx

Source: C:\Users\user\Downloads\AnyDesk.exe

File created: C:\Users\user\AppData\Local\Temp\gcapi.dll

Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Downloads\AnyDesk.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://download.anydesk.com/AnyDesk.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5164 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5164 --field-trial-handle=1976,i,3613977312255908557,4567770368818224266,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\Downloads\AnyDesk.exe "C:\Users\user\Downloads\AnyDesk.exe"
Source: C:\Users\user\Downloads\AnyDesk.exe	Process created: C:\Users\user\Downloads\AnyDesk.exe "C:\Users\user\Downloads\AnyDesk.exe" --local-service
Source: C:\Users\user\Downloads\AnyDesk.exe	Process created: C:\Users\user\Downloads\AnyDesk.exe "C:\Users\user\Downloads\AnyDesk.exe" --local-control
Source: C:\Users\user\Downloads\AnyDesk.exe	Process created: C:\Users\user\Downloads\AnyDesk.exe "C:\Users\user\Downloads\AnyDesk.exe" --local-service
Source: C:\Users\user\Downloads\AnyDesk.exe	Process created: C:\Users\user\Downloads\AnyDesk.exe "C:\Users\user\Downloads\AnyDesk.exe" --local-control
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\AnyDesk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InProcServer32

Source: C:\Users\user\Downloads\AnyDesk.exe

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Downloads\AnyDesk.exe	File created: C:\Users\user\Downloads\gcapi.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\a9edcd6a-2310-4b9a-b372-9baf6e76d5a7.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 720117.crdownload	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Downloads\AnyDesk.exe

File opened: C:\Users\user\Downloads\AnyDesk.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\AnyDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\AnyDesk.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory

Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Downloads\AnyDesk.exe

Dropped PE file which has not been started: C:\Users\user\Downloads\gcapi.dll

Jump to dropped file

Source: C:\Users\user\Downloads\AnyDesk.exe TID: 5700	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 3688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 4800	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 1788	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 1476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 640	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 1788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 1540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 5700	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Downloads\AnyDesk.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard

Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Downloads\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\AnyDesk.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Downloads\AnyDesk.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Downloads\AnyDesk.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Downloads\AnyDesk.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Downloads\AnyDesk.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Downloads\AnyDesk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	421 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	41 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	331 Virtualization/Sandbox Evasion	Security Account Manager	331 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	123 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
https://download.anydesk.com/AnyDesk.exe	0%	Virustotal		Browse
https://download.anydesk.com/AnyDesk.exe	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Downloads\Unconfirmed 720117.crdownload	0%	ReversingLabs
C:\Users\user\Downloads\gcapi.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
d1atxff5avezsq.cloudfront.net	18.173.219.116	true	false	high
boot.net.anydesk.com	185.229.191.39	true	false	high
download.anydesk.com	159.69.19.197	true	false	high
www.google.com	142.250.72.100	true	false	high
relay-c6eb91af.net.anydesk.com	5.188.124.20	true	false	high
api.playanext.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.playanext.comUser-Agent: AnyDesk/8.0.9Accept: /Content-Length: 352Content-Type: application/x-www-form-urlencodedapi_key=c1426bd258099fa69f62933b466d4b77&event=[{"event_type":"check_offer","user_id":"f34f4f8204d2ac6618e142bb2b5bdf27","session_id":1712671744093462,"ip":"$remote","event_properties":{"method_used":"Google Chrome Criteria Checker","offer_product":"Google Chrome","distributor":"AnyDesk","distributor_product":"AnyDesk","user_country":"Switzerland"}}/httpapi	false		low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.80.46	unknown	United States	15169	GOOGLEUS	false
18.173.219.118	unknown	United States	3	MIT-GATEWAYSUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.251.111.84	unknown	United States	15169	GOOGLEUS	false
185.229.191.39	boot.net.anydesk.com	Czech Republic	60068	CDN77GB	false
142.250.80.67	unknown	United States	15169	GOOGLEUS	false
5.188.124.20	relay-c6eb91af.net.anydesk.com	United States	202422	GHOSTRU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.72.100	www.google.com	United States	15169	GOOGLEUS	false
159.69.19.197	download.anydesk.com	Germany	24940	HETZNER-ASDE	false
172.217.165.142	unknown	United States	15169	GOOGLEUS	false
142.251.41.3	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17
192.168.2.16
192.168.2.6
192.168.2.14

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1423042
Start date and time:	2024-04-09 16:06:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://download.anydesk.com/AnyDesk.exe
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.evad.win@26/16@7/118

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.41.3, 142.250.80.46, 142.251.111.84, 34.104.35.123
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: C:\Users\user\Downloads\Unconfirmed 720117.crdownload

Created / dropped Files

C:\Users\user\AppData\Roaming\AnyDesk\service.conf

Download File

Process:	C:\Users\user\Downloads\AnyDesk.exe
File Type:	ASCII text, with very long lines (1751)
Category:	dropped
Size (bytes):	2970
Entropy (8bit):	6.035649075804322
Encrypted:	false
SSDEEP:
MD5:	BC783E983151253DB22736743C306868
SHA1:	073C3F316BF68407B72FA659254514FF9B73822D
SHA-256:	CD29EAC47D3B0EA8F0E7ABC2556C68F0395784FFA4A7A8DADC6B7C4EB9A51D44
SHA-512:	282D9A13158EE216ED4A465DFB54CA43518B697D160C3E4E1B39A9E67D3513FD1C9F55AA2C660402B0C7F34CAB0395CBB92B52F06FF7532DA14BE0F1B158C8F9
Malicious:	false
Reputation:	unknown
Preview:	ad.anynet.cert=-----BEGIN CERTIFICATE-----\nMIICqDCCAZACAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOQW55RGVzayBD\nbGllbnQwIBcNMjQwNDA5MTQwODQ5WhgPMjA3NDAzMjgxNDA4NDlaMBkxFzAVBgNV\nBAMMDkFueURlc2sgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEArZtlTEZbNngRNWSJ3gP92ce+Kua/djtJc0+16RvcdbKwc0iqPMf5P8Tut6ZC\nuUN8YpfAYW3gNSa12O6TaFLsIajRGXgMVBjkf13B32X0YqfrP/Bv7q5pGxTpIzJN\nNd5k7ESrEw99AqAI34AXQMfd1Cxu9qmBIzLfyvMxNF7Ek9wViK+i4zZShuqKjZ8T\ntq0U/qg29Kk0aSyduYGjBjRj/sj1D2kz1Hd8WY+t0QXgmjJZ6Ps4bKSIUADDaWUp\nTclO145H+BFufvjPeodclVSGwAYhuC9ovhZLsl7sHjw5V/tfV6KCSlNsWi2EVCl8\nbnlXjZcEa84pPHO8pYs0cTZ4+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAYGT1t\nDWgtsGyJBcQjSKvzxyagT9dJgt5NTiIMxQBhSboFi/pPlKFrK5wDGiYwdCCrD8E4\n61J0S5jX7KXiyGM6b2vO8FoVoNPKrJGKKEB9+UV6yr2HamgPyrBxi1kqzYBhQZUi\nMpimzoWh4KoaBF6BJG+jwMTZJscve1S0tuv+OzHZxKAm/3unqq3oy6n9JLdUwFZg\n+S/EXVeLnIZAdZSfabRiBHQVuFhO+OhoD92RaFYNyL3MTBdRUBpqi8cbJc3hVSou\nhS3BPh7cY9CI2w0kxDXivQKQaZC+XGpKxRJLKQs/JIdKmhnb4gxS4kZxWC7knaht\n/vH4p5wNpjnpi9gv\n-----END CERTI

C:\Users\user\AppData\Roaming\AnyDesk\system.conf

Download File

Process:	C:\Users\user\Downloads\AnyDesk.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	745
Entropy (8bit):	4.798877962604944
Encrypted:	false
SSDEEP:
MD5:	B429FB028D232FDB89B1380F7E1C0D04
SHA1:	F0C848941FE12F796EC01C80C3F9EC129AA95631
SHA-256:	01CE3C1245926DD7DA705B47A6542F3F5A0659D18AB441EE3F106B62AC21A2B4
SHA-512:	48F38C83D6AFAA4B4BA07B00E7E85DDBE07AEB0CE805CB45D143F5F4C0E62A3885DE5AC9EABF2F542E4AC1DA4312C1A4717165F60441062E42E191D7DC3C9385
Malicious:	false
Reputation:	unknown
Preview:	ad.anynet.alias=.ad.anynet.client_stats_hash=b76d85854e61d4ca815874c06c57e6dcf8821f60.ad.anynet.cur_version=34359738376.ad.anynet.fpr=cf712766f1bea10083669eb719f47501ff93c925.ad.anynet.id=1253982693.ad.anynet.last_relay=relay-c6eb91af.net.anydesk.com:80:443:6568.ad.anynet.network_hash=2d4ee4eee3fe9b334ca05e02377b671b7816379f.ad.anynet.network_id=main.ad.anynet.relay.fatal_result=1.0.ad.anynet.relay.state=2.ad.license.name=free-1.ad.security.frontend_clipboard=1.ad.security.frontend_clipboard_files=1.ad.security.frontend_clipboard_version=1.ad.security.permission_profiles._default.permissions.sas=1.ad.security.permission_profiles._unattended_access.permissions.sas=1.ad.security.permission_profiles.version=1.ad.security.update_version=1.

C:\Users\user\AppData\Roaming\AnyDesk\user.conf

Download File

Process:	C:\Users\user\Downloads\AnyDesk.exe
File Type:	ASCII text, with very long lines (3197)
Category:	dropped
Size (bytes):	7057
Entropy (8bit):	4.4186908472824316
Encrypted:	false
SSDEEP:
MD5:	CBD2E481BBB1473E286EA74BEE7F5F18
SHA1:	5E301279D8A9645C0AB3652A326086E6EBFA2C38
SHA-256:	946EB34E107987BBEE4EE64FB77B09D7D4C998AE1C4F234B05895AB4E2F69453
SHA-512:	D4FC818DCF9DE478514F1E5938FDA787422FFFE79D9A5ADF0A8D25C9F9CBA60686EDAEC6704C019F345EE3DD82C760E1E6E752C1B788D4E7DC147B5F9366A694
Malicious:	false
Reputation:	unknown
Preview:	ad.account.auth_methods=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da4cc864bfd17037f9a15c681ea25072f70ff648310f1fa2df0b53d2e90e4e008262013ecaea92b0335e4e720f452520726b4e71bfa52645f03f95dee621424067c8c7a5fea268c27374ab0862b47b212f41cf5778b89c56dd0bfc20201a97c0204f6462df9f247050e2ffd7e12d52f0ecefa8842ab1865470f0d9cf746e5137a675aff7a9371b3ab0f53e806804e994b61513b91c2bc952a9ec7ac89e940ba78fd7f8638cc736c4f3f4fe9a0a43d874bf7f1c2b821ff81703a993eaf1197199377eedfa9b9d07a21dcaf4450641b9.ad.account.info=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da4cc864bfd17037f9a15c681ea25072f70ff648310f1fa2df0b53d2e90e4e008262013ecaea929fbe31d5f66402a00fef92deb9b982f16fd5b1a4879f99adb590b0451a214652c27374ab0862b47b212f41cf5778b89cd93adecacb3a0b3c8f72c13b2e43971852f3bef5d667c5d73d992df40bf57d6f6470f0d92dccd0d8aaebbad1ad426ce68b40b71e4d018d1acd037f53d05e7f6e0eeba93811cc97f0b7e41a9479b40bdcfa336bc6acc804a1e0f17793409b56d3daa41952f94383a49bce987052705a7ffd77e734895d1e1be283d8b37263ce5683becec2998d101b.ad.acc

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (copy)

Download File

Process:	C:\Users\user\Downloads\AnyDesk.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	404D489692518534431A67096BFF051A
SHA1:	0A7366BE1399B746CB7D34EE31E8D7BDCC08E73C
SHA-256:	48C779FBB2BEB9DF249E57278FC62CEDC201A187C8CEF9DCEDE63FF277A6095E
SHA-512:	A17E8147ADC309D9A4576BDA3CD8DF8749E5511CF93809BB8938AAA05C9C94A8EE1EC3A716F76273F2EF215BDB3AAF1374A7F3B03EB815D16C27F99D803EB07A
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.@.. ......4....H'.o....qY.e....H;Q..........................P.O. .:i.....+00.:....9..#..K.&].B.._&...&.........{4....^.d..../..p......b.2.H;Q..X.q .AnyDesk.exe.H......X.p.X.q....^Y.....................)o.A.n.y.D.e.s.k...e.x.e.......R...............-.......Q...........iq.......C:\Users\user\Downloads\AnyDesk.exe....O.p.e.n. .a. .n.e.w. .A.n.y.D.e.s.k. .w.i.n.d.o.w...#.C.:.\.U.s.e.r.s.\.c.a.l.i.\.D.o.w.n.l.o.a.d.s.\.A.n.y.D.e.s.k...e.x.e.........%USERPROFILE%\Downloads\AnyDesk.exe.................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.D.o.w.n.l.o.a.d.s.\.A.n.y.D.e.s.k...e.x.e...................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6QG2JX1HCBUBFX2FJNY.temp

Download File

Process:	C:\Users\user\Downloads\AnyDesk.exe
File Type:	data
Category:	dropped
Size (bytes):	3208
Entropy (8bit):	3.2671655489810765
Encrypted:	false
SSDEEP:
MD5:	404D489692518534431A67096BFF051A
SHA1:	0A7366BE1399B746CB7D34EE31E8D7BDCC08E73C
SHA-256:	48C779FBB2BEB9DF249E57278FC62CEDC201A187C8CEF9DCEDE63FF277A6095E
SHA-512:	A17E8147ADC309D9A4576BDA3CD8DF8749E5511CF93809BB8938AAA05C9C94A8EE1EC3A716F76273F2EF215BDB3AAF1374A7F3B03EB815D16C27F99D803EB07A
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.@.. ......4....H'.o....qY.e....H;Q..........................P.O. .:i.....+00.:....9..#..K.&].B.._&...&.........{4....^.d..../..p......b.2.H;Q..X.q .AnyDesk.exe.H......X.p.X.q....^Y.....................)o.A.n.y.D.e.s.k...e.x.e.......R...............-.......Q...........iq.......C:\Users\user\Downloads\AnyDesk.exe....O.p.e.n. .a. .n.e.w. .A.n.y.D.e.s.k. .w.i.n.d.o.w...#.C.:.\.U.s.e.r.s.\.c.a.l.i.\.D.o.w.n.l.o.a.d.s.\.A.n.y.D.e.s.k...e.x.e.........%USERPROFILE%\Downloads\AnyDesk.exe.................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.D.o.w.n.l.o.a.d.s.\.A.n.y.D.e.s.k...e.x.e...................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 9 13:07:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9855541227429025
Encrypted:	false
SSDEEP:
MD5:	44FCA0A9BB275B5EC431168E657652EB
SHA1:	A29854317576191E1757322EE08D6466B33AB70F
SHA-256:	F4EA39ACC645FD43BEB2DC29FFFE3746A7A46D2CF341B57D40332070EBB6D836
SHA-512:	EFD59D314DB482D9153887A88E986B7FD96D80B56DA2AB0B9B13F30D130FF3610CB49A020331389452246C0B92D70411FFE4092A6DDCB7762DE038260AC79B50
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......5....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.p....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.p....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.p..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.p...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........iq.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 9 13:07:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.001139589728857
Encrypted:	false
SSDEEP:
MD5:	7EC4F4648F521F3D63C6F805174FA55B
SHA1:	994D41512FB735638386BA879B9C8D7378F8E595
SHA-256:	65C7199C5730C51CFD2B6F3DBB86082B97F6D9ADF9D250CE385237AFA9151579
SHA-512:	28F1D538EF4CF3FCAB5C32B79DB333202E3AC6635B5F7CEB8FA81CFD924870266CC9F1A7C36FF234615CB4B9C67564AE0886E94049A565C89F40A9CB74D2957E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....N..5....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.p....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.p....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.p..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.p...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........iq.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.008829360551742
Encrypted:	false
SSDEEP:
MD5:	6F33CC11AF5398EC43B4C3B3E1D4E714
SHA1:	A8ED9179E6BAD71A04FA1604233A0A2423C44D07
SHA-256:	FB17B0D829A5DE92D142598CE32C95415F14883DCF11501D5FDEB3C57C498EA0
SHA-512:	99BC33AC0D33ACC9CB87447EB70248A170C91535F49D63238C3CCBAFADA4641396C941B933302C60DA2ED476B3245AB66E17912B7020FBF294550ACE695E1C6A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.p....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.p....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.p..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........iq.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 9 13:07:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9986772970608317
Encrypted:	false
SSDEEP:
MD5:	8DAF82A260B926DEF996A7D8377C923A
SHA1:	4F47B2FF242DB45F505814CABCC7B526BC6FA156
SHA-256:	E1D3E504874DA17A0A020B38F2C897004CF4079791C7FA3D1F1EEF14725E80C5
SHA-512:	D481742F9BDEE6BBFBD45860DEFA1B052C200A3D80ADFA4499F00694B9863C03675C554ED8B3BAE5C383E9B7C139C6AF1B0EE33ABB3F48DCCAA8B10CBF5B7261
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....G.5....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.p....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.p....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.p..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.p...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........iq.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 9 13:07:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.988165652451057
Encrypted:	false
SSDEEP:
MD5:	3601A95BA5ED737CBB54189B916283DC
SHA1:	FFCD404BFC1924BB64C3B347A54654B17FD116DF
SHA-256:	6ADE7329B4DFB3A143CC9C14C4A07EC03A1A63767BDE68B13573CFC7557FC166
SHA-512:	33C6EB6A8F85118F980C835496A38D72D8FBA5F7926337495D0D49DE77C8CD0FB6EDBD0EF023825B3EBC58885EC4DC79D8814BE21859C4980D815D3A46DFDC9B
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....9..5....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.p....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.p....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.p..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.p...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........iq.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 9 13:07:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.995035014164086
Encrypted:	false
SSDEEP:
MD5:	DD998D3BAB84F9353225D78ED81905BA
SHA1:	1D66B6EC351DB8F7D188A363BE8D3D1957B84720
SHA-256:	3F6F6CD0D9B77FBAF9348199DA5F441238FBA5B9B5CE1D4968BE5775AEECFC61
SHA-512:	9AC99FD063C6690D393BD98D16A4D01945D6FD04AC166E9F72EE1E81E2899F14C7B91294328A503165BB3C63BD017F6EF231252DE753A9B040248DC9376E34EE
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....R..5....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.p....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.p....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.p....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.p..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.p...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........iq.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\AnyDesk.exe (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	863FA58AA1FE8A88626625B191D4722E
SHA1:	E7FB4BF69BE5AC4583C0C02E26A17BD3CDEF4C02
SHA-256:	45126297C07C6EF56B51440CD0DC30ACF7B3B938E2E9E656334886FE2F81F220
SHA-512:	FFD3BF831E8F0DC605706075A9763C68552F6560AA8660D7993E5156F64032FBC4FF6134FD333822E3090FB863CECFF9E463316A8D9C3150152B73F8377AA2BD
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L....F.f.........."..........P..(#..........@....@..........................Pt.....a.Q...@...........................................s.PH............P.HQ...@t......p#..............................................................................text...w(......................... ..`.itext...(#..@...........................rdata.......p#.....................@..@.data....mP...#..jP..2..............@....rsrc...PH....s..J....P.............@..@.reloc.......@t.......P.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\Unconfirmed 720117.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5323592
Entropy (8bit):	7.999511688273169
Encrypted:	true
SSDEEP:
MD5:	863FA58AA1FE8A88626625B191D4722E
SHA1:	E7FB4BF69BE5AC4583C0C02E26A17BD3CDEF4C02
SHA-256:	45126297C07C6EF56B51440CD0DC30ACF7B3B938E2E9E656334886FE2F81F220
SHA-512:	FFD3BF831E8F0DC605706075A9763C68552F6560AA8660D7993E5156F64032FBC4FF6134FD333822E3090FB863CECFF9E463316A8D9C3150152B73F8377AA2BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L....F.f.........."..........P..(#..........@....@..........................Pt.....a.Q...@...........................................s.PH............P.HQ...@t......p#..............................................................................text...w(......................... ..`.itext...(#..@...........................rdata.......p#.....................@..@.data....mP...#..jP..2..............@....rsrc...PH....s..J....P.............@..@.reloc.......@t.......P.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\a9edcd6a-2310-4b9a-b372-9baf6e76d5a7.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32455
Entropy (8bit):	7.644105422785931
Encrypted:	false
SSDEEP:
MD5:	70844CE3F087F55F8C960D612F9A20DF
SHA1:	CB85BEBDC581CC4E19C654E30BB5E9930E5B34D8
SHA-256:	F0CF09C15539351E6967A0F95177E2AA0A6837985A9FDF14FD84A92277CC08B1
SHA-512:	FA301372B1024C3A7B7A8C366CE73A9BF9B677C6CAD80F55E6729BBE10DC8745723F230525F399E14EEABFBBE19E2D3B1FAA3B5460241B07AD52B1909318126F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L....F.f.........."..........P..(#..........@....@..........................Pt.....a.Q...@...........................................s.PH............P.HQ...@t......p#..............................................................................text...w(......................... ..`.itext...(#..@...........................rdata.......p#.....................@..@.data....mP...#..jP..2..............@....rsrc...PH....s..J....P.............@..@.reloc.......@t.......P.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\gcapi.dll

Download File

Process:	C:\Users\user\Downloads\AnyDesk.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	394240
Entropy (8bit):	6.700175464943679
Encrypted:	false
SSDEEP:
MD5:	1CE7D5A1566C8C449D0F6772A8C27900
SHA1:	60854185F6338E1BFC7497FD41AA44C5C00D8F85
SHA-256:	73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
SHA-512:	7E3411BE8614170AE91DB1626C452997DC6DB663D79130872A124AF982EE1D457CEFBA00ABD7F5269ADCE3052403BE31238AECC3934C7379D224CB792D519753
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........q.hB..;B..;B..;.I.:@..;...;W..;...;...;...;b..;.#;@..;!M.:U..;!M.:c..;!M.:u..;...;@..;,M.:...;...;Y..;B..;~..;,M.:e..;,M.:C..;,M.;C..;B.s;C..;,M.:C..;RichB..;........................PE..L......W.........."!................:.....................................................@.........................p................0.......................@..h2......8...........................p...@.......................@....................text...y........................... ..`.rdata...-..........................@..@.data...H5..........................@....gfids..(...........................@..@.tls......... ......................@....rsrc........0......................@..@.reloc..h2...@...4..................@..B................................................................................................................................................................

Static File Info

⊘No static file info

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://download.anydesk.com/AnyDesk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\AnyDesk\service.conf

C:\Users\user\AppData\Roaming\AnyDesk\system.conf

C:\Users\user\AppData\Roaming\AnyDesk\user.conf

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6QG2JX1HCBUBFX2FJNY.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\AnyDesk.exe (copy)

C:\Users\user\Downloads\Unconfirmed 720117.crdownload

C:\Users\user\Downloads\a9edcd6a-2310-4b9a-b372-9baf6e76d5a7.tmp

C:\Users\user\Downloads\gcapi.dll

Static File Info

Windows Analysis Report
https://download.anydesk.com/AnyDesk.exe