
Analysis Report AnyDesk (2).exe

Overview

General Information

Sample Name:AnyDesk (2).exe
Analysis ID:381569
MD5:0b4ebd7fc0fc37a5f64d5c1ad3247ef8
SHA1:f5e3587a93a0dd4ddff0d2ca75577f5719763a51
SHA256:9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb
Infos: Themida-packed PE32+ console executable (entry point in .boot; .themida has 0x9c4000 bytes of virtual size and no raw data) whose version resource claims to be Microsoft's svchost.exe. Embedded strings (dreamclient.rip and lithiumclient.wtf API endpoints, the dream-crack.pdb build path, the console output "Waiting for minecraft to open.....") identify it as a Minecraft cheat-client loader, not AnyDesk.

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Classification label: mal72.evad.winEXE@2/1@0/0 (malicious, score 72, evasive Windows executable; 2 processes, 1 dropped file, 0 DNS queries, 0 contacted IPs)

Process Tree

  • System is w10x64
  • AnyDesk (2).exe (PID: 5056 cmdline: 'C:\Users\user\Desktop\AnyDesk (2).exe' MD5: 0B4EBD7FC0FC37A5F64D5C1AD3247EF8)
    • conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: AnyDesk (2).exe | Virustotal: Detection: 17%
Source: AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: AnyDesk (2).exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! | source: AnyDesk (2).exe, 00000000.00000002.475463345.00007FF7494BA000.00000040.00020000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb | source: AnyDesk (2).exe, 00000000.00000002.475463345.00007FF7494BA000.00000040.00020000.sdmp
Source: Binary string: D:\WACATACC\Projects\Programs\dream-crack\x64\Release\dream-crack.pdb | source: AnyDesk (2).exe
Source: AnyDesk (2).exe | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0D
Source: AnyDesk (2).exe | String found in binary or memory: http://cps.letsencrypt.org
Source: AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.orgdnsapi.dll#http://cert.int-x3.letsencrypt.org/0Dhttp://cps.root-x1.letsenc
Source: AnyDesk (2).exe | String found in binary or memory: http://cps.root-x1.letsencrypt.org
Source: AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: AnyDesk (2).exe | String found in binary or memory: https://dreamclient.rip/
Source: AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | String found in binary or memory: https://dreamclient.rip/HWID
Source: AnyDesk (2).exe | String found in binary or memory: https://dreamclient.rip/api/user/auth/
Source: AnyDesk (2).exe | String found in binary or memory: https://dreamclient.rip/api/user/config/
Source: AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | String found in binary or memory: https://dreamclient.rip/api/user/config/enabledblockbreakkeybindwhitelistblockhitaimassistrangejitte
Source: AnyDesk (2).exe | String found in binary or memory: https://lithiumclient.wtf/api/download
Source: AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | String found in binary or memory: https://lithiumclient.wtf/api/downloadexplorer.exesmartscreen.exectfmon.exeSearchIndexer.exePcaSvcls

System Summary:

PE file contains section with special chars
Source: AnyDesk (2).exe | Static PE information: six section names made of non-printable characters (not rendered; they are the unnamed rows of the section table below)
Source: AnyDesk (2).exe | Static PE information: Number of sections : 12 > 10
Source: AnyDesk (2).exe, 00000000.00000003.205568337.0000017A1CB80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename svchost.exe vs AnyDesk (2).exe
Source: AnyDesk (2).exe | Binary or memory string: OriginalFilename svchost.exe vs AnyDesk (2).exe
Source: AnyDesk (2).exe | Static PE information: Section (unnamed, RVA 0x1000): ZLIB complexity 1.00033261396
Source: AnyDesk (2).exe | Static PE information: Section (unnamed, RVA 0x86000): 0.999787471441
Source: AnyDesk (2).exe | Static PE information: Section (unnamed, RVA 0xa8000): ZLIB complexity 1.01634472511
Source: AnyDesk (2).exe | Static PE information: Section (unnamed, RVA 0xb1000): ZLIB complexity 1.01676829268
Source: AnyDesk (2).exe | Static PE information: Section (unnamed, RVA 0xb2000): ZLIB complexity 1.01048617731
Source: AnyDesk (2).exe | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine | Classification label: mal72.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AnyDesk (2).exe | Virustotal: Detection: 17%
Source: unknown | Process created: C:\Users\user\Desktop\AnyDesk (2).exe 'C:\Users\user\Desktop\AnyDesk (2).exe'
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: AnyDesk (2).exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: AnyDesk (2).exe | Static file information: File size 5944848 > 1048576
Source: AnyDesk (2).exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x559400
Source: AnyDesk (2).exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! | source: AnyDesk (2).exe, 00000000.00000002.475463345.00007FF7494BA000.00000040.00020000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb | source: AnyDesk (2).exe, 00000000.00000002.475463345.00007FF7494BA000.00000040.00020000.sdmp
Source: Binary string: D:\WACATACC\Projects\Programs\dream-crack\x64\Release\dream-crack.pdb | source: AnyDesk (2).exe
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: AnyDesk (2).exe | Static PE information: section names: six non-printable names (not rendered), .imports, .themida, .boot
Source: initial sample | Static PE information: section (unnamed, RVA 0x1000): entropy: 7.98367439627

Reading these together: a ZLIB complexity of 1.0 or more means zlib could not shrink the section at all, so the unnamed sections are already compressed or encrypted (the entropy of 7.98 bits per byte says the same). The .themida and .boot names, the entry point in .boot and the svchost.exe version information are the packer and the disguise; the dream-crack.pdb path names the real project. The conhost.exe mutant (a WIL error-reporting mutex) and the Safer\CodeIdentifiers read (the Software Restriction Policies check Windows makes on process creation) are ordinary system behaviour, not sample activity.

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\AnyDesk (2).exe | System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\AnyDesk (2).exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: AnyDesk (2).exe, 00000000.00000002.470773166.0000017A1CBFB000.00000004.00000020.sdmp | Binary or memory strings (some are glued to neighbouring data by the string extractor; the RAM SLOT #nn and NVD SLOT #nn fragments are SMBIOS memory-device strings, consistent with the firmware table query above):
  HOOKEXPLORER.EXE
  AUTORUNSC.EXE
  IDAG.EXE
  PEID.EXE
  HOOKEXPLORER.EXE1
  IMPORTREC.EXE
  DUMPCAP.EXEA
  PETOOLS.EXEA
  HOOKEXPLORER.EXENVD SLOT #7NVD S)
  HOOKEXPLORER.EXERAM SLO
  SYSANALYZER.EXE
  IDAQ.EXE
  FILEMON.EXE
  PROCMON.EXE
  PROC_ANALYZER.EXERAM SLOT #39
  OLLYDBG.EXE
  REGMON.EXE
  AUTORUNS.EXE
  SLOT #40 /IDAQ.EXE
  PETOOLS.EXE
  PROC_ANALYZER.EXE
  SNIFF_HIT.EXE
  IDAG.EXEQ
  PROC_ANALYZER.EXENVD SLOT #14
  DUMPCAP.EXE
  WIRESHARK.EXE
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (display adapter class; the description of the video driver reveals a hypervisor's display device)
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\AnyDesk (2).exe TID: 2792 | Thread sleep time: -87500s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\AnyDesk (2).exe | System information queried: ModuleInformation

The checks are the usual packer set: the raw SMBIOS/ACPI tables (FirmwareTableInformation) and the BIOS version strings carry hypervisor vendor names, the VBOX__ ACPI table only exists under VirtualBox, and the loaded-module list (ModuleInformation) exposes sandbox and hypervisor drivers. The process blacklist is matched case-insensitively against running processes, which is why the same names reappear in upper and mixed case.

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\AnyDesk (2).exe | Process queried: DebugObjectHandle
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: AnyDesk (2).exe, 00000000.00000002.470994221.0000017A1D150000.00000002.00000001.sdmp | Binary or memory strings: Program Manager, Shell_TrayWnd, Progman, Progmanlock
Source: AnyDesk (2).exe, 00000000.00000002.470773166.0000017A1CBFB000.00000004.00000020.sdmp | Binary or memory strings: procmon.exe, tcpview.exe, Wireshark.exe, lordpe.exe, LordPE.exe, autoruns.exe, ollydbg.exe, regmon.exe

HideFromDebugger is NtSetInformationThread with the ThreadHideFromDebugger class: a hidden thread no longer delivers debug events, so breakpoints in it silently kill the process. DebugPort and DebugObjectHandle are NtQueryInformationProcess classes whose non-zero results reveal an attached debugger. The window probes look up Process Monitor, Registry Monitor and File Monitor by class name and title; Program Manager, Progman and Shell_TrayWnd are the desktop shell windows, used to confirm an interactive desktop exists. The lower-case tool names are a second, case-preserved copy of the process blacklist listed in the evasion section.
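The process names, window classes and registry markers above form a recognisable anti-analysis blacklist, and a memory dump can be triaged for it without running the sample. The scanner below is an added example, not Joe Sandbox's signature code; its indicator lists are taken from this report, the five-name threshold is an assumption, and the dump it runs on is constructed to resemble the report's memory region (including the SMBIOS fragments glued onto some names), not bytes from the sample.

```python
"""Anti-analysis string triage over a memory dump (added example, not
Joe Sandbox code). Indicator lists come from this report; the threshold
and the sample dump are assumptions/constructed data."""
import re

# Process names the sample compares running processes against (from the report).
ANALYSIS_TOOLS = {
    "procmon.exe", "regmon.exe", "filemon.exe", "ollydbg.exe", "idag.exe", "idaq.exe",
    "wireshark.exe", "dumpcap.exe", "autoruns.exe", "autorunsc.exe", "peid.exe",
    "petools.exe", "lordpe.exe", "importrec.exe", "hookexplorer.exe", "sysanalyzer.exe",
    "proc_analyzer.exe", "sniff_hit.exe", "tcpview.exe",
}
# Window classes / titles it probes with FindWindow-style lookups (from the report).
ANALYSIS_WINDOW_CLASSES = {"procmon_window_class", "regmonclass", "filemonclass"}
ANALYSIS_WINDOW_TITLES = {"process monitor - sysinternals", "registry monitor - sysinternals",
                          "file monitor - sysinternals"}
# Registry paths / value names it reads to spot a VM (from the report), lower-cased.
VM_MARKERS = {"hardware\\acpi\\dsdt\\vbox__", "systembiosversion", "videobiosversion"}
TOOL_THRESHOLD = 5   # assumption: this many distinct tool names in one dump is a deliberate blacklist

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs of four or more characters."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _UTF16.finditer(data)]
    return found


def scan(data: bytes) -> dict:
    """Return sorted indicator hits per category plus a 'flagged' verdict."""
    hits = {"tools": set(), "window_classes": set(), "window_titles": set(), "vm_markers": set()}
    for s in extract_strings(data):
        low = s.lower()
        # Substring matching on purpose: the sandbox's own dump shows names glued to
        # neighbouring data ("DUMPCAP.EXEA", "PROC_ANALYZER.EXERAM SLOT #39").
        hits["tools"].update(t for t in ANALYSIS_TOOLS if t in low)
        hits["window_classes"].update(c for c in ANALYSIS_WINDOW_CLASSES if c in low)
        hits["window_titles"].update(t for t in ANALYSIS_WINDOW_TITLES if t in low)
        hits["vm_markers"].update(m for m in VM_MARKERS if m in low)
    result = {k: sorted(v) for k, v in hits.items()}
    result["flagged"] = len(result["tools"]) >= TOOL_THRESHOLD or bool(result["window_classes"])
    return result


# Constructed dump (not bytes from the sample): tool names interleaved with SMBIOS
# slot strings, one UTF-16 name, two window classes, VM markers, and a benign
# process name that must not count.
SAMPLE_DUMP = (
    b"RAM SLOT #39\x00PROC_ANALYZER.EXERAM SLOT #39\x00DUMPCAP.EXEA\x00"
    b"HOOKEXPLORER.EXENVD SLOT #7NVD S)\x00OLLYDBG.EXE\x00IDAQ.EXE\x00"
    b"procmon_window_class\x00regmonclass\x00\x00"
    + "Wireshark.exe".encode("utf-16-le") + b"\x00\x00"
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00SystemBiosVersion\x00notepad.exe\x00"
)

if __name__ == "__main__":
    for category, value in scan(SAMPLE_DUMP).items():
        print(f"{category}: {value}")
```

Run against a real process dump, the same function gives a quick answer to "is this a packer blacklist or a coincidence": a single procmon.exe string is common in installers, six debugger and monitor names next to FindWindow class names is not.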

Mitre Att&ck Matrix

Techniques matched by the signatures above (number of matching signatures in parentheses); the remaining cells of the rendered matrix are unmatched placeholder techniques and are omitted:

Privilege Escalation: Process Injection (2)
Defense Evasion: Virtualization/Sandbox Evasion (33), Software Packing (2), Process Injection (2), Obfuscated Files or Information (1)
Discovery: Security Software Discovery (53), Virtualization/Sandbox Evasion (33), Process Discovery (1), System Information Discovery (2)
Collection: Archive Collected Data (1)

Behavior Graph

Behavior Graph ID: 381569, Sample: AnyDesk (2).exe, Startdate: 03/04/2021, Architecture: WINDOWS, Score: 72

Start -> AnyDesk (2).exe (started) -> conhost.exe (started)

Signatures attached to the start node: Multi AV Scanner detection for submitted file; Tries to detect sandboxes and other dynamic analysis tools (window names); PE file contains section with special chars; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Signatures attached to AnyDesk (2).exe: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
AnyDesk (2).exe | 17% | Virustotal |

Dropped Files, Unpacked PE Files, Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://dreamclient.rip/api/user/auth/ | 0% | Avira URL Cloud | safe
https://dreamclient.rip/api/user/config/ | 0% | Avira URL Cloud | safe
https://dreamclient.rip/ | 0% | Avira URL Cloud | safe
https://dreamclient.rip/HWID | 0% | Avira URL Cloud | safe
https://dreamclient.rip/api/user/config/enabledblockbreakkeybindwhitelistblockhitaimassistrangejitte | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.orgdnsapi.dll#http://cert.int-x3.letsencrypt.org/0Dhttp://cps.root-x1.letsenc | 0% | Avira URL Cloud | safe
https://lithiumclient.wtf/api/download | 0% | Avira URL Cloud | safe

No contacted domains info

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://dreamclient.rip/api/user/auth/ | AnyDesk (2).exe | false | Avira URL Cloud: safe | unknown
https://dreamclient.rip/api/user/config/ | AnyDesk (2).exe | false | Avira URL Cloud: safe | unknown
https://dreamclient.rip/ | AnyDesk (2).exe | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt.org | AnyDesk (2).exe | false | | high
http://cert.int-x3.letsencrypt.org/0D | AnyDesk (2).exe | false | | high
https://dreamclient.rip/HWID | AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.letsencrypt.org | AnyDesk (2).exe | false | | high
https://curl.haxx.se/docs/http-cookies.html | AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | false | | high
https://dreamclient.rip/api/user/config/enabledblockbreakkeybindwhitelistblockhitaimassistrangejitte | AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.letsencrypt.orgdnsapi.dll#http://cert.int-x3.letsencrypt.org/0Dhttp://cps.root-x1.letsenc | AnyDesk (2).exe, 00000000.00000003.205546568.0000017A1CB80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://lithiumclient.wtf/api/download | AnyDesk (2).exe | false | Avira URL Cloud: safe | unknown

None of these URLs was contacted during the run (see Network Behavior). The letsencrypt.org and curl.haxx.se entries are static strings from an embedded libcurl build and a Let's Encrypt certificate chain. The dreamclient.rip endpoints (user auth, HWID, a per-user config whose keys read blockbreak, keybind, whitelist, blockhit, aimassist, range, jitter) and lithiumclient.wtf/api/download are the cheat loader's own backend. The two memory strings that run past the URL are adjacent data glued on by the string extractor, the second one a list of Windows process names (explorer.exe, smartscreen.exe, ctfmon.exe, SearchIndexer.exe, PcaSvc).

No contacted IP infos

          General Information

          Joe Sandbox Version:31.0.0 Emerald
          Analysis ID:381569
          Start date:03.04.2021
          Start time:22:40:19
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 4m 49s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:AnyDesk (2).exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal72.evad.winEXE@2/1@0/0
          EGA Information:Failed
          HDC Information:Failed
          HCA Information:Failed
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
No simulations

No context (Joe Sandbox View: no matching IPs, domains, ASNs, JA3 fingerprints or dropped files)
\Device\ConDrv
Process: C:\Users\user\Desktop\AnyDesk (2).exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 34
Entropy (8bit): 3.9176264438733592
Encrypted: false
SSDEEP: 3:c+F1U8F4vn:dF1U+in
MD5: BE2E0502C0A6B48E474C3C69D7734C19
SHA1: 867608F823A31436D00AD78FECC7DF5108A14B24
SHA-256: DFA8FF25EFC35AFA0E8D7B988868C999CB6CA639DB56DC32415808F5446B0E99
SHA-512: 4C8F3F100DB25A7A90E30B4057A5A8A6A84368BBA6BF14B5C483FF388881C928410CD3C94E5EE807708368321A513BBE20DCCCA87A309AFB1BBF60A13C6CE7AF
Malicious: false
Reputation: low
Preview: Waiting for minecraft to open.....

\Device\ConDrv is the console device, not a file on disk: this "dropped file" is the text the sample wrote to its console (hence the conhost.exe child). Printing it and sleeping was all the sample did before the analysis timed out, which is why the run ended with the idle and sleep-evasion signatures and no network traffic.

          Static File Info

          General

          File type:PE32+ executable (console) x86-64, for MS Windows
          Entropy (8bit):7.966378356211286
          TrID:
          • Win64 Executable Console (202006/5) 92.65%
          • Win64 Executable (generic) (12005/4) 5.51%
          • Generic Win/DOS Executable (2004/3) 0.92%
          • DOS Executable Generic (2002/1) 0.92%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:AnyDesk (2).exe
          File size:5944848
          MD5:0b4ebd7fc0fc37a5f64d5c1ad3247ef8
          SHA1:f5e3587a93a0dd4ddff0d2ca75577f5719763a51
          SHA256:9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb
          SHA512:33abcac9edc9f672a1eaffbe9f9ccb3dab2cdc829548edbf389cde122d49e7c9d407c778c81d26b00ab9ac62a72c3f6700fed14f48812954b4a345e722f74740
          SSDEEP:98304:jw2asSqTc42CcE53Fj5v0JLpzF0cMpc3OUQUchbOAwuMZBBhjEYN4uZCv:EAfl5VtvOpzm6pvchaAFEFfS
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..............y.............................................j...................!...p.......#.......#.........}.....#......

          File Icon

          Icon Hash:00828e8e8686b000

          General

          Entrypoint:0x140a7a1b8
          Entrypoint Section:.boot
          Digitally signed:false
          Imagebase:0x140000000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Time Stamp:0x6068C9A6 [Sat Apr 3 20:01:42 2021 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:a9d14bb684d1f510d1683e48b1f609d3
Entry point disassembly (RVA 0xa7a1b8, section .boot). The image is PE32+, but the listing below is decoded as 32-bit code: every "dec eax", "inc ecx" and "dec ecx" line is a REX prefix (0x48, 0x41, 0x49) of the instruction that follows, so "inc ecx / push edx" is push r10, "dec ecx / mov edx, esp" is mov r10, rsp, and "dec ecx / mov esi, dword ptr [edx+10h]" loads the source pointer from a parameter block at [r10+0x10] (the destination comes from [r10+0x20]). The loop that follows (mov dl, 80h; copy one literal byte; mov ebx, 2; bit reads via add dl, dl / jne / mov dl, [esi] / adc dl, dl; 4-bit and gamma-coded fields assembled with adc eax, eax; sub eax, ebx / mov ebx, 1) is the aPLib decompression routine that packers embed to inflate their payload. The .themida section (virtual size 0x9c4000, raw size 0) is consistent with being the decompression target.

Instruction
          call 00007F3FACC50127h
          inc ecx
          push edx
          dec ecx
          mov edx, esp
          inc ecx
          push edx
          dec ecx
          mov esi, dword ptr [edx+10h]
          dec ecx
          mov edi, dword ptr [edx+20h]
          cld
          mov dl, 80h
          mov al, byte ptr [esi]
          dec eax
          inc esi
          mov byte ptr [edi], al
          dec eax
          inc edi
          mov ebx, 00000002h
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          jnc 00007F3FACC4FF86h
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          jnc 00007F3FACC50000h
          xor eax, eax
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          jnc 00007F3FACC500A8h
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          adc eax, eax
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          adc eax, eax
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          adc eax, eax
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          adc eax, eax
          je 00007F3FACC4FFABh
          push edi
          mov eax, eax
          dec eax
          sub edi, eax
          mov al, byte ptr [edi]
          pop edi
          mov byte ptr [edi], al
          dec eax
          inc edi
          mov ebx, 00000002h
          jmp 00007F3FACC4FF2Ah
          mov eax, 00000001h
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          adc eax, eax
          add dl, dl
          jne 00007F3FACC4FFA9h
          mov dl, byte ptr [esi]
          dec eax
          inc esi
          adc dl, dl
          jc 00007F3FACC4FF88h
          sub eax, ebx
          mov ebx, 00000001h
          jne 00007F3FACC4FFD0h
          mov ecx, 00000001h
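What the stub above does, written out as an added example: a Python aPLib depacker that follows the published aPLib format (the same tag bits, gamma codes and four block kinds as the listing). It is not code from the sample, from Themida or from the aPLib distribution. The packed input is a constructed stream that exercises every block kind (literal, short block, gamma block, repeated offset, single byte, end marker); it is not data from the sample.

```python
"""aPLib depacker (added example; follows the published aPLib format, not
code taken from the sample or from the aPLib package). Tag bits are read
MSB-first from tag bytes fetched on demand, which is what the stub's
'add dl, dl / jne / mov dl, [esi] / adc dl, dl' sequence does."""


class _BitReader:
    def __init__(self, data: bytes):
        self.data, self.pos, self.tag, self.nbits = data, 0, 0, 0

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated aPLib stream")
        b = self.data[self.pos]
        self.pos += 1
        return b

    def bit(self) -> int:
        if self.nbits == 0:                 # tag byte exhausted: fetch the next one (mov dl, [esi])
            self.tag, self.nbits = self.byte(), 8
        self.nbits -= 1
        return (self.tag >> self.nbits) & 1

    def gamma(self) -> int:
        """Value bits interleaved with continue bits; smallest code is 2."""
        value = 1
        while True:
            value = (value << 1) | self.bit()
            if not self.bit():
                return value


def _copy_back(out: bytearray, offs: int, length: int) -> None:
    if offs <= 0 or offs > len(out):
        raise ValueError(f"back-reference {offs} outside the {len(out)} bytes produced so far")
    for _ in range(length):                 # byte-wise so overlapping (run-length) references work
        out.append(out[-offs])


def aplib_depack(src: bytes) -> bytes:
    r = _BitReader(src)
    out = bytearray([r.byte()])             # the first byte is always a literal
    r0, lwm = -1, 0                         # last offset; "last was match" (the stub keeps it in ebx: 2 = literal, 1 = match)
    while True:
        if not r.bit():                     # tag 0: literal byte
            out.append(r.byte())
            lwm = 0
        elif not r.bit():                   # tag 10: gamma-coded offset/length block
            offs = r.gamma()
            if lwm == 0 and offs == 2:      # reuse the previous offset
                offs = r0
                length = r.gamma()
            else:
                offs -= 3 if lwm == 0 else 2
                offs = (offs << 8) | r.byte()
                length = r.gamma()
                if offs >= 32000:
                    length += 1
                if offs >= 1280:
                    length += 1
                if offs < 128:
                    length += 2
                r0 = offs
            _copy_back(out, offs, length)
            lwm = 1
        elif not r.bit():                   # tag 110: 7-bit offset, 1-bit length; offset 0 ends the stream
            b = r.byte()
            offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:
                return bytes(out)
            _copy_back(out, offs, length)
            r0, lwm = offs, 1
        else:                               # tag 111: one byte from a 4-bit offset, or a zero byte
            offs = 0
            for _ in range(4):
                offs = (offs << 1) | r.bit()
            if offs:
                _copy_back(out, offs, 1)
            else:
                out.append(0)
            lwm = 0


# Constructed test stream (not from the sample). Decodes to b"MZMZ!MZMZZ\x00ZMZ":
#   'M' literal; tag 0 -> 'Z'; 110 + 0x04 -> offset 2, length 2; tag 0 -> '!';
#   10 + gamma 3 + 0x05 + gamma 2 -> offset 5, length 4; 111 0001 -> copy 1 byte back;
#   111 0000 -> zero byte; 10 + gamma 2 (repeat offset 5) + gamma 3 -> 3 bytes; 110 + 0x00 -> end.
SAMPLE_PACKED = bytes.fromhex("4d 65 5a 04 21 1c 05 78 45 80 00")

if __name__ == "__main__":
    print(aplib_depack(SAMPLE_PACKED))
```

Pointed at the bytes the stub reads (source from [r10+0x10] once the parameter block is located), this is enough to inflate the first packer layer into the .themida region for static inspection; a broken back-reference raises rather than reading before the start of the output, which is how the C reference behaves too once the offset exceeds the buffer.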
          Programming Language:
          • [IMP] VS2008 SP1 build 30729
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb334c | 0x358 | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb5000 | 0x524 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa6ca20 | 0x5688 | .themida
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfd4000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb4018 | 0x28 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(non-printable) | 0x1000 | 0x84377 | 0x3f1fe | False | 1.00033261396 | data | 7.98367439627 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
(non-printable) | 0x86000 | 0x216ba | 0xdc8f | False | 0.999787471441 | data | 7.96733701388 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(non-printable) | 0xa8000 | 0x2b28 | 0x2a1 | False | 1.01634472511 | data | 7.5505744833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(non-printable) | 0xab000 | 0x52bc | 0x2fa3 | False | 0.952603526035 | data | 7.63645540104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(non-printable) | 0xb1000 | 0x528 | 0x290 | False | 1.01676829268 | data | 7.61941636789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(non-printable) | 0xb2000 | 0x63c | 0x419 | False | 1.01048617731 | data | 7.58669440589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0xb3000 | 0x1000 | 0x800 | False | 0.29736328125 | data | 3.50135557121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0xb4000 | 0x1000 | 0x200 | False | 0.0625 | data | 0.272849765702 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xb5000 | 0x1000 | 0x600 | False | 0.419270833333 | data | 3.838668413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0xb6000 | 0x9c4000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot | 0xa7a000 | 0x559400 | 0x559400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0xfd4000 | 0x1000 | 0x10 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.47460175271 | IMAGE_SCN_MEM_READ
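The static findings in the System Summary (section count, entry point in .boot, unnamed sections, raw size of .boot, writable-and-executable .themida, the svchost.exe name mismatch) can be reproduced from the section table and header fields alone. The script below is an added example, not Joe Sandbox's signature code. The section rows, image base, entry point and version-info name are transcribed from this report; the 10-section and 0x100000 thresholds are the ones the report states; the list of "standard" section names is an assumption. The entropy and ZLIB-complexity helpers are exercised on constructed byte strings because the section bytes themselves are not reproduced on the page.

```python
"""Static PE triage heuristics of the kind this report fires (added
example, not Joe Sandbox code). Section table and header values are
transcribed from the report; the byte-level helpers run on constructed
data since the section contents are not on the page."""
import math
import os
import zlib

IMAGE_BASE = 0x140000000
ENTRY_POINT = 0x140a7a1b8              # image base + AddressOfEntryPoint
ORIGINAL_FILENAME = "svchost.exe"      # from the RT_VERSION resource
SAMPLE_NAME = "AnyDesk (2).exe"

# (name, virtual address, virtual size, raw size, characteristics) as listed in the report.
# Six sections have names made of non-printable bytes; they are represented as "" here.
SECTIONS = [
    ("",         0x001000, 0x084377, 0x03f1fe, "EXECUTE|CODE|READ"),
    ("",         0x086000, 0x0216ba, 0x00dc8f, "INITIALIZED_DATA|READ"),
    ("",         0x0a8000, 0x002b28, 0x0002a1, "INITIALIZED_DATA|WRITE|READ"),
    ("",         0x0ab000, 0x0052bc, 0x002fa3, "INITIALIZED_DATA|READ"),
    ("",         0x0b1000, 0x000528, 0x000290, "INITIALIZED_DATA|READ"),
    ("",         0x0b2000, 0x00063c, 0x000419, "INITIALIZED_DATA|DISCARDABLE|READ"),
    (".imports", 0x0b3000, 0x001000, 0x000800, "INITIALIZED_DATA|WRITE|READ"),
    (".tls",     0x0b4000, 0x001000, 0x000200, "WRITE|READ"),
    (".rsrc",    0x0b5000, 0x001000, 0x000600, "INITIALIZED_DATA|READ"),
    (".themida", 0x0b6000, 0x9c4000, 0x000000, "EXECUTE|INITIALIZED_DATA|WRITE|CODE|READ"),
    (".boot",    0xa7a000, 0x559400, 0x559400, "EXECUTE|INITIALIZED_DATA|CODE|READ"),
    (".reloc",   0xfd4000, 0x001000, 0x000010, "READ"),
]

# Assumption: names a linker normally emits; anything else counts as non-standard.
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".xdata", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".crt", "CODE", "DATA", "BSS"}
MAX_SECTIONS = 10          # report threshold: "Number of sections : 12 > 10"
MAX_RAW_SIZE = 0x100000    # report threshold: "Raw size of .boot is bigger than: 0x100000"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size / original size. At or above 1.0 the data is already
    compressed or encrypted, which is what the report shows for the unnamed sections."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for sec in sections:
        _, va, vsize, rsize, _ = sec
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None


def is_printable_name(name: str) -> bool:
    return bool(name) and all(0x20 < ord(c) < 0x7f for c in name)


def triage(sections, image_base, entry_point, original_filename, sample_name):
    """Return the list of static findings, phrased like the report's signatures."""
    findings = []
    if len(sections) > MAX_SECTIONS:
        findings.append(f"PE file contains more sections than normal: {len(sections)} > {MAX_SECTIONS}")
    ep = section_for_rva(sections, entry_point - image_base)
    ep_name = ep[0] if ep else None
    if ep_name not in (".text", "CODE"):
        findings.append(f"Entry point lies outside standard sections: {ep_name or 'no section'}")
    for name, va, vsize, rsize, chars in sections:
        shown = name or "<non-printable>"
        if not is_printable_name(name):
            findings.append(f"PE file contains section with special chars at RVA {va:#x}")
        elif name not in STANDARD_NAMES:
            findings.append(f"PE file contains section with non-standard name: {name}")
        if rsize > MAX_RAW_SIZE:
            findings.append(f"Raw size of {shown} is bigger than {MAX_RAW_SIZE:#x}: {rsize:#x}")
        if rsize == 0 and vsize > 0:
            findings.append(f"Section {shown} has no raw data but {vsize:#x} bytes virtual size (filled at run time)")
        if "EXECUTE" in chars and "WRITE" in chars:
            findings.append(f"Section {shown} is writable and executable")
    if original_filename.lower() != sample_name.lower():
        findings.append(f"Sample file name differs from version-info OriginalFilename: {sample_name} vs {original_filename}")
    return findings


if __name__ == "__main__":
    for line in triage(SECTIONS, IMAGE_BASE, ENTRY_POINT, ORIGINAL_FILENAME, SAMPLE_NAME):
        print(line)
    # Constructed data, not section bytes from the sample: random bytes behave like the
    # packed sections (entropy near 8, complexity near or above 1); zero-fill does not.
    packed, plain = os.urandom(64 * 1024), bytes(64 * 1024)
    print(f"random: entropy={shannon_entropy(packed):.3f} zlib={zlib_complexity(packed):.4f}")
    print(f"zeros:  entropy={shannon_entropy(plain):.3f} zlib={zlib_complexity(plain):.4f}")
```

With a real file, the same checks are driven from the section headers read by any PE parser; the point of keeping the thresholds visible is that each is a heuristic, and a legitimately packed installer can trip several of them, which is why the report's verdict rests on the evasion behaviour as well.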
Resources
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xb5090 | 0x2fc | data | English | United States
RT_MANIFEST | 0xb539c | 0x188 | XML 1.0 document text | English | United States

Imports
DLL | Import
kernel32.dll | GetModuleHandleA
WS2_32.dll | getsockopt
Normaliz.dll | IdnToAscii
WLDAP32.dll | (no name listed; WLDAP32 exports by ordinal)
CRYPT32.dll | CertAddCertificateContextToStore
ntdll.dll | RtlCaptureContext
USER32.dll | MessageBoxA
ADVAPI32.dll | CryptReleaseContext
SHELL32.dll | ShellExecuteA
MSVCP140.dll | _Xtime_get_ticks
VCRUNTIME140_1.dll | __CxxFrameHandler4
VCRUNTIME140.dll | __std_exception_destroy
api-ms-win-crt-runtime-l1-1-0.dll | system
api-ms-win-crt-stdio-l1-1-0.dll | fsetpos
api-ms-win-crt-filesystem-l1-1-0.dll | _fstat64
api-ms-win-crt-convert-l1-1-0.dll | strtoull
api-ms-win-crt-environment-l1-1-0.dll | getenv
api-ms-win-crt-math-l1-1-0.dll | ceil
api-ms-win-crt-string-l1-1-0.dll | _strdup
api-ms-win-crt-utility-l1-1-0.dll | rand
api-ms-win-crt-heap-l1-1-0.dll | malloc
api-ms-win-crt-time-l1-1-0.dll | _time64
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale

Exactly one import per DLL is the import table a Themida-protected binary keeps: it makes the loader map every DLL the original program needs, while the packer stub resolves the real imports at run time (the IAT data directory above is empty). The DLL set (WS2_32, CRYPT32, Normaliz, WLDAP32, MSVCP140/VCRUNTIME140) is what a statically linked libcurl in a Visual C++ 2015 or later build pulls in, consistent with the curl.haxx.se string; the [IMP] VS2008 guess above is derived from this stub import table and does not reflect the payload's compiler. The import hash a9d14bb684d1f510d1683e48b1f609d3 therefore identifies the packer's import table, not the payload.

Version Information
Description | Data
LegalCopyright | Copyright (C) 2019
InternalName | svchost.exe
FileVersion | 10.0.17134.556
ProductName | Microsoft Windows Operating System
ProductVersion | 10.0.17134.556
FileDescription | Host Process for Windows Services
OriginalFilename | svchost.exe
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken
English | United States

The version resource is copied from Microsoft's svchost.exe (Windows 10 build 17134.556), but the file is not digitally signed and its PDB path names a Visual C++ project called dream-crack; the mismatch with the on-disk name is what the "Sample file is different than original file name gathered from version info" signature flags.

          Network Behavior

          No network behavior found

Statistics

CPU and memory usage over the run (0 to 100 s): graphs not reproduced; the sample stayed near idle, consistent with the "Program does not show much activity (idle)" signature.

High Level Behavior Distribution

  • File
  • Registry

System Behavior

Process: C:\Users\user\Desktop\AnyDesk (2).exe
Start time: 22:41:05
Start date: 03/04/2021
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\AnyDesk (2).exe'
Imagebase: 0x7ff748d00000 (relocated by ASLR from the static image base 0x140000000, as the DYNAMIC_BASE and HIGH_ENTROPY_VA flags allow; the .reloc section holds the 0x10 bytes of relocations the stub needs)
File size: 5944848 bytes
MD5 hash: 0B4EBD7FC0FC37A5F64D5C1AD3247EF8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Process: C:\Windows\System32\conhost.exe
Start time: 22:41:06
Start date: 03/04/2021
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
