Edit tour
Windows
Analysis Report
AnyDesk.exe
Overview
General Information
| Sample Name: | AnyDesk.exe |
| Analysis ID: | 681579 |
| MD5: | 36d6be2d72171c741e2989a578011cd8 |
| SHA1: | a1d46b3c7418d8d29208f352e27f5c9af62006e9 |
| SHA256: | 7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494 |
| Infos: | |
 | |
Detection
| Score: | 72 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file does not import any functions
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Classification
- System is w10x64
AnyDesk.exe (PID: 5716 cmdline: "C:\Users\ user\Deskt op\AnyDesk .exe" MD5: 36D6BE2D72171C741E2989A578011CD8) - AnyDesk.exe (PID: 2612 cmdline:
"C:\Users\ user\Deskt op\AnyDesk .exe" --lo cal-servic e MD5: 36D6BE2D72171C741E2989A578011CD8) - AnyDesk.exe (PID: 1272 cmdline:
"C:\Users\ user\Deskt op\AnyDesk .exe" --lo cal-contro l MD5: 36D6BE2D72171C741E2989A578011CD8)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | JA3 fingerprint: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_3_044E5409 | |
| Source: | Code function: | 4_2_01282DFD | |
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Binary or memory string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation |   |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Unpacked PE file: | ||
| Source: | Code function: | 4_2_017F49C8 | |
| Source: | Code function: | 4_2_01803007 | |
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File opened: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | WMI Queries: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 4_2_017F343D | |
| Source: | Code function: | 4_2_01803007 | |
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Code function: | 4_2_017F343D | |
| Source: | Code function: | 4_2_017FC239 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Registry key value queried: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Code function: | 4_2_016E5400 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 511 Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Masquerading | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 12 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 421 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 331 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Process Injection | NTDS | 331 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 224 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | Metadefender | Browse | ||
| 2% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| boot.net.anydesk.com | 92.223.88.7 | true | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| low | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 88.198.34.103 | unknown | Germany | 24940 | HETZNER-ASDE | false | |
| 92.223.88.7 | boot.net.anydesk.com | Austria | 199524 | GCOREAT | false | |
| 92.223.88.41 | unknown | Austria | 199524 | GCOREAT | false | |
| 195.181.174.174 | unknown | United Kingdom | 60068 | CDN77GB | false | |
| 49.12.130.237 | unknown | Germany | 24940 | HETZNER-ASDE | false | |
| 185.229.191.39 | unknown | Czech Republic | 60068 | CDN77GB | false | |
| 195.181.174.167 | unknown | United Kingdom | 60068 | CDN77GB | false |
| IP |
|---|
| 192.168.2.1 |
| Joe Sandbox Version: | 35.0.0 Citrine |
| Analysis ID: | 681579 |
| Start date and time: | 2022-08-10 11:01:59 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 9m 23s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | AnyDesk.exe |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 28 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal72.evad.winEXE@5/6@12/8 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 23.211.6.115
- Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
- Execution Graph export aborted for target AnyDesk.exe, PID 5716 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 11:03:18 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 88.198.34.103 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 92.223.88.7 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 92.223.88.41 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 195.181.174.174 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 49.12.130.237 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| boot.net.anydesk.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| HETZNER-ASDE | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| GCOREAT | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| c91bde19008eefabce276152ccd51457 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
⊘No context
| Process: | C:\Users\user\Desktop\AnyDesk.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2766 |
| Entropy (8bit): | 6.014084362695362 |
| Encrypted: | false |
| SSDEEP: | 48:uISTi9UwiKGggL1tsPx0k9N8rTvj6yOgUTr6zg9PP0vY2emZ22bUT7H4L6ZCI4/L:uISTiZiKGggZ6PSeNUTveTHTr6z+PsQy |
| MD5: | 506E0CF72F3227C1096093A518EB28A5 |
| SHA1: | 29ACB18A1D598ACC827B290B743573CA681A227F |
| SHA-256: | 94678680465A25A7C345CD6B72DED29ECD79159AE0E704E52098FB96E7FFA74B |
| SHA-512: | 73CCF63AE4BA2BEEFAB3CFBDF374573EC923494F0AE82257C63321A48548C16D5BAEF7C08519BA0AB17D50579B6B8C424577103CEB86AF425623C6D59FE13DEA |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\AnyDesk.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 395 |
| Entropy (8bit): | 4.534770156613101 |
| Encrypted: | false |
| SSDEEP: | 6:owvUZEAfQnBXaqQAmvbahOmQgRQUQgRQPYQgRQOYQgfxPZxi3B6QgfxPg3qg3B6g:oRZpPqQHvWhOLroBGgFBGA |
| MD5: | FE1021BDE85DB853D43688FA543C6311 |
| SHA1: | 62CBB936CF93D95C81F6B83EA2B54BFE4AE9DA00 |
| SHA-256: | 29DFE9C68EA6C5E7EF8F0F337BA41E6821C53865F0F1F0F626486C349F57E8D0 |
| SHA-512: | 7A2F1668E9BF8560F37DE5D2406403B34F769F583BD769CB26E1C290A882CE497898401B4928D306B9B5F90A176B3D833E351C9DE5C13E4944740424382F1D8E |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\AnyDesk.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1304 |
| Entropy (8bit): | 4.715271799370542 |
| Encrypted: | false |
| SSDEEP: | 24:snKn2XZ6KdG0WQ6LiMRyvenKn2Xrn3acWy7RDJ5lQ1LReS/k6:snEK+DLitven33ajsLlOLc0 |
| MD5: | 136A9B33E7FC051174C80155FD7377B2 |
| SHA1: | BE65E833B2CAF26870055CB99DEFB2C45986D4ED |
| SHA-256: | 681D0F76796123302B838807EA132857E39D1126D835B1B67082D1665A098409 |
| SHA-512: | DFE90643DF802CDE6859B81869D881A296FD9C761F10EE8BF05A16203C46DDA4FFA772078B1C933FF27147268AF637A5007CE1DB6890118481ED43CAE2807A55 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (copy)
Download File
| Process: | C:\Users\user\Desktop\AnyDesk.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3202 |
| Entropy (8bit): | 3.234233068951343 |
| Encrypted: | false |
| SSDEEP: | 24:AwnpbrEAd9mEsOpMcWoymPwnpbrEAdEnIsOpM+BjDymU:dpnTd9rsmMZoyRpnTdyIsmM+NyH |
| MD5: | 675595A8A3D533ECFFF229F29DCE2135 |
| SHA1: | F184BB5852658A3638CF1058F050ABEF29B56A5F |
| SHA-256: | 40CDD48F1471F03C895B96285C51224AE96A4CBF1F658D016426BCC92506E8F2 |
| SHA-512: | ED35297E85462AD3EF6820F6B40FBFD1DD57B63D46212BF5147376F2E4E3E39BDC41A0FCB61A8A7D5837A2FD4F8A46BD7F397C2CCB7F3AAFA39C379F68C4DA82 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHJWA8656ZX7SMIVXTPF.temp
Download File
| Process: | C:\Users\user\Desktop\AnyDesk.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3202 |
| Entropy (8bit): | 3.234233068951343 |
| Encrypted: | false |
| SSDEEP: | 24:AwnpbrEAd9mEsOpMcWoymPwnpbrEAdEnIsOpM+BjDymU:dpnTd9rsmMZoyRpnTdyIsmM+NyH |
| MD5: | 675595A8A3D533ECFFF229F29DCE2135 |
| SHA1: | F184BB5852658A3638CF1058F050ABEF29B56A5F |
| SHA-256: | 40CDD48F1471F03C895B96285C51224AE96A4CBF1F658D016426BCC92506E8F2 |
| SHA-512: | ED35297E85462AD3EF6820F6B40FBFD1DD57B63D46212BF5147376F2E4E3E39BDC41A0FCB61A8A7D5837A2FD4F8A46BD7F397C2CCB7F3AAFA39C379F68C4DA82 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S8FAV3SVMYENR819RW5P.temp
Download File
| Process: | C:\Users\user\Desktop\AnyDesk.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3202 |
| Entropy (8bit): | 3.229809334711375 |
| Encrypted: | false |
| SSDEEP: | 24:LnpbrEAd9mEsOpMcWoym2npbrEAdEnIsOpM+BjDymU:jpnTd9rsmMZoyXpnTdyIsmM+NyH |
| MD5: | 4E79C142254BF474FFA427E972BBEFB6 |
| SHA1: | 51A1E7C3F5608A8301C9066EB904B2A24A2E9E98 |
| SHA-256: | A35BD8AD93DFA8E116909BF9F98B1C601D39E4C068F09CCCD8E402E36F2640D4 |
| SHA-512: | AA87E875F4DEAC7B753B03B3875B406F7F4B7B759A11422B09EE30438A028A3790CF39A3F320167319976C88121B233664E03A0D9ED9A38C8D62B6F92D88B991 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.999018806477609 |
| TrID: |
|
| File name: | AnyDesk.exe |
| File size: | 3852912 |
| MD5: | 36d6be2d72171c741e2989a578011cd8 |
| SHA1: | a1d46b3c7418d8d29208f352e27f5c9af62006e9 |
| SHA256: | 7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494 |
| SHA512: | b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659 |
| SSDEEP: | 98304:Agps0DrlKJ+vUYhWlO8M2xT6pX2fvnY8nIoVgUrWLHJi:VwJ6b58M5pWnY6Io3WM |
| TLSH: | 72063332F7C89272E87702785352FB2111E1ADDD9D302A521DB1FA81D2B77312E2BD66 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L......b.........."......*...Z:..d......... |
 | |
| Icon Hash: | 499669d8d82916a8 |
| Entrypoint: | 0x401ce9 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x62CDC685 [Tue Jul 12 19:07:49 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: |
| Signature Valid: | false |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The certificate is not valid for the requested usage |
| Error Number: | -2146762480 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | EAE713DFC05244CF4301BF1C9F68B1BE |
| Thumbprint SHA-1: | 9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE |
| Thumbprint SHA-256: | 9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF |
| Serial: | 0DBF152DEAF0B981A8A938D53F769DB8 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 64h |
| push esi |
| lea ecx, dword ptr [ebp-64h] |
| call 00007EFE789A4403h |
| lea eax, dword ptr [ebp-64h] |
| mov ecx, eax |
| mov dword ptr [0138C260h], eax |
| call 00007EFE789A42C1h |
| test al, al |
| jne 00007EFE789A4A24h |
| mov esi, 000003E8h |
| lea ecx, dword ptr [ebp-64h] |
| call 00007EFE789A42AFh |
| mov eax, esi |
| pop esi |
| leave |
| ret |
| lea eax, dword ptr [ebp-64h] |
| push eax |
| lea ecx, dword ptr [ebp-30h] |
| call 00007EFE789A40E3h |
| lea eax, dword ptr [ebp-30h] |
| mov ecx, eax |
| mov dword ptr [0138C264h], eax |
| call 00007EFE789A407Bh |
| test al, al |
| jne 00007EFE789A4A21h |
| lea ecx, dword ptr [ebp-30h] |
| call 00007EFE789A4060h |
| mov esi, 000003E9h |
| jmp 00007EFE789A49D7h |
| cmp dword ptr [ebp-10h], 00000000h |
| je 00007EFE789A4A1Ah |
| push 00000800h |
| call dword ptr [ebp-10h] |
| cmp dword ptr [ebp-0Ch], 00000000h |
| je 00007EFE789A4A1Ah |
| push 00008001h |
| call dword ptr [ebp-0Ch] |
| lea eax, dword ptr [ebp-64h] |
| push eax |
| lea esi, dword ptr [ebp-30h] |
| call 00007EFE789A4965h |
| pop ecx |
| mov esi, eax |
| push esi |
| call dword ptr [ebp-20h] |
| lea ecx, dword ptr [ebp-30h] |
| call 00007EFE789A4022h |
| jmp 00007EFE789A499Eh |
| mov edx, dword ptr [esp+04h] |
| push ebx |
| mov ebx, dword ptr [esp+10h] |
| push esi |
| xor esi, esi |
| test ebx, ebx |
| je 00007EFE789A4A41h |
| push edi |
| mov edi, dword ptr [esp+14h] |
| sub edi, 0138C268h |
| imul edx, edx, 0019660Dh |
| add edx, 3C6EF35Fh |
| mov eax, edx |
| shr eax, 0Ch |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8d000 | 0x4850 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3a8400 | 0x4670 | .itext |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf92000 | 0x84 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbeb000 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2835 | 0x2a00 | False | 0.5950520833333334 | data | 6.507732863684148 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x4000 | 0xbe6400 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xbeb000 | 0x2fa | 0x400 | False | 0.7255859375 | data | 5.64420370541003 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbec000 | 0x3a066c | 0x3a0400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xf8d000 | 0x4850 | 0x4a00 | False | 0.5122994087837838 | data | 6.015480647653813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xf92000 | 0x300 | 0x400 | False | 0.1455078125 | data | 1.181265380704217 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xf8d280 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0xf8ee10 | 0x668 | dBase III DBT, version number 0, next free block index 40 | English | United States |
| RT_ICON | 0xf8f478 | 0x2e8 | data | English | United States |
| RT_ICON | 0xf8f760 | 0x1e8 | data | English | United States |
| RT_ICON | 0xf8f948 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_ICON | 0xf8fac0 | 0x10a8 | data | English | United States |
| RT_ICON | 0xf90b68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_GROUP_ICON | 0xf8fa70 | 0x4c | data | English | United States |
| RT_GROUP_ICON | 0xf90fd0 | 0x22 | data | English | United States |
| RT_VERSION | 0xf90ff8 | 0x250 | data | English | United States |
| RT_MANIFEST | 0xf91248 | 0x606 | XML 1.0 document, ASCII text | English | United States |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 10, 2022 11:03:18.663152933 CEST | 49748 | 443 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:18.663203001 CEST | 443 | 49748 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:18.663361073 CEST | 49748 | 443 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:18.664983034 CEST | 49748 | 443 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:18.664994001 CEST | 443 | 49748 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:18.733283043 CEST | 443 | 49748 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:18.733417988 CEST | 49748 | 443 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:18.739469051 CEST | 49748 | 443 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:18.739490986 CEST | 443 | 49748 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:18.739732027 CEST | 443 | 49748 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:18.739820957 CEST | 49748 | 443 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.010195017 CEST | 49748 | 443 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.071468115 CEST | 49749 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.102004051 CEST | 80 | 49749 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.102226019 CEST | 49749 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.103179932 CEST | 49749 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.131860018 CEST | 80 | 49749 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.134135962 CEST | 80 | 49749 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.134179115 CEST | 80 | 49749 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.136061907 CEST | 49749 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.147520065 CEST | 49749 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.176630974 CEST | 80 | 49749 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.176675081 CEST | 80 | 49749 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.176789045 CEST | 49749 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.441553116 CEST | 49749 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:19.469671011 CEST | 49750 | 6568 | 192.168.2.3 | 92.223.88.41 |
| Aug 10, 2022 11:03:19.470415115 CEST | 80 | 49749 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.498716116 CEST | 6568 | 49750 | 92.223.88.41 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.498868942 CEST | 49750 | 6568 | 192.168.2.3 | 92.223.88.41 |
| Aug 10, 2022 11:03:19.505413055 CEST | 49750 | 6568 | 192.168.2.3 | 92.223.88.41 |
| Aug 10, 2022 11:03:19.534142971 CEST | 6568 | 49750 | 92.223.88.41 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.536046028 CEST | 6568 | 49750 | 92.223.88.41 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.536088943 CEST | 6568 | 49750 | 92.223.88.41 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.536164999 CEST | 49750 | 6568 | 192.168.2.3 | 92.223.88.41 |
| Aug 10, 2022 11:03:19.551502943 CEST | 49750 | 6568 | 192.168.2.3 | 92.223.88.41 |
| Aug 10, 2022 11:03:19.580459118 CEST | 6568 | 49750 | 92.223.88.41 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.580495119 CEST | 6568 | 49750 | 92.223.88.41 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.580651999 CEST | 49750 | 6568 | 192.168.2.3 | 92.223.88.41 |
| Aug 10, 2022 11:03:19.756747961 CEST | 49750 | 6568 | 192.168.2.3 | 92.223.88.41 |
| Aug 10, 2022 11:03:19.786391020 CEST | 6568 | 49750 | 92.223.88.41 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.768785954 CEST | 49751 | 443 | 192.168.2.3 | 88.198.34.103 |
| Aug 10, 2022 11:03:24.768851995 CEST | 443 | 49751 | 88.198.34.103 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.769110918 CEST | 49751 | 443 | 192.168.2.3 | 88.198.34.103 |
| Aug 10, 2022 11:03:24.770359993 CEST | 49751 | 443 | 192.168.2.3 | 88.198.34.103 |
| Aug 10, 2022 11:03:24.770420074 CEST | 443 | 49751 | 88.198.34.103 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.822004080 CEST | 443 | 49751 | 88.198.34.103 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.822105885 CEST | 49751 | 443 | 192.168.2.3 | 88.198.34.103 |
| Aug 10, 2022 11:03:24.822948933 CEST | 49751 | 443 | 192.168.2.3 | 88.198.34.103 |
| Aug 10, 2022 11:03:24.822968006 CEST | 443 | 49751 | 88.198.34.103 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.823340893 CEST | 443 | 49751 | 88.198.34.103 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.823573112 CEST | 49751 | 443 | 192.168.2.3 | 88.198.34.103 |
| Aug 10, 2022 11:03:24.926590919 CEST | 49751 | 443 | 192.168.2.3 | 88.198.34.103 |
| Aug 10, 2022 11:03:24.968343019 CEST | 49752 | 80 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:24.986150980 CEST | 80 | 49752 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.986402988 CEST | 49752 | 80 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:24.996462107 CEST | 49752 | 80 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:25.014334917 CEST | 80 | 49752 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.016727924 CEST | 80 | 49752 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.016745090 CEST | 80 | 49752 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.016876936 CEST | 49752 | 80 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:25.033684015 CEST | 49752 | 80 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:25.051698923 CEST | 80 | 49752 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.051723957 CEST | 80 | 49752 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.051871061 CEST | 49752 | 80 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:25.200220108 CEST | 49752 | 80 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:25.218249083 CEST | 80 | 49752 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.228688002 CEST | 49753 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:25.259516954 CEST | 6568 | 49753 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.259649038 CEST | 49753 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:25.283776045 CEST | 49753 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:25.314125061 CEST | 6568 | 49753 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.315670967 CEST | 6568 | 49753 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.315695047 CEST | 6568 | 49753 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.315787077 CEST | 49753 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:25.326988935 CEST | 49753 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:25.356419086 CEST | 6568 | 49753 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.356460094 CEST | 6568 | 49753 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.356530905 CEST | 49753 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:25.578869104 CEST | 49753 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:25.607850075 CEST | 6568 | 49753 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.070823908 CEST | 49770 | 443 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:42.070874929 CEST | 443 | 49770 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.070998907 CEST | 49770 | 443 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:42.071688890 CEST | 49770 | 443 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:42.071717024 CEST | 443 | 49770 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.115318060 CEST | 443 | 49770 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.115468979 CEST | 49770 | 443 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:42.116590977 CEST | 49770 | 443 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:42.116610050 CEST | 443 | 49770 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.116902113 CEST | 443 | 49770 | 195.181.174.167 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.116976976 CEST | 49770 | 443 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:42.333893061 CEST | 49770 | 443 | 192.168.2.3 | 195.181.174.167 |
| Aug 10, 2022 11:03:42.359267950 CEST | 49772 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.387742043 CEST | 80 | 49772 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.387844086 CEST | 49772 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.388772011 CEST | 49772 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.417179108 CEST | 80 | 49772 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.419596910 CEST | 80 | 49772 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.419622898 CEST | 80 | 49772 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.419758081 CEST | 49772 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.430921078 CEST | 49772 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.459448099 CEST | 80 | 49772 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.459510088 CEST | 80 | 49772 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.459654093 CEST | 49772 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.615886927 CEST | 49772 | 80 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.644423008 CEST | 49773 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.645272970 CEST | 80 | 49772 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.673326969 CEST | 6568 | 49773 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.673826933 CEST | 49773 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.680664062 CEST | 49773 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.709342957 CEST | 6568 | 49773 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.711246014 CEST | 6568 | 49773 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.711302996 CEST | 6568 | 49773 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.712744951 CEST | 49773 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.724056005 CEST | 49773 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.752966881 CEST | 6568 | 49773 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.752988100 CEST | 6568 | 49773 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.753515959 CEST | 49773 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.908039093 CEST | 49773 | 6568 | 192.168.2.3 | 92.223.88.7 |
| Aug 10, 2022 11:03:42.936788082 CEST | 6568 | 49773 | 92.223.88.7 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.339584112 CEST | 49823 | 443 | 192.168.2.3 | 49.12.130.237 |
| Aug 10, 2022 11:04:35.339623928 CEST | 443 | 49823 | 49.12.130.237 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.339699984 CEST | 49823 | 443 | 192.168.2.3 | 49.12.130.237 |
| Aug 10, 2022 11:04:35.340399027 CEST | 49823 | 443 | 192.168.2.3 | 49.12.130.237 |
| Aug 10, 2022 11:04:35.340415001 CEST | 443 | 49823 | 49.12.130.237 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.393769979 CEST | 443 | 49823 | 49.12.130.237 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.393892050 CEST | 49823 | 443 | 192.168.2.3 | 49.12.130.237 |
| Aug 10, 2022 11:04:35.394984007 CEST | 49823 | 443 | 192.168.2.3 | 49.12.130.237 |
| Aug 10, 2022 11:04:35.394998074 CEST | 443 | 49823 | 49.12.130.237 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.395317078 CEST | 443 | 49823 | 49.12.130.237 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.395879984 CEST | 49823 | 443 | 192.168.2.3 | 49.12.130.237 |
| Aug 10, 2022 11:04:35.548629999 CEST | 49823 | 443 | 192.168.2.3 | 49.12.130.237 |
| Aug 10, 2022 11:04:35.574713945 CEST | 49824 | 80 | 192.168.2.3 | 185.229.191.39 |
| Aug 10, 2022 11:04:35.599663973 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.602632999 CEST | 49824 | 80 | 192.168.2.3 | 185.229.191.39 |
| Aug 10, 2022 11:04:35.603570938 CEST | 49824 | 80 | 192.168.2.3 | 185.229.191.39 |
| Aug 10, 2022 11:04:35.628483057 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.630844116 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.630954981 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.631042004 CEST | 49824 | 80 | 192.168.2.3 | 185.229.191.39 |
| Aug 10, 2022 11:04:35.643179893 CEST | 49824 | 80 | 192.168.2.3 | 185.229.191.39 |
| Aug 10, 2022 11:04:35.668104887 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.668128967 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.668144941 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.668221951 CEST | 49824 | 80 | 192.168.2.3 | 185.229.191.39 |
| Aug 10, 2022 11:04:35.834166050 CEST | 49824 | 80 | 192.168.2.3 | 185.229.191.39 |
| Aug 10, 2022 11:04:35.859061956 CEST | 80 | 49824 | 185.229.191.39 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.861644030 CEST | 49825 | 6568 | 192.168.2.3 | 195.181.174.174 |
| Aug 10, 2022 11:04:35.879740953 CEST | 6568 | 49825 | 195.181.174.174 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.879865885 CEST | 49825 | 6568 | 192.168.2.3 | 195.181.174.174 |
| Aug 10, 2022 11:04:35.881006956 CEST | 49825 | 6568 | 192.168.2.3 | 195.181.174.174 |
| Aug 10, 2022 11:04:35.900290966 CEST | 6568 | 49825 | 195.181.174.174 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.902108908 CEST | 6568 | 49825 | 195.181.174.174 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.902151108 CEST | 6568 | 49825 | 195.181.174.174 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.902244091 CEST | 49825 | 6568 | 192.168.2.3 | 195.181.174.174 |
| Aug 10, 2022 11:04:35.918519974 CEST | 49825 | 6568 | 192.168.2.3 | 195.181.174.174 |
| Aug 10, 2022 11:04:35.936517000 CEST | 6568 | 49825 | 195.181.174.174 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.936551094 CEST | 6568 | 49825 | 195.181.174.174 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.936649084 CEST | 49825 | 6568 | 192.168.2.3 | 195.181.174.174 |
| Aug 10, 2022 11:04:36.126636982 CEST | 49825 | 6568 | 192.168.2.3 | 195.181.174.174 |
| Aug 10, 2022 11:04:36.144623041 CEST | 6568 | 49825 | 195.181.174.174 | 192.168.2.3 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 10, 2022 11:03:18.599575043 CEST | 57421 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:18.618748903 CEST | 53 | 57421 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.017834902 CEST | 65358 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:19.038065910 CEST | 53 | 65358 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:19.447402954 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:19.466522932 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.605710983 CEST | 53802 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:24.622828960 CEST | 53 | 53802 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:24.946160078 CEST | 65266 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:24.965172052 CEST | 53 | 65266 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:25.206053019 CEST | 63332 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:25.225737095 CEST | 53 | 63332 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:41.884808064 CEST | 63146 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:41.903934002 CEST | 53 | 63146 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.339848995 CEST | 58625 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:42.356637955 CEST | 53 | 58625 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:03:42.622601986 CEST | 52810 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:03:42.642338037 CEST | 53 | 52810 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.316668987 CEST | 64941 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:04:35.336699963 CEST | 53 | 64941 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.555313110 CEST | 55403 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:04:35.572448015 CEST | 53 | 55403 | 8.8.8.8 | 192.168.2.3 |
| Aug 10, 2022 11:04:35.840281010 CEST | 54960 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 10, 2022 11:04:35.859107018 CEST | 53 | 54960 | 8.8.8.8 | 192.168.2.3 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Aug 10, 2022 11:03:18.599575043 CEST | 192.168.2.3 | 8.8.8.8 | 0x8dfd | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:19.017834902 CEST | 192.168.2.3 | 8.8.8.8 | 0xfca6 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:19.447402954 CEST | 192.168.2.3 | 8.8.8.8 | 0xac4 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:24.605710983 CEST | 192.168.2.3 | 8.8.8.8 | 0x1ce6 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:24.946160078 CEST | 192.168.2.3 | 8.8.8.8 | 0x304e | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:25.206053019 CEST | 192.168.2.3 | 8.8.8.8 | 0x715c | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:41.884808064 CEST | 192.168.2.3 | 8.8.8.8 | 0xf0c0 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:42.339848995 CEST | 192.168.2.3 | 8.8.8.8 | 0x19ad | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:03:42.622601986 CEST | 192.168.2.3 | 8.8.8.8 | 0x90bf | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:04:35.316668987 CEST | 192.168.2.3 | 8.8.8.8 | 0x80d2 | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:04:35.555313110 CEST | 192.168.2.3 | 8.8.8.8 | 0xd8ff | Standard query (0) | A (IP address) | IN (0x0001) | |
| Aug 10, 2022 11:04:35.840281010 CEST | 192.168.2.3 | 8.8.8.8 | 0x492a | Standard query (0) | A (IP address) | IN (0x0001) |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Aug 10, 2022 11:03:18.618748903 CEST | 8.8.8.8 | 192.168.2.3 | 0x8dfd | No error (0) | 92.223.88.7 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:19.038065910 CEST | 8.8.8.8 | 192.168.2.3 | 0xfca6 | No error (0) | 92.223.88.7 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:19.466522932 CEST | 8.8.8.8 | 192.168.2.3 | 0xac4 | No error (0) | 92.223.88.41 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:24.622828960 CEST | 8.8.8.8 | 192.168.2.3 | 0x1ce6 | No error (0) | 88.198.34.103 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:24.965172052 CEST | 8.8.8.8 | 192.168.2.3 | 0x304e | No error (0) | 195.181.174.167 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:25.225737095 CEST | 8.8.8.8 | 192.168.2.3 | 0x715c | No error (0) | 92.223.88.7 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:41.903934002 CEST | 8.8.8.8 | 192.168.2.3 | 0xf0c0 | No error (0) | 195.181.174.167 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:42.356637955 CEST | 8.8.8.8 | 192.168.2.3 | 0x19ad | No error (0) | 92.223.88.7 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:03:42.642338037 CEST | 8.8.8.8 | 192.168.2.3 | 0x90bf | No error (0) | 92.223.88.7 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:04:35.336699963 CEST | 8.8.8.8 | 192.168.2.3 | 0x80d2 | No error (0) | 49.12.130.237 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:04:35.572448015 CEST | 8.8.8.8 | 192.168.2.3 | 0xd8ff | No error (0) | 185.229.191.39 | A (IP address) | IN (0x0001) | ||
| Aug 10, 2022 11:04:35.859107018 CEST | 8.8.8.8 | 192.168.2.3 | 0x492a | No error (0) | 195.181.174.174 | A (IP address) | IN (0x0001) |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.3 | 49749 | 92.223.88.7 | 80 | C:\Users\user\Desktop\AnyDesk.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 10, 2022 11:03:19.103179932 CEST | 1027 | OUT | |
| Aug 10, 2022 11:03:19.134135962 CEST | 1029 | IN | |
| Aug 10, 2022 11:03:19.134179115 CEST | 1030 | IN | |
| Aug 10, 2022 11:03:19.147520065 CEST | 1031 | OUT | |
| Aug 10, 2022 11:03:19.176630974 CEST | 1031 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.3 | 49752 | 195.181.174.167 | 80 | C:\Users\user\Desktop\AnyDesk.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 10, 2022 11:03:24.996462107 CEST | 1041 | OUT | |
| Aug 10, 2022 11:03:25.016727924 CEST | 1043 | IN | |
| Aug 10, 2022 11:03:25.016745090 CEST | 1044 | IN | |
| Aug 10, 2022 11:03:25.033684015 CEST | 1045 | OUT | |
| Aug 10, 2022 11:03:25.051698923 CEST | 1045 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 2 | 192.168.2.3 | 49772 | 92.223.88.7 | 80 | C:\Users\user\Desktop\AnyDesk.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 10, 2022 11:03:42.388772011 CEST | 1260 | OUT | |
| Aug 10, 2022 11:03:42.419596910 CEST | 1262 | IN | |
| Aug 10, 2022 11:03:42.419622898 CEST | 1263 | IN | |
| Aug 10, 2022 11:03:42.430921078 CEST | 1264 | OUT | |
| Aug 10, 2022 11:03:42.459448099 CEST | 1265 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 3 | 192.168.2.3 | 49824 | 185.229.191.39 | 80 | C:\Users\user\Desktop\AnyDesk.exe |
| Timestamp | kBytes transferred | Direction | Data |
|---|---|---|---|
| Aug 10, 2022 11:04:35.603570938 CEST | 7810 | OUT | |
| Aug 10, 2022 11:04:35.630844116 CEST | 7811 | IN | |
| Aug 10, 2022 11:04:35.630954981 CEST | 7812 | IN | |
| Aug 10, 2022 11:04:35.643179893 CEST | 7813 | OUT | |
| Aug 10, 2022 11:04:35.668128967 CEST | 7814 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:02:59 |
| Start date: | 10/08/2022 |
| Path: | C:\Users\user\Desktop\AnyDesk.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1280000 |
| File size: | 3852912 bytes |
| MD5 hash: | 36D6BE2D72171C741E2989A578011CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Target ID: | 4 |
| Start time: | 11:03:05 |
| Start date: | 10/08/2022 |
| Path: | C:\Users\user\Desktop\AnyDesk.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1280000 |
| File size: | 3852912 bytes |
| MD5 hash: | 36D6BE2D72171C741E2989A578011CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Target ID: | 5 |
| Start time: | 11:03:06 |
| Start date: | 10/08/2022 |
| Path: | C:\Users\user\Desktop\AnyDesk.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1280000 |
| File size: | 3852912 bytes |
| MD5 hash: | 36D6BE2D72171C741E2989A578011CD8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
Function 044E5409 Relevance: .4, Instructions: 360COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016E5400 Relevance: 61.5, APIs: 20, Strings: 15, Instructions: 280filesynchronizationtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016A0720 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016F6BA0 Relevance: 7.5, APIs: 5, Instructions: 44comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 012819FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01281000 Relevance: 1.6, APIs: 1, Instructions: 107memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 017F978A Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01281E47 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 01281E30 Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 017FC239 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0149F0E0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 61libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 016F93C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |