Edit tour

Windows Analysis Report
92f25a21-b9c1-4aee-af3e-cacf098605e9

Overview

General Information

Sample Name:	92f25a21-b9c1-4aee-af3e-cacf098605e9
Analysis ID:	840831
MD5:	2621b754576047a6e94acbf1dd4fe0ef
SHA1:	246f36118c53ac7421518dbc9bb4259128f3c417
SHA256:	109b03ffc45231e5a4c8805a10926492890f7b568f8a93abe1fa495b4bd42975
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	18
Range:	0 - 100

Signatures

Detected unpacking (changes PE section rights)

Changes security center settings (notifications, updates, antivirus, firewall)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Drops certificate files (DER)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

EXE planting / hijacking vulnerabilities found

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

PE file does not import any functions

DLL planting / hijacking vulnerabilities found

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Adds / modifies Windows certificates

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Creates a start menu entry (Start Menu\Programs\Startup)

Enables security privileges

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64_ra

92f25a21-b9c1-4aee-af3e-cacf098605e9.exe (PID: 6320 cmdline: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe MD5: 2621B754576047A6E94ACBF1DD4FE0EF)

92f25a21-b9c1-4aee-af3e-cacf098605e9.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --local-service MD5: 2621B754576047A6E94ACBF1DD4FE0EF)

92f25a21-b9c1-4aee-af3e-cacf098605e9.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --local-control MD5: 2621B754576047A6E94ACBF1DD4FE0EF)

92f25a21-b9c1-4aee-af3e-cacf098605e9.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-auto --svc-conf "C:\Users\user\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\user\AppData\Roaming\AnyDesk\system.conf" MD5: 2621B754576047A6E94ACBF1DD4FE0EF)

expand.exe (PID: 7088 cmdline: expand -F:* "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver" MD5: 8C2235852F8C2659EB6CA4A0C6B3B3F1)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

rundll32.exe (PID: 1176 cmdline: C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver MD5: D0432468FA4B7F66166C430E1334DBDA)

svchost.exe (PID: 6520 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc MD5: 9520A99E77D6196D0D09833146424113)

svchost.exe (PID: 6564 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 9520A99E77D6196D0D09833146424113)

SgrmBroker.exe (PID: 6612 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: C51AA0BB954EA45E85572E6CC29BA6F4)

svchost.exe (PID: 6644 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: 9520A99E77D6196D0D09833146424113)

AnyDesk.exe (PID: 6944 cmdline: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service MD5: 2621B754576047A6E94ACBF1DD4FE0EF)

AnyDesk.exe (PID: 7044 cmdline: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control MD5: 2621B754576047A6E94ACBF1DD4FE0EF)

AnyDesk.exe (PID: 6160 cmdline: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install MD5: 2621B754576047A6E94ACBF1DD4FE0EF)

svchost.exe (PID: 5944 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: 9520A99E77D6196D0D09833146424113)

drvinst.exe (PID: 5292 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\anydeskprintdriver.inf" "9" "45a2ed013" "00000000000001BC" "WinSta0\Default" "0000000000000164" "208" "c:\users\user\appdata\roaming\anydesk\printer_driver" MD5: 100997A8B475B1D1B173BE8941DFE1A6)

rundll32.exe (PID: 5636 cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{a93448a4-5e3b-e34d-a377-ec81ab406cb0} Global\{56375bfd-f24b-3d4c-9cc8-12acbcf982ed} C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriver.cat MD5: F68AF942FD7CCC0E7BAB1A2335D2AD26)

cleanup

HTTP traffic detected: POST /httpapi HTTP/1.1Host: api.playanext.comUser-Agent: AnyDesk/7.0.14Accept: */*Content-Length: 354Content-Type: application/x-www-form-urlencodedapi_key=c1426bd258099fa69f62933b466d4b77&event=[{"event_type":"check_offer","user_id":"f13c8dbcc1b6f597de2338cf4452e0db","session_id":1680602579309287,"ip":"$remote","event_properties":{"method_used":"Google Chrome Criteria Checker","offer_product":"Google Chrome","distributor":"AnyDesk","distributor_product":"AnyDesk","user_country":"United States"}}Data Raw: Data Ascii:

Source: unknown

DNS traffic detected: queries for: boot.net.anydesk.com

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 185.229.191.41:443 -> 192.168.2.2:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.231.206:443 -> 192.168.2.2:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.231.206:443 -> 192.168.2.2:49765 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a DirectInput object (often for capturing keystrokes)

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1321823649.000000000231A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectDrawCreateEx

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\e1962c70bafb448bad7b03b1bd5ee792$dpx$.tmp\29294455594d444e97770a37389d8698.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\anydeskprintdriver.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\SET35C.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriver.cat (copy)	Jump to dropped file

System Summary

Uses 32bit PE files

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}

Deletes files inside the Windows folder

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\SET1F1.tmp

Creates files inside the system directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a

Detected potential crypto function

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417CF5E	1_3_0417CF5E
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417CF5E	1_3_0417CF5E
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_041580C6	1_3_041580C6
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417CF5E	1_3_0417CF5E
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417CF5E	1_3_0417CF5E
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_041580C6	1_3_041580C6
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0417DFC9	1_3_0417DFC9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D89BC0	2_3_03D89BC0
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 2_3_03D13300	2_3_03D13300
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E42687	3_3_03E42687
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E42687	3_3_03E42687
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E86EC2	3_3_03E86EC2
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E86EC2	3_3_03E86EC2
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E86EC2	3_3_03E86EC2
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E86EC2	3_3_03E86EC2
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 3_3_03E85291	3_3_03E85291

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Code function: String function: 03CCEDDE appears 48 times

PE file does not import any functions

Source: AnyDesk.exe.8.dr	Static PE information: No import functions for PE file found
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesas.dllj% vs 92f25a21-b9c1-4aee-af3e-cacf098605e9
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2271624333.00000000011AB000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesas.dllj% vs 92f25a21-b9c1-4aee-af3e-cacf098605e9

Enables security privileges

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

File read: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Jump to behavior

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --local-service
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --local-control
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-auto --svc-conf "C:\Users\user\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\user\AppData\Roaming\AnyDesk\system.conf"
Source: unknown	Process created: C:\Program Files (x86)\AnyDesk\AnyDesk.exe "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
Source: unknown	Process created: C:\Program Files (x86)\AnyDesk\AnyDesk.exe "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Windows\SysWOW64\expand.exe expand -F:* "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver"
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver
Source: unknown	Process created: C:\Program Files (x86)\AnyDesk\AnyDesk.exe "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\anydeskprintdriver.inf" "9" "45a2ed013" "00000000000001BC" "WinSta0\Default" "0000000000000164" "208" "c:\users\user\appdata\roaming\anydesk\printer_driver"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{a93448a4-5e3b-e34d-a377-ec81ab406cb0} Global\{56375bfd-f24b-3d4c-9cc8-12acbcf982ed} C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriver.cat
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --local-service	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --local-control	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-auto --svc-conf "C:\Users\user\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\user\AppData\Roaming\AnyDesk\system.conf"	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Windows\SysWOW64\expand.exe expand -F:* "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver"	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\anydeskprintdriver.inf" "9" "45a2ed013" "00000000000001BC" "WinSta0\Default" "0000000000000164" "208" "c:\users\user\appdata\roaming\anydesk\printer_driver"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{a93448a4-5e3b-e34d-a377-ec81ab406cb0} Global\{56375bfd-f24b-3d4c-9cc8-12acbcf982ed} C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriver.cat

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InProcServer32

Jump to behavior

Source: AnyDesk.lnk.8.dr	LNK file: ..\..\..\Program Files (x86)\AnyDesk\AnyDesk.exe
Source: AnyDesk.lnk0.8.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\AnyDesk\AnyDesk.exe
Source: AnyDesk.lnk1.8.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\AnyDesk\AnyDesk.exe
Source: Uninstall AnyDesk.lnk.8.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\AnyDesk\AnyDesk.exe

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

File created: C:\Users\user\AppData\Roaming\AnyDesk

Jump to behavior

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

File created: C:\Users\user\AppData\Local\Temp\gcapi.dll

Jump to behavior

Source: classification engine

Classification label: mal76.evad.win@24/71@9/6

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver

Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_7044_3485416741_1_mtx
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Mutant created: \BaseNamedObjects\Global\ad_connect_queue_6944_3466758152_mtx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_02
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_6160_3513624709_1_mtx
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_7044_3485416741_0_mtx
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Mutant created: \BaseNamedObjects\Local\ad_trace_mtx
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Mutant created: \BaseNamedObjects\Global\ad_7014_gsystem_mtx
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_6160_3513624709_0_mtx

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

File created: C:\Program Files (x86)\AnyDesk

Jump to behavior

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: stall "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: stall "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: river:mirror --install-driver:printer --update-auto
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: ll-driver:mirror --install-driver:printer --update-auto --svc-conf "C:\Users\user\AppData\Roaming\AnyDesk\service.conf
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --inst
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --inst
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: ll-driver:mirror --install-driver:printer --update-auto --svc-conf "C:\Users\user\AppData\Roaming\AnyDesk\service.conf"
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: stall "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: river:mirror --install-driver:printer --update-auto --svc-conf "
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: river:mirror --install-driver:printer
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: ad.connect.share.myid=AnyDesk-Address:
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: --install "C:\Program Files (x86)\AnyDesk"
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: Show move/size-helper
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: AnyDesk-Address:
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: ad.menu.display.gui_feedback=Show move/size-helper
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: ad.connect.share.myid=AnyDesk-Address:
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: Show move/size-helper

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Window found: window name: SysTabControl32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9

Static file information: File size 3853384 > 1048576

PE / OLE file has a valid certificate

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9

Static PE information: certificate valid

PE file has a big raw section

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x3a0600

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\b\build\slave\win\build\src\out\Release\gcapi_dll.dll.pdbGCTL source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2423871028.0000000001BA9000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2412143603.0000000003DA3000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1391741189.0000000004EB7000.00000004.00000001.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2411660362.0000000005909000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2420663164.00000000050B3000.00000004.00000001.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000002.2651591214.00000000036B3000.00000004.00000001.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000003.2226145656.0000000003711000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000002.2639033003.0000000002578000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000002.2639033003.000000000259D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000003.2231083866.00000000048C7000.00000004.00000001.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000002.2642528303.0000000004207000.00000004.00000010.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000002.2647954174.000000006C00A000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2271624333.00000000011AB000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000000.1279173333.00000000012CD000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2271624333.00000000011AB000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\source\git\printer-driver\v4\x64\Release\AnyDeskPrintDriverRenderFilter.pdb source: expand.exe, 0000000B.00000003.2161558512.0000000004EA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2542703879.000000000536D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2271624333.00000000011AB000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2271624333.00000000011AB000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\b\build\slave\win\build\src\out\Release\gcapi_dll.dll.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2423871028.0000000001BA9000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2412143603.0000000003DA3000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1391741189.0000000004EB7000.00000004.00000001.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2411660362.0000000005909000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2420663164.00000000050B3000.00000004.00000001.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000002.2651591214.00000000036B3000.00000004.00000001.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000003.2226145656.0000000003711000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000002.2639033003.0000000002578000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000002.2639033003.000000000259D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000003.2231083866.00000000048C7000.00000004.00000001.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000002.2642528303.0000000004207000.00000004.00000010.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000002.2647954174.000000006C00A000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb` source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SAS.pdbR source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2271624333.00000000011AB000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: SAS.pdb source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2271624333.00000000011AB000.00000004.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Unpacked PE file: 9.2.AnyDesk.exe.580000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0393612A push ds; retf	1_3_0393612C
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0393612A push ds; retf	1_3_0393612C
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0392EB64 push 5F0389B3h; iretd	1_3_0392EB69
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_039338CD push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0392EAF7 push ebx; iretd	1_3_0392EB09
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0392EAF7 push ebx; iretd	1_3_0392EB09
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F4A push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F4A push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F7B push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F7B push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0392EAF7 push ebx; iretd	1_3_0392EB09
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0392EAF7 push ebx; iretd	1_3_0392EB09
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0393612A push ds; retf	1_3_0393612C
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_0393612A push ds; retf	1_3_0393612C
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F4A push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F4A push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F7B push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03953F7B push 0000007Ah; ret	1_3_03953FF9
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_03933663 push edx; retn 0001h	1_3_039338DD
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Code function: 1_3_04160A79 push ebx; retn 0003h	1_3_04160A7A

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriverRenderFilter.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\AnyDeskPrintDriverRenderFilter.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriverRenderFilter.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File created: C:\Users\user\AppData\Local\Temp\gcapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\e1962c70bafb448bad7b03b1bd5ee792$dpx$.tmp\0a36ee12a9ad3845bf4d8fa62daf37a5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File created: C:\Users\user\Desktop\gcapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\SETFB98.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File created: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Jump to dropped file
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	File created: C:\Program Files (x86)\AnyDesk\gcapi.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\SET1F1.tmp	Jump to dropped file
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	File created: C:\Windows\Temp\gcapi.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriverRenderFilter.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\SET1F1.tmp	Jump to dropped file
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	File created: C:\Windows\Temp\gcapi.dll	Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk\AnyDesk.lnk	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnk	Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File opened: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	File opened: C:\Program Files (x86)\AnyDesk\AnyDesk.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	File opened: C:\Program Files (x86)\AnyDesk\AnyDesk.exe:Zone.Identifier read attributes \| delete

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe TID: 6364	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe TID: 6368	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe TID: 6440	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe TID: 6444	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe TID: 6496	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 6224	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 6212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 1528	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 6060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 6272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 1328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 6272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe TID: 5380	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\e1962c70bafb448bad7b03b1bd5ee792$dpx$.tmp\0a36ee12a9ad3845bf4d8fa62daf37a5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\SETFB98.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\SET1F1.tmp	Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2423871028.0000000001BA9000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1343574620.0000000001BC7000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1336668105.0000000001B84000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1338197141.0000000001BA7000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1339342459.0000000001BBF000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1350387525.0000000001BAF000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1356293748.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.1353588845.0000000001B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllame}LMEM
Source: svchost.exe, 00000004.00000002.2549825113.000002BA2282B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdo%SystemRoot%\system32\mswsock.dlleProfiles\NetworkService\AppData\Local\Microsoft\WindowsApps
Source: AnyDesk.exe, 0000000A.00000002.2624144367.00000000018A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2455446192.0000000001CC8000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.1962322095.0000000001CCA000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000002.2627514517.0000000001B5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "c:\users\user\desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --install "c:\program files (x86)\anydesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-auto --svc-conf "c:\users\user\appdata\roaming\anydesk\service.conf" --sys-conf "c:\users\user\appdata\roaming\anydesk\system.conf"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{a93448a4-5e3b-e34d-a377-ec81ab406cb0} global\{56375bfd-f24b-3d4c-9cc8-12acbcf982ed} c:\windows\system32\driverstore\temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.inf c:\windows\system32\driverstore\temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.cat
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Process created: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe "c:\users\user\desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --install "c:\program files (x86)\anydesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-auto --svc-conf "c:\users\user\appdata\roaming\anydesk\service.conf" --sys-conf "c:\users\user\appdata\roaming\anydesk\system.conf"	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{a93448a4-5e3b-e34d-a377-ec81ab406cb0} global\{56375bfd-f24b-3d4c-9cc8-12acbcf982ed} c:\windows\system32\driverstore\temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.inf c:\windows\system32\driverstore\temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.cat

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\anydeskprintdriver.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\anydeskprintdriver.cat VolumeInformation
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriver.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriver.cat VolumeInformation

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\AnyDesk\AnyDesk.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000007.00000002.2553918240.0000023475D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2550408134.0000023475C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AntiVirusProduct{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}Windows DefenderTue, 04 Apr 2023 10:03:00 GMTwindowsdefender://%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2552376715.0000023475C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2552376715.0000023475C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2550408134.0000023475C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2553918240.0000023475D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2551509839.0000023475C40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Adds / modifies Windows certificates

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 Blob

Stealing of Sensitive Information

OS version to string mapping found (often used in BOTs)

Source: AnyDesk.exe, 0000000A.00000002.2544678070.000000000054A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: release/win_7.0.x
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000000.1279173333.00000000012CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: .itext.text.custom1b8e6bc34e8cd533b5d7281935ff2761release/win_7.0.x5cf8483107cd52198359a9504e0641fbe8cc59b3
Source: AnyDesk.exe, 0000000A.00000002.2544678070.000000000054A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: 5cf8483107cd52198359a9504e0641fbe8cc59b3release/win_7.0.x1b8e6bc34e8cd533b5d7281935ff2761
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000002.2445980122.0000000001AFB000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: a9504e0641fbe8cc59b3release/win_7.0.x1b8e6bc34e8cd533b5d7281935ff2761
Source: AnyDesk.exe, 00000009.00000002.2625514932.00000000018FB000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: 5cf8483107cd52198359a9504e0641fbe8cc59b3release/win_7.0.x1b8e6bc34e8cd533b5d7281935ff27610
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2294657182.0000000001AFB000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: 4e0641fbe8cc59b3release/win_7.0.x1b8e6bc34e8cd533b5d7281935ff2761

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	521 Windows Management Instrumentation	2 DLL Search Order Hijacking	2 DLL Search Order Hijacking	111 Disable or Modify Tools	1 Input Capture	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Command and Scripting Interpreter	2 Registry Run Keys / Startup Folder	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	224 System Information Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	2 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	431 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 DLL Search Order Hijacking	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	331 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	32 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	331 Virtualization/Sandbox Evasion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	11 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
92f25a21-b9c1-4aee-af3e-cacf098605e9	0%	ReversingLabs
92f25a21-b9c1-4aee-af3e-cacf098605e9	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\AnyDesk\AnyDesk.exe	0%	ReversingLabs
C:\Program Files (x86)\AnyDesk\gcapi.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\gcapi.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\AnyDeskPrintDriverRenderFilter.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\SETFB98.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriverRenderFilter.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\e1962c70bafb448bad7b03b1bd5ee792$dpx$.tmp\0a36ee12a9ad3845bf4d8fa62daf37a5.tmp	0%	ReversingLabs
C:\Users\user\Desktop\gcapi.dll	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriverRenderFilter.dll (copy)	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\SET1F1.tmp	0%	ReversingLabs
C:\Windows\Temp\gcapi.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.playanext.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://www.agesic.gub.uy/acrn/acrn.crl0)	0%	URL Reputation	safe
http://www.rcsc.lt/repository0	0%	URL Reputation	safe
http://www.correo.com.uy/correocert/cps.pdf0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crt08	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crt08	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://www.oaticerts.com/repository.	0%	URL Reputation	safe
http://www.oaticerts.com/repository.	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0	0%	URL Reputation	safe
http://www.echoworx.com/ca/root2/cps.pdf0	0%	URL Reputation	safe
https://t0.ssl.ak.dynamic.tiles.virtualeat/	0%	Avira URL Cloud	safe
http://ns.aap	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
d1atxff5avezsq.cloudfront.net	18.66.97.18	true	false		high
boot.net.anydesk.com	185.229.191.41	true	false		high
relay-10d0d168.net.anydesk.com	208.115.231.206	true	false		high
api.playanext.com	unknown	unknown	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.playanext.comUser-Agent: AnyDesk/7.0.14Accept: /Content-Length: 354Content-Type: application/x-www-form-urlencodedapi_key=c1426bd258099fa69f62933b466d4b77&event=[{"event_type":"check_offer","user_id":"f13c8dbcc1b6f597de2338cf4452e0db","session_id":1680602579309287,"ip":"$remote","event_properties":{"method_used":"Google Chrome Criteria Checker","offer_product":"Google Chrome","distributor":"AnyDesk","distributor_product":"AnyDesk","user_country":"United States"}}/httpapi	false		low
http://api.playanext.comUser-Agent: AnyDesk/7.0.14Accept: /Content-Length: 354Content-Type: application/x-www-form-urlencodedapi_key=c1426bd258099fa69f62933b466d4b77&event=[{"event_type":"check_offer","user_id":"f13c8dbcc1b6f597de2338cf4452e0db","session_id":1680602663428164,"ip":"$remote","event_properties":{"method_used":"Google Chrome Criteria Checker","offer_product":"Google Chrome","distributor":"AnyDesk","distributor_product":"AnyDesk","user_country":"United States"}}/httpapi	false		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	rundll32.exe, 0000000D.00000003.2200819853.0000000003564000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	rundll32.exe, 0000000D.00000003.2196222562.0000000003578000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.suscerte.gob.ve0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2196838864.0000000003568000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anydesk.com/update	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.0000000003891000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000005.00000003.1476505072.000001C6A2C5C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	rundll32.exe, 0000000D.00000003.2196222562.0000000003578000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	rundll32.exe, 0000000D.00000003.2192952973.0000000005340000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2196222562.0000000003578000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/updatei5-xos	AnyDesk.exe, 0000000A.00000003.2174013377.0000000003856000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	rundll32.exe, 0000000D.00000003.2192952973.0000000005340000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/intl/en/chrome/privacy/eula_text.html.	AnyDesk.exe, 0000000E.00000003.2208872142.0000000003A81000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/backup-aliasxeil	AnyDesk.exe, 0000000A.00000003.2171568833.00000000038FD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ca.disig.sk/ca/crl/ca_disig.crl0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datatracker.ietf.org/ipr/1526/	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.suscerte.gob.ve/dpc0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2196838864.0000000003568000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.2541060713.000000000535C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://policies.google.com/privacy?hl=$	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2347789171.0000000004151000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.00000000038B6000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2345287747.000000000414A000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.0000000003891000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2343132667.0000000004141000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2424927165.0000000003DB4000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000003.2175165217.0000000003832000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000002.2639041649.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000003.2174013377.0000000003856000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000E.00000003.2208678495.00000000039E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.disig.sk/ca/crl/ca_disig.crl0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://help.anydesk.com/macos-security	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.0000000003891000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/wol7	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.00000000038AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/rd	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1305008258.0000000003963000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1302769581.0000000003921000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000002.1477680291.000001C6A2C29000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pki.registradores.org/normativa/index.htm0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2193283285.0000000005331000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.anydesk.com/	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000002.2608079530.0000000000FB6000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://www.anf.es/es/address-direccion.html	rundll32.exe, 0000000D.00000002.2541060713.000000000534B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2192952973.000000000534B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2192479240.0000000005347000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	rundll32.exe, 0000000D.00000003.2196222562.0000000003578000.00000004.00000020.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	rundll32.exe, 0000000D.00000003.2192952973.0000000005340000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.anydesk.com/error-messages	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.certicamara.com/dpc/0Z	rundll32.exe, 0000000D.00000003.2195749217.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	rundll32.exe, 0000000D.00000003.2193283285.0000000005331000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	rundll32.exe, 0000000D.00000003.2196838864.0000000003568000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.anydesk.com/wol	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	rundll32.exe, 0000000D.00000003.2196222562.0000000003578000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.globaltrust.info0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000005.00000003.1476438880.000001C6A2C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1476345599.000001C6A2C46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/share3.$	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2355347217.000000000415C000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2349758776.0000000004158000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2343132667.0000000004141000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2347789171.000000000415B000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2344817415.0000000004154000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en/chrome/privacy/eula_text.htmlce	AnyDesk.exe, 0000000A.00000003.2175739835.00000000038D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualeat/	svchost.exe, 00000005.00000002.1477680291.000001C6A2C29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/intl/en/chrome/privacy/eula_text.htmls	AnyDesk.exe, 0000000E.00000003.2208872142.0000000003A81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ac.economia.gob.mx/last.crl0G	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://support.anydesk.com	AnyDesk.exe, 0000000A.00000002.2608079530.0000000000BA5000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://support.google.com/chrome/contact/chromeuninstall3?hl=$1microsoft-edge:openFailed	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000002.00000003.2423871028.0000000001BA9000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 00000009.00000003.2226145656.0000000003711000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000002.2647954174.000000006C00A000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://dynamic.t	svchost.exe, 00000005.00000003.1476039716.000001C6A2C62000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000005.00000003.1476438880.000001C6A2C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1476345599.000001C6A2C46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/ipr/1524/	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Schedules/	svchost.exe, 00000005.00000002.1478151638.000001C6A2C73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1475539841.000001C6A2C71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1475797253.000001C6A2C6A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.oces.trust2408.com/oces.crl0	rundll32.exe, 0000000D.00000002.2541060713.000000000534B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2192952973.000000000534B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2192479240.0000000005347000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eca.hinet.net/repository0	rundll32.exe, 0000000D.00000003.2193283285.0000000005331000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/company#imprint	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.0000000003891000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp	false		high
https://policies.google.com/privacy?hl=ens	AnyDesk.exe, 0000000A.00000003.2174013377.0000000003856000.00000004.00000020.00020000.00000000.sdmp	false		high
http://certs.oaticerts.com/repository/OATICA2.crl	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es00	rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.openssl.org/)	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp	false		high
https://policies.google.com/privacy?hl=enu	AnyDesk.exe, 0000000A.00000003.2174013377.0000000003856000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/intl/om	AnyDesk.exe, 0000000A.00000003.2174013377.000000000383A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anydesk.com/orderuPu	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306497731.0000000003960000.00000004.00000020.00020000.00000000.sdmp	false		high
https://order.anydesk.com/trials	AnyDesk.exe, 0000000A.00000003.2171568833.00000000038FD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	rundll32.exe, 0000000D.00000003.2192952973.0000000005340000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000005.00000003.1476505072.000001C6A2C5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000003.1476345599.000001C6A2C46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://policies.google.com/privacy?hl=enn	AnyDesk.exe, 0000000A.00000003.2174013377.0000000003856000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.aap	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000002.2374972849.0000000004490000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2363295379.000000000448F000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2363732141.0000000004491000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.anydesk.com/en	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.000000000389D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000003.2174013377.000000000383A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000A.00000003.2171568833.00000000038FD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	rundll32.exe, 0000000D.00000003.2193283285.0000000005331000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000005.00000003.1476438880.000001C6A2C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1476345599.000001C6A2C46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.anydesk.com/wolfb~o	AnyDesk.exe, 0000000A.00000003.2171568833.00000000038FD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.acabogacia.org0	rundll32.exe, 0000000D.00000003.2193283285.0000000005331000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.anydesk.com/access.	AnyDesk.exe, 0000000E.00000003.2208872142.0000000003A81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	rundll32.exe, 0000000D.00000003.2195110966.0000000005318000.00000004.00000020.00020000.00000000.sdmp	false		high
https://my.anydesk.com	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp, AnyDesk.exe, 0000000A.00000002.2632459178.0000000003830000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.anydesk.com/ss	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.00000000038AE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agesic.gub.uy/acrn/acrn.crl0)	rundll32.exe, 0000000D.00000003.2193283285.0000000005331000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.openssl.org/support/faq.html	92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000003.2106370639.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000008.00000002.2245564237.0000000000CED000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.rcsc.lt/repository0	rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000005.00000002.1477680291.000001C6A2C29000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.certicamara.com/marco-legal0Z	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.correo.com.uy/correocert/cps.pdf0	rundll32.exe, 0000000D.00000003.2200819853.0000000003564000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crt08	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	rundll32.exe, 0000000D.00000003.2191171384.0000000005363000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000003.1475972109.000001C6A2C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1477680291.000001C6A2C29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1475797253.000001C6A2C6A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.anf.es/AC/RC/ocsp0c	rundll32.exe, 0000000D.00000003.2196222562.0000000003578000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.oaticerts.com/repository.	rundll32.exe, 0000000D.00000003.2191707427.000000000534D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.ancert.com/cps0	rundll32.exe, 0000000D.00000003.2195749217.000000000357F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2193283285.0000000005331000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000005.00000002.1478151638.000001C6A2C73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1475539841.000001C6A2C71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1475797253.000001C6A2C6A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es0	rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0	rundll32.exe, 0000000D.00000003.2194054524.000000000531C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.echoworx.com/ca/root2/cps.pdf0	rundll32.exe, 0000000D.00000003.2195749217.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.66.97.76	unknown	United States	3	MIT-GATEWAYSUS	false
185.229.191.39	unknown	Czech Republic	60068	CDN77GB	false
185.229.191.41	boot.net.anydesk.com	Czech Republic	60068	CDN77GB	false
18.66.97.82	unknown	United States	3	MIT-GATEWAYSUS	false
239.255.102.18	unknown	Reserved	unknown	unknown	false
208.115.231.206	relay-10d0d168.net.anydesk.com	United States	46475	LIMESTONENETWORKSUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	840831
Start date and time:	2023-04-04 12:01:36 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	92f25a21-b9c1-4aee-af3e-cacf098605e9
Detection:	MAL
Classification:	mal76.evad.win@24/71@9/6
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed

Warnings

Exclude process from analysis (whitelisted): WmiPrvSE.exe
Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com
Execution Graph export aborted for target 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, PID 6320 because there are no executed function
Execution Graph export aborted for target 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, PID 6388 because there are no executed function
Execution Graph export aborted for target 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, PID 6396 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:02:56	API Interceptor	1x Sleep call for process: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe modified
12:04:20	API Interceptor	1x Sleep call for process: AnyDesk.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
18.66.97.76	http://fortinet.com	Get hash	malicious	HTMLPhisher	Browse
185.229.191.39	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	Microsoft.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	sJ9Q8UWMAX.exe	Get hash	malicious	CryptOne, Mofksys	Browse
	http://anydesk.com	Get hash	malicious	Unknown	Browse
	https://ms94.yolasite.com/	Get hash	malicious	Unknown	Browse
185.229.191.41	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	Microsoft.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
boot.net.anydesk.com	AnyDesk.exe	Get hash	malicious	Unknown	Browse	49.12.130.236
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	49.12.130.235
	https://anydesk.com/en/downloads/windows?dv=win_exe	Get hash	malicious	Unknown	Browse	49.12.130.237
	migrate.120.exe	Get hash	malicious	DCRat, EICAR	Browse	49.12.130.235
	AnyDesk.msi	Get hash	malicious	Unknown	Browse	185.229.191.39
	AnyDesk(1).msi	Get hash	malicious	Unknown	Browse	185.229.191.44
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.44
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41
	AnyDesk261022.exe	Get hash	malicious	Unknown	Browse	49.12.130.237
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	49.12.130.237
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	92.223.88.7
	1.msi	Get hash	malicious	Unknown	Browse	92.223.88.41
	sJ9Q8UWMAX.exe	Get hash	malicious	CryptOne, Mofksys	Browse	185.229.191.39
	http://anydesk.com	Get hash	malicious	Unknown	Browse	185.229.191.39
	https://ms94.yolasite.com/	Get hash	malicious	Unknown	Browse	49.12.130.236
	AnyDesk (5).exe	Get hash	malicious	Unknown	Browse	49.12.130.237
	AnyDesk (4).exe	Get hash	malicious	Unknown	Browse	195.181.174.167
	AnyDesk (3).exe	Get hash	malicious	Unknown	Browse	195.181.174.173
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	195.181.174.173
d1atxff5avezsq.cloudfront.net	https://download.filezilla-project.org/client/FileZilla_3.63.2.1_win64_sponsored2-setup.exe	Get hash	malicious	Unknown	Browse	18.66.97.82
	IxwmWTyePr.exe	Get hash	malicious	Unknown	Browse	13.224.103.61
	AnyDesk261022.exe	Get hash	malicious	Unknown	Browse	18.66.97.76
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	18.66.192.103
	Microsoft.exe	Get hash	malicious	Unknown	Browse	13.224.103.47
	DA362DFF8B39C6B4B92387F48F5BEB91CE55DBDF8BFE6.exe	Get hash	malicious	AsyncRAT, RedLine	Browse	13.226.158.101
	AnyDesk (3).exe	Get hash	malicious	Unknown	Browse	108.156.46.84
	handelsbankensupport.com-AnyDesk.exe	Get hash	malicious	Unknown	Browse	13.224.96.25
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	52.85.14.29
	AnyDesk_ETS_WIN.exe	Get hash	malicious	Unknown	Browse	13.224.196.114
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	13.32.14.27
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	143.204.98.106
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	143.204.98.24
	nqG4It8G4V.exe	Get hash	malicious	Unknown	Browse	143.204.202.109
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	13.32.25.101
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	13.32.25.29

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CDN77GB	https://links.e.sportpursuit.com/ctt?m=27991812&r=MzE4MTQ5Nzk2MTk2S0&b=0&j=MjQyMDk3NjE5NwS2&k=t-e.e-23468.i-1.&kx=1&kt=12&kd=https%3a%2f%2flyrical-real-viscountess.glitch.me?gq=paul.baldock@dvsa.gov.uk	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://clickhereazuoff.com/link.html#YUBhLmNvbQ=	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://www.youtube.com/attribution_link?c=3Dcoachblog-ytm-acq-int-blog-txt-coach&u=http%3A%2F%2F578027855.imxlg.com%2F.glm.ca%2F57476237%2Fnze22%2F%2F%2F%2Farahman@glm.ca/?id=3Dcom.google.android.apps.youtube.music	Get hash	malicious	Unknown	Browse	89.187.165.194
	http://wdmue6lcey6419b9cc73c4c.nlbdr.ru	Get hash	malicious	Unknown	Browse	89.187.165.194
	DCUMNTO_FDR_PROCES.vbs	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://click.stitchfix.com/YXcr?pid=Email&sf_client_external_id=613c20e2-b0dd-4438-8a2e-0d1d1513fc57&deeplink=true&utm_campaign=email_us_w_reactivation_styleshuffle&utm_source=blueshift&utm_medium=email&utm_content=email_us_w_reactivation_styleshuffle_437152218&af_esp_url_path=%2Ftrack&af_esp_url_params=uid%3D32c44352-a594-48c3-bce6-586e60e061a2%26txnid%3Df1763a38-2e1d-5443-9ceb-d12aa1744af2%26bsft_aaid%3D3a8cb797-2e0c-489f-b330-8334bcfa0b57%26eid%3D7efc95f6-bd2a-acf5-0423-478fa777323c%26mid%3D530eddc0-b872-4a79-ac14-24461f2f973d%26bsft_ek%3D2022-09-21T14%3A24%3A38Z%26bsft_mime_type%3Dhtml%26bsft_link_id%3D17%26bsft_tv%3D62%26bsft_lx%3D9%26a%3Dclick%26api%3Dtrue&af_esp_name=blueshift&af_dp=https%3A%2F%2Fwww.stitchfix.com%2Fapp%2Fhome&af_web_dp=//rsuganesha.com/gusleo/RIGQhe/emFjay5tY2Nhbm5AY25hc3VyZXR5LmNvbQ==	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://brandequity.economictimes.indiatimes.com/etl.php?url=https://rarecaretherapeutics.com/HSGGDHDJF/kdjdhf/wpajnwf%2F%2F%2F%2Fbvantussenbrook@badlandsgear.com	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://brandequity.economictimes.indiatimes.com/etl.php?url=//Reillyarch.monkey-lab.net/a?e=YXVkcml1c2xAcmVpbGx5YXJjaC5jb20=	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://app.plangrid.com/oauth_link?token=oauth_da6596803402246b4ea05a279c69b892&redirect=http://100KGgrace.kpcbenjaminjbu.totalbeautysaloon.nl/?code=Y2JlbmphbWluQGFiaGkuY29t	Get hash	malicious	Unknown	Browse	89.187.165.194
	http://ipfs.io	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://brandequity.economictimes.indiatimes.com/etl.php?url=//Pella.monkey-lab.net/a?e=ZXZhbmNob3NtQHBlbGxhLmNvbQ==	Get hash	malicious	Unknown	Browse	89.187.165.194
	http://ipfs.io/ipfs/qmfddxlwoliqfurx6duzcshxvbp1znm21h5jxgs1ffnxtp?filename=atob.html#THISISTHEFBI@gov.us	Get hash	malicious	Unknown	Browse	185.93.3.244
	https://brandequity.economictimes.indiatimes.com/etl.php?url=//Bunkhousegroup.cpr4doctors.com?e=cmhpYW5ub24uZGlsbG9uQGJ1bmtob3VzZWdyb3VwLmNvbQ==	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://app.funnel-preview.com/for_domain/hollytreeccdesign.clickfunnels.com/microsoft1680013743643?updated_at=260a39772dc83fcc30e22f61f718489fv2&track=0&preview=true%20https://app.funnel-preview.com/for_domain/hollytreeccdesign.clickfunnels.com/microsoft1680013743643?updated_at=260a39772dc83fcc30e22f61f718489fv2&track=0&preview=true	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://srm.dewa.gov.ae/sap/public/bc/icf/logoff?redirecturl=http%3A%2F%2Fipfs.io%2Fipfs%2Fbafkreiev4zmqlc75snjpotepgahnuh5n3h6ecjjj3c5k2mqx3s7bx3pkdi%2F?io=dmluY2VudC5tYWNoaUB6YmV0YS5jb20=	Get hash	malicious	Unknown	Browse	185.93.3.244
	https://www.youtube.com/attribution_link?c=achblog-ytm-acq-int-blog-txt-coach&u=http%3A%2F%2F24032.dvasolutions.co.za%2F.markus.halbedl%2F563%2FEonyU%2F%2F%2F%2Fmarkus.halbedl@energytoolbase.com/?id=com.google.android.apps.youtube.music	Get hash	malicious	Unknown	Browse	89.187.165.194
	https://cm.naukri.com/?redirect=https://ep6jigo7.hmcobnr.com/aHR0cHM6Ly9yYW1idW5jdGlvdXMtbGFjeS1udXRtZWcuZ2xpdGNoLm1lP2FmPWljdUBhdWd1c3RhaGVhbHRoLmNvbQ==	Get hash	malicious	Unknown	Browse	89.187.165.194
	Signed_Referral_Agreement.html	Get hash	malicious	Unknown	Browse	89.187.165.194
	http://www.google.com/url?q=http%3A%2F%2Fl1nq.com%2FBgdan&sa=D&sntz=1&usg=AOvVaw1uZGAk5g9hujpxm2qhpEAJ	Get hash	malicious	Unknown	Browse	89.187.165.194
	Payment Advice Note-20969.html.htm	Get hash	malicious	HTMLPhisher	Browse	185.59.220.194
MIT-GATEWAYSUS	https://searchunify.com	Get hash	malicious	Unknown	Browse	18.66.97.31
	FYv143KmBp.elf	Get hash	malicious	Mirai, Moobot	Browse	19.63.90.0
	https://links.e.sportpursuit.com/ctt?m=27991812&r=MzE4MTQ5Nzk2MTk2S0&b=0&j=MjQyMDk3NjE5NwS2&k=t-e.e-23468.i-1.&kx=1&kt=12&kd=https%3a%2f%2flyrical-real-viscountess.glitch.me?gq=paul.baldock@dvsa.gov.uk	Get hash	malicious	Unknown	Browse	18.66.192.52
	WOBnGFfwDv.elf	Get hash	malicious	Mirai, Moobot	Browse	19.186.14.12
	https://www.searchunify.com/	Get hash	malicious	Unknown	Browse	18.66.97.30
	https://online.fliphtml5.com/gmlhf/fite/	Get hash	malicious	Unknown	Browse	18.66.192.61
	http://online.fliphtml5.com/gmlhf/fite/	Get hash	malicious	Unknown	Browse	18.66.192.61
	https://jornaleconomico.pt	Get hash	malicious	Unknown	Browse	18.66.192.9
	https://indd.adobe.com/view/8dd8ddd2-2c7c-47df-b84c-cbd3ea227272	Get hash	malicious	Unknown	Browse	18.66.200.135
	https://clickhereazuoff.com/link.html#YUBhLmNvbQ=	Get hash	malicious	Unknown	Browse	18.66.200.97
	https://ipac.edu.py/v2/redirect/redirect/ZG9ubmFfaG9iYnNAYmN0cmFuc2l0LmNvbQ==	Get hash	malicious	Phisher	Browse	18.66.200.97
	https://dankbarglobal.com/wp_plugns/sfgwg53/index.html	Get hash	malicious	HTMLPhisher	Browse	18.66.196.6
	https://dankbarglobal.com/wp_plugns/sfgwg53/index.html	Get hash	malicious	HTMLPhisher	Browse	18.66.196.15
	a6fSE2r5ku.elf	Get hash	malicious	Mirai, Moobot	Browse	19.101.81.68
	CavHGXBV6E.exe	Get hash	malicious	DanaBot	Browse	18.113.29.119
	https://payroll-docu.webnode.page/contact/	Get hash	malicious	HTMLPhisher	Browse	18.64.142.21
	https://osgrrnc2orygyl2bdaq3j55dt2nf7nxkh3kwhvxo7q374hule-ipfs-w3s-link.translate.goog/0.html?_x_tr_hp=bafybeicws&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#buds@alpenacounty.org	Get hash	malicious	HTMLPhisher	Browse	18.66.196.75
	https://learning.dmec.org/	Get hash	malicious	Unknown	Browse	18.66.112.39
	#U260e#Ufe0f message 03042023.htm	Get hash	malicious	Unknown	Browse	18.66.192.9
	http://url8684.kawasakicars.com/ls/click?upn=53L2kKfSIMO4mVacl2iz-2FW3pLcKytArHUBB-2Fc7OF85NFVG005dakz-2F7w1mxB7J9gGpYzldI06fnugBt9ZOMe6TCSsc2o4CFMymZpa0rnw-2B0-3Dftv2_MjFPikWoCmv8aAb7xuiZzJpw0rN20lGU-2FefNCDf-2BvF1qGXFhcd9-2Fb0Hfztrr1chhIoT6jBb-2FbTFo7XsT3K0iiHbds-2FRqbZH9SUnkLfZ3Dv7wt3A2KbXSv1O9Bru5-2FkgFWUDx4h9UOVYdJPvS17wna9sc6vR7LCDHeOJfMMqCARetFBXUu1pxYbvayvf2dX7t3qpWZmSaIXWxbKvNl-2B-2BTMWe6LZMS6WUZGGo-2BaWFpJJF1CNUG5SqENGUtwlVH8aRtTiaEcN1bQ5bZXVGsc04vYyuC5HcnmgrWTmgFTaMYs4iXw-2FDo1S3qe1uN9p-2FHcHCNW7udQqc5j9T-2FVaFu8XmUCSqnq42voim27ZcQQkotkvsxG0czL92R-2FWwPAUBsbif1djQBuIv79VLGoQbivJ9i3RkQe-2B-2FoaFgOJh31lyw08HyZqk99YPKPUEyFYlrJXJYm9WFVWdPyZD-2BcS5QtMU2-2BYdlNhVf0K80PIRKmeV5hx8Oe8XeKuypDbWUSlv0g0ljn1WRF3MTYZECYqRTziEuDmxvO2LoWMKP9kCzP9oV74fJQzHyUzRZmYD5MLuDfzTEkc36obx3qIGjDej4Tii1VI386LkpAvzUlB6F5BClytBbTKf3Rm6OUXlLJpEEGGtCGV5iO-2FSLKDZuGyUTJrpe5g5WiTa6zEuIoH7-2Fpt76IwWfg0EJ7E-2F3DSGMDWo7RFTqjRJPoNPqiI5TTa5BL06c3gWxKCOFtkCLBiHgMnFZSaRU67VpvROOB7-2FxG0azGT9eOXmkUwuACKyBcrXjecI9g1GynZomaE5c-2F74CPen7WRV55QSHthLuNCc5V9W-2BvbdSRrgFKF-2BOhE0xave1Y7f0TBcANgGhEc2NdlFE0UARlAJ0-3D	Get hash	malicious	Unknown	Browse	18.172.213.118

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
c91bde19008eefabce276152ccd51457	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk(1).msi	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk261022.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	sJ9Q8UWMAX.exe	Get hash	malicious	CryptOne, Mofksys	Browse	185.229.191.41 208.115.231.206
	AnyDesk (5).exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk (4).exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Vidar	Browse	185.229.191.41 208.115.231.206
	AnyDesk (3).exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDeskUninst5265.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	handelsbankensupport.com-AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206
	AnyDesk_ETS_WIN.exe	Get hash	malicious	Unknown	Browse	185.229.191.41 208.115.231.206

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\AnyDesk\gcapi.dll	Modulo.msi	Get hash	malicious	DanaBot	Browse
	AnyDesk261022.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	comprovante.msi	Get hash	malicious	DanaBot	Browse
	Regularize.msi	Get hash	malicious	DanaBot	Browse
	presidentes.msi	Get hash	malicious	DanaBot	Browse
	NotaFiscal.msi	Get hash	malicious	Unknown	Browse
	Microsoft.exe	Get hash	malicious	Unknown	Browse
	AnyDesk (5).exe	Get hash	malicious	Unknown	Browse
	AnyDesk (3).exe	Get hash	malicious	Unknown	Browse
	handelsbankensupport.com-AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk_ETS_WIN.exe	Get hash	malicious	Unknown	Browse
	YfbB61z87a.exe	Get hash	malicious	RedLine	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse
	nqG4It8G4V.exe	Get hash	malicious	Unknown	Browse
	AnyDesk.exe	Get hash	malicious	Unknown	Browse

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: .href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=An equals www.linkedin.com (Linkedin)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306006627.0000000003891000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2447188354.0000000003DB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ equals www.facebook.com (Facebook)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2433088182.0000000003E6A000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2440172733.0000000003E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/( equals www.facebook.com (Facebook)
Source: AnyDesk.exe, 0000000E.00000003.2207829592.0000000003A9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com//1k equals www.facebook.com (Facebook)
Source: AnyDesk.exe, 0000000A.00000003.2171568833.00000000038E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/qJ equals www.facebook.com (Facebook)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2446392662.0000000003DB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyD equals www.linkedin.com (Linkedin)
Source: AnyDesk.exe, 0000000E.00000003.2208678495.00000000039E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ad.share.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source= equals www.linkedin.com (Linkedin)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2433088182.0000000003E6A000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.2440172733.0000000003E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: f=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it% equals www.linkedin.com (Linkedin)
Source: AnyDesk.exe, 0000000A.00000003.2171568833.00000000038E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hare.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source=ot equals www.linkedin.com (Linkedin)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306497731.0000000003957000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2340690424.0000000003951000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ equals www.facebook.com (Facebook)
Source: AnyDesk.exe, 0000000A.00000003.2171568833.00000000038FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/Bd#m, equals www.facebook.com (Facebook)
Source: AnyDesk.exe, 0000000A.00000003.2171568833.00000000038FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/Pd equals www.facebook.com (Facebook)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe	String found in binary or memory: ps://facebook.com/AnyDesk ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ ad.share.linkedi equals www.facebook.com (Facebook)
Source: AnyDesk.exe, 0000000A.00000003.2175165217.0000000003832000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe, 0000000E.00000003.2208678495.00000000039E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ttps://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ equals www.facebook.com (Facebook)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, AnyDesk.exe, 0000000A.00000002.2641365818.0000000003DA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2344098787.0000000003931000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2352942627.0000000003931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comee. equals www.facebook.com (Facebook)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.1339498915.0000000003E45000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.1339379057.0000000003E45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comf equals www.facebook.com (Facebook)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, AnyDesk.exe, 0000000A.00000002.2641365818.0000000003DA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306379463.0000000003933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.comea$ equals www.linkedin.com (Linkedin)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.1306379463.0000000003933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.comfs equals www.linkedin.com (Linkedin)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.1339498915.0000000003E45000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000003.00000003.1339379057.0000000003E45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.comfu equals www.linkedin.com (Linkedin)
Source: 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2344098787.0000000003931000.00000004.00000020.00020000.00000000.sdmp, 92f25a21-b9c1-4aee-af3e-cacf098605e9.exe, 00000001.00000003.2352942627.0000000003931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.comktopj equals www.linkedin.com (Linkedin)

Process:	C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3853384
Entropy (8bit):	7.9990645721025375
Encrypted:	true
SSDEEP:	98304:6W0Ughn1zD8gmJUikb59sFaZw3abaqt8+Uen/xIZ:6WBCn5D8gmJUrvsFaZw3HsJIZ
MD5:	2621B754576047A6E94ACBF1DD4FE0EF
SHA1:	246F36118C53AC7421518DBC9BB4259128F3C417
SHA-256:	109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975
SHA-512:	6B3D58AFC82297626BC85D0EA0BD9A16626C34CA3A13BC6CDF3EEA396946685641D8659A472FF8C6526E3EFBDFD439B05B79965ED195FD1B734A935FFBB00812
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L... ..b..........".........\:..............@....@..........................P......C.;...@.............................................PH............:.HF...@......................................................................................text...5(......................... ..`.itext.......@...........................rdata.............................@..@.data.....:......:..2..............@....rsrc...PH.......J...8:.............@..@.reloc.......@........:.............@..B................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Generic INItialization configuration [DriverRender]
Category:	dropped
Size (bytes):	271
Entropy (8bit):	5.266454556037467
Encrypted:	false
SSDEEP:	6:/5QXK4VCzXL2ory+eC2rgN+jAJh6piBVAZVhe81W8l2+:Cazb2Yy+eC2xKh64Ke8xN
MD5:	0D7876B516B908AAB67A8E01E49C4DED
SHA1:	0900C56619CD785DECA4C302972E74D5FACD5EC9
SHA-256:	98933DE1B6C34B4221D2DD065715418C85733C2B8CB4BD12AC71D797B78A1753
SHA-512:	6874F39FFF34F9678E22C47B67F5CD33B825C41F0B0FD84041450A94CC86CC94811293BA838F5267C9CD167D9ABCF74E00A2F3C65E460C67E668429403124546
Malicious:	false
Preview:	[DriverConfig]..DataFile=AnyDeskPrintDriver.gpd..PrinterDriverID={ccc6b592-6ec7-4055-9140-99474af555d3}..............RequiredFiles=UNIRES.DLL,STDNAMES.GPD,MSXPSINC.GPD..DriverCategory=PrintFax.Printer......UserPropertyBagScope=Queue....[DriverRender]..XpsFormat=XPS......

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	Generic INItialization configuration [DriverRender]
Category:	dropped
Size (bytes):	271
Entropy (8bit):	5.266454556037467
Encrypted:	false
SSDEEP:	6:/5QXK4VCzXL2ory+eC2rgN+jAJh6piBVAZVhe81W8l2+:Cazb2Yy+eC2xKh64Ke8xN
MD5:	0D7876B516B908AAB67A8E01E49C4DED
SHA1:	0900C56619CD785DECA4C302972E74D5FACD5EC9
SHA-256:	98933DE1B6C34B4221D2DD065715418C85733C2B8CB4BD12AC71D797B78A1753
SHA-512:	6874F39FFF34F9678E22C47B67F5CD33B825C41F0B0FD84041450A94CC86CC94811293BA838F5267C9CD167D9ABCF74E00A2F3C65E460C67E668429403124546
Malicious:	false
Preview:	[DriverConfig]..DataFile=AnyDeskPrintDriver.gpd..PrinterDriverID={ccc6b592-6ec7-4055-9140-99474af555d3}..............RequiredFiles=UNIRES.DLL,STDNAMES.GPD,MSXPSINC.GPD..DriverCategory=PrintFax.Printer......UserPropertyBagScope=Queue....[DriverRender]..XpsFormat=XPS......

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	2202
Entropy (8bit):	3.6217875907609276
Encrypted:	false
SSDEEP:	12:QgAaZpAPzRprbo370PB2dHl1ElKAO09DK3dQ2xQ2dH12UIQDIPA9YuA9TKAmA9fd:Qi4fbY77sjW3dXbcXTxdqXH6yvMgy
MD5:	D4CA3F9CEEB46740C6C43826D94ABA18
SHA1:	D863CB54AD2FA0CFC0329954CBE49F70F49FDB87
SHA-256:	494E4351B85D2821E53A22434F51A4186AA0F7BE5724922FC96DFB16687AD37C
SHA-512:	BE08BC144EE2A491FBC80449B4339C01871C6E7D2DDC0E251475D8E426220C6EF35F67698B0586156F0A62B22DB764C43842F577B82C3F9E4E93957F9D617DB4
Malicious:	false
Preview:	..;. .C.o.p.y.r.i.g.h.t. .(.c.). .2.0.1.8. .A.n.y.D.e.s.k.....;. .I.N.F. .f.i.l.e. .f.o.r. .t.h.e. .A.n.y.D.e.s.k. .p.r.i.n.t. .d.r.i.v.e.r.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.=.P.r.i.n.t.e.r.....C.l.a.s.s.G.u.i.d.=.{.4.D.3.6.E.9.7.9.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....P.r.o.v.i.d.e.r.=.%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e.=.A.n.y.D.e.s.k.P.r.i.n.t.D.r.i.v.e.r...c.a.t.....C.l.a.s.s.V.e.r.=.4...0.....D.r.i.v.e.r.V.e.r. .=. .1.2./.0.4./.2.0.1.8.,.1.0...4.0...2.8...1.0.9.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.=.S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....".A.n.y.D.e.s.k. .v.4. .P.r.i.n.t.e.r. .D.r.i.v.e.r.".=.D.r.i.v.e.r.I.n.s.t.a.l.l.,. .{.G.U.I.D.}.....".A.n.y.D.e.s.k. .v.4. .P.r.i.n.t.e.r. .D.r.i.v.e.r.".=.D.r.i.v.e.r.I.n.s.t.a.l.l.,. .U.S.B.P.R.I.N.T.\.A.n.y.D.e.s.k.....".A.n.y.D.e.s.k. .v.4. .P.r.i.n.t.e.r.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.23886881445016456
Encrypted:	false
SSDEEP:	12:8lcn/e0y52xX/7EzPTG6P0+RSQ9aTQ1olfW+08sRT+U+lxOi:8ltOOG6P0+RSHMizgTa1
MD5:	00105566976551A916123998B6452B9C
SHA1:	07DB4ECC15BFA5A819A6F8C4A007042D7F5E865D
SHA-256:	A91311AF275D4250A78C4456E79F12E89A4B59DE5580DE808D6CF77484221D7F
SHA-512:	6B5FC5976B96CD174DFF5E6334E74F5D051E195882BE767202D076C75D33B3B376FA25AFB7CE5DBBEC334864356E0B32BEABD28686DB12DB8ED84D8C313C656C
Malicious:	false
Preview:	.... ... ....................................... ...!...............................x......Q.....................G..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1...........................................................@.SS(...........J..f..........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.3.0.4.0.4._.1.0.0.2.5.7._.3.6.5...e.t.l.........P.P.....x......Q....................................................................................................................................................................................................................................................................

Entrypoint:	0x401ce9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F0D620 [Mon Aug 8 09:23:44 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/13/2021 1:00:00 AM 1/9/2025 12:59:59 AM
Subject Chain	CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-W\xfcrttemberg, C=DE
Version:	3
Thumbprint MD5:	EAE713DFC05244CF4301BF1C9F68B1BE
Thumbprint SHA-1:	9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
Thumbprint SHA-256:	9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
Serial:	0DBF152DEAF0B981A8A938D53F769DB8

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf8f000	0x4850	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3a8600	0x4648	.itext
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf94000	0x84	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbed000	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2835	0x2a00	False	0.5951450892857143	data	6.499250014872965	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x4000	0xbe8a00	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xbed000	0x2fa	0x400	False	0.724609375	Matlab v4 mat-file (little endian) \234\322\276, numeric, rows 1659950624, columns 0, imaginary	5.64813417805907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbee000	0x3a0904	0x3a0600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf8f000	0x4850	0x4a00	False	0.5122466216216216	data	6.015287517361402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf94000	0x300	0x400	False	0.1455078125	data	1.181265380704217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0xf8f280	0x1b8e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xf90e10	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States
RT_ICON	0xf91478	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States
RT_ICON	0xf91760	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States
RT_ICON	0xf91948	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States
RT_ICON	0xf91ac0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States
RT_ICON	0xf92b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States
RT_GROUP_ICON	0xf91a70	0x4c	data	English	United States
RT_GROUP_ICON	0xf92fd0	0x22	data	English	United States
RT_VERSION	0xf92ff8	0x250	data	English	United States
RT_MANIFEST	0xf93248	0x606	XML 1.0 document, ASCII text	English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2023 12:02:57.130357981 CEST	50130	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:02:57.148536921 CEST	53	50130	1.1.1.1	192.168.2.2
Apr 4, 2023 12:02:57.370429993 CEST	56712	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:02:57.388158083 CEST	53	56712	1.1.1.1	192.168.2.2
Apr 4, 2023 12:02:58.624797106 CEST	61978	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:02:58.643343925 CEST	53	61978	1.1.1.1	192.168.2.2
Apr 4, 2023 12:02:58.831864119 CEST	54981	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:02:58.850370884 CEST	53	54981	1.1.1.1	192.168.2.2
Apr 4, 2023 12:02:59.136430979 CEST	63431	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:02:59.155142069 CEST	53	63431	1.1.1.1	192.168.2.2
Apr 4, 2023 12:03:00.179441929 CEST	49524	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:03:00.201225996 CEST	53	49524	1.1.1.1	192.168.2.2
Apr 4, 2023 12:04:17.194188118 CEST	64488	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:04:17.212552071 CEST	53	64488	1.1.1.1	192.168.2.2
Apr 4, 2023 12:04:20.894210100 CEST	56501	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:04:20.912245035 CEST	53	56501	1.1.1.1	192.168.2.2
Apr 4, 2023 12:04:24.329638958 CEST	60668	53	192.168.2.2	1.1.1.1
Apr 4, 2023 12:04:24.351682901 CEST	53	60668	1.1.1.1	192.168.2.2

Timestamp	kBytes transferred	Direction	Data
Apr 4, 2023 12:02:58.416994095 CEST	50	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 2a 11 7a 46 a4 70 ef d5 14 22 eb a7 a1 34 d0 f7 30 15 aa 62 68 56 61 92 23 91 fd 6d ca 36 d1 52 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: zFp"40bhVa#m6Rn0,($kjih98762.&=5/+'#g@?>32101-)%</r#
Apr 4, 2023 12:02:58.444766998 CEST	50	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 d1 88 60 aa 25 5d 95 c8 91 f7 70 5e 48 db f7 93 2c 0e c8 3e b9 23 c4 08 44 4f 57 4e 47 52 44 01 20 38 5b f5 a4 ca de dc 79 13 4f 71 43 d8 24 52 ad a2 a8 08 76 f7 a4 71 c3 6b 31 ab 2c 6c 17 3a bb c0 2c 00 00 0b ff Data Ascii: WS`%]p^H,>#DOWNGRD 8[yOqC$Rvqk1,l:,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Apr 4, 2023 12:02:58.444880962 CEST	51	IN	Data Raw: e6 e8 20 b9 4b 8b bb 63 de 6f 65 6a 9f 5d d7 c1 97 9b 2d 30 4e 9a 81 85 b4 1c 92 a6 ed d8 7a f9 df 9d 03 b3 90 9c 78 a9 c8 ba 0e 3c ac ec 14 db 7d 51 b3 97 06 b9 f6 77 60 ab fe 59 83 af 8e 97 56 29 c7 db 7e 71 79 d1 c7 f7 da b6 c8 f7 af 8f 24 e0 Data Ascii: Kcoej]-0Nzx<}Qw`YV)~qy$ZG\|'SO^jl$\|XM+")+{n\&9S\|4xLp\|aZ.qDL\vq$;OroCs4\|z\8[TRxU>R
Apr 4, 2023 12:02:58.444991112 CEST	52	IN	Data Raw: 35 35 5a 17 0d 32 34 30 34 30 38 30 32 33 37 35 35 5a 30 48 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 4e 65 74 20 52 6f 6f 74 20 43 41 31 20 30 1e 06 03 55 04 0a 0c 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 Data Ascii: 55Z240408023755Z0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0"0*H0AZ T7;h8m&i6p4p]\|Zx1\{ZQ/3'h;jlaV
Apr 4, 2023 12:02:58.445065022 CEST	52	IN	Data Raw: 3c 1f 22 91 25 17 15 cc 42 82 da 3b a8 39 c7 2a 50 ca d9 4c a0 8c 95 33 75 03 70 b8 df a0 c9 b2 b2 8b 1b 38 83 79 32 c3 12 da 33 96 42 f4 91 11 aa c6 26 31 bc ea 43 8a 30 54 65 c5 43 9e 50 3b fa 91 93 0e 9d 3b 23 4a 3d 43 c1 c6 22 9b 68 af 2f fc Data Ascii: <"%B;9PL3up8y23B&1C0TeCP;;#J=C"h/R"j.P0N0UeyXW6\bG0U#0eyXW6\bG0U00HG`4%(^0VGv T=#
Apr 4, 2023 12:02:58.445163965 CEST	53	IN	Data Raw: ca b6 9b 39 e6 cf 27 d0 2c 99 74 d4 ca de 47 88 ed df f7 9c 3b ac 8a 62 d2 75 90 d9 00 81 d3 f8 c2 47 8e 9a bd 87 6d ce e5 9a 7f 28 76 a4 77 c6 3f b9 bf 4d f1 cb df 0f 2c 73 fe b4 60 e3 26 5e 83 f2 ae 36 56 94 e9 a7 9d a1 3d ca 5d 6e 3d 5d a8 6f Data Ascii: 9',tG;buGm(vw?M,s`&^6V=]n=]oh'g4E4{%QT?Qd9wsfI+\+Wfp;q.Lgr:>4m`=D^!`l.:s&jAc0.VV,Ab,3b,bH
Apr 4, 2023 12:02:58.457070112 CEST	54	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 34 30 34 31 30 30 32 Data Ascii: 000H010UAnyDesk Client0 230404100255Z20730322100255Z010UAnyDesk Client0"0H0 3P8A<SOn9^Tkt(9EUNze]MJmj_m/9,c6
Apr 4, 2023 12:02:58.483083963 CEST	54	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 af ab 40 f0 73 ed 60 9d e9 b3 e1 04 27 54 f2 3b 77 5c 08 25 80 3b 51 22 fb 93 30 d5 d2 0f 88 3f 9d 30 bb cf 45 64 99 28 Data Ascii: (@s`'T;w\%;Q"0?0Ed(
Apr 4, 2023 12:02:58.483335972 CEST	54	IN	Data Raw: 17 03 03 00 23 af ab 40 f0 73 ed 60 9e 0b e4 95 76 98 b4 3b 18 7d 12 a3 9b 32 52 25 f5 80 44 21 66 6e 7a 8e 31 54 0b d3 Data Ascii: #@s`v;}2R%D!fnz1T
Apr 4, 2023 12:02:58.485265017 CEST	54	OUT	Data Raw: 17 03 03 00 57 ef 0b 8b bf f5 fe 06 a8 40 f4 f5 1f 63 f7 8e a8 9f 46 97 f2 71 3e 93 5e b8 96 fa 7a 82 39 85 31 82 ab ee 0e ad f7 2a 45 19 19 84 5f 1a f0 48 f7 01 b7 db 0e 03 b5 ed 27 1f e2 12 8a 89 c2 d9 cf 6a f2 47 5d 1b 47 40 14 38 ff b6 60 5f Data Ascii: W@cFq>^z91*E_H'jG]G@8`_xI_z
Apr 4, 2023 12:02:58.510272026 CEST	55	IN	Data Raw: 17 03 03 03 32 af ab 40 f0 73 ed 60 9f 06 24 98 46 43 ed c0 15 48 82 bc 60 07 0b 4a c2 87 e7 04 78 56 c0 4a 63 79 c5 6b 89 a7 36 0e 91 69 6f a8 3d c3 76 4c 7d 80 95 c2 42 99 e1 7f 54 db ad 2c a0 25 ae ff bc f4 a0 0b 73 5c de fa 51 6b 37 45 a2 d0 Data Ascii: 2@s`$FCH`JxVJcyk6io=vL}BT,%s\Qk7E! 0s@ '#oJVh8[ugFRhiRR*$jDj}R_g\|a+5o8gETt&]L>6\x^{y\l(
Apr 4, 2023 12:02:58.510365963 CEST	55	IN	Data Raw: 17 8f 39 e7 01 f2 32 0e dc 7f b5 41 ef 55 ac a9 5a 10 91 45 8b 32 ec 98 ec da 9e 51 d0 01 07 37 b3 57 d1 f0 47 af fb b9 bc 1d 17 ba 94 d1 fb 51 53 a9 9d d4 2c 0a d9 98 06 77 e5 72 d8 e9 a7 e3 ca 09 fc d6 e5 05 7b f4 53 b2 06 9f 2e 23 a6 5b 7d 4b Data Ascii: 92AUZE2Q7WGQS,wr{S.#[}KYb]ugL\|]!Ee-o$F05lGlyX_o?xRnYu\|< RX}Z]0</ ~\|6VK;VNi)@VT&vt@

Timestamp	kBytes transferred	Direction	Data
Apr 4, 2023 12:02:58.878720045 CEST	61	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 50 b7 95 84 a2 79 83 a7 9a b6 7f d4 0c 2d 9a 2f 85 14 9a f7 35 ee fd d6 16 4c 61 c8 42 79 97 d0 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: Py-/5LaByn0,($kjih98762.*&=5/+'#g@?>32101-)%</r#
Apr 4, 2023 12:02:58.901032925 CEST	62	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 b5 0b bb d2 d9 8e 32 28 34 e6 d2 0f a4 3a 99 99 14 e3 cc 55 e9 ec 7a 80 44 4f 57 4e 47 52 44 01 20 43 b6 1a 3f 75 6b 72 df 49 bb f0 a5 79 89 91 f9 65 ff eb 1c 23 da 63 a5 ed 25 97 07 7b 05 f1 b9 c0 2c 00 00 0b ff Data Ascii: WS2(4:UzDOWNGRD C?ukrIye#c%{,C0?0'0vtS$0*H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Apr 4, 2023 12:02:58.901078939 CEST	63	IN	Data Raw: 5a eb 51 2f 97 bf f6 fb 33 27 90 b3 d8 e4 e0 cd 68 3b 6a 87 6c a6 0d e7 d8 bd 61 df 56 6b 2a e1 1c 2b f5 9f bf 85 dd 8c 5b 06 1e 71 7f ba 4a a6 40 b0 77 17 ea 2c 3f 5b 94 14 85 2e ad 11 61 ab 88 f6 01 bb b3 47 6b e2 81 18 f1 8e 39 e6 d8 7b 0c 63 Data Ascii: ZQ/3'h;jlaVk*+[qJ@w,?[.aGk9{cpu'-5={{Hy8-&~K2vf/bj@kXScuxI#ph3/L^}a}4AkP+g_R4gs@lo67Jv"rR}uMU#[~.K_e
Apr 4, 2023 12:02:58.901114941 CEST	63	IN	Data Raw: 17 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 09 06 03 55 04 06 13 02 44 45 16 03 03 00 04 0e 00 00 00 Data Ascii: philandro Software GmbH10UDE
Apr 4, 2023 12:02:58.913158894 CEST	65	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 34 30 34 31 30 30 32 Data Ascii: 000H010UAnyDesk Client0 230404100255Z20730322100255Z010UAnyDesk Client0"0H0 3P8A<SOn9^Tkt(9EUNze]MJmj_m/9,c6
Apr 4, 2023 12:02:58.934092999 CEST	65	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 f7 c0 7f a9 04 a1 c9 0d f8 72 bf ca 54 07 df 79 c7 ed 3c 4c d3 ce d5 55 51 5b ea 74 55 8e 64 f8 04 2a 7b 99 5d f3 86 a1 Data Ascii: (rTy<LUQ[tUd*{]
Apr 4, 2023 12:02:58.934165001 CEST	65	IN	Data Raw: 17 03 03 00 23 f7 c0 7f a9 04 a1 c9 0e 29 50 92 6f dd e2 1d 3f e4 84 37 bf e2 73 62 96 16 1b 4e d8 cb 57 cf 9c 53 5c b2 Data Ascii: #)Po?7sbNWS\
Apr 4, 2023 12:02:58.935614109 CEST	65	OUT	Data Raw: 17 03 03 00 57 30 7b 82 88 f2 5b 1b 39 ca 9a 9d 7f 1a 59 65 d3 39 94 77 88 a2 2a 3e 82 c5 dc 3e da b9 4c 4d ed 43 65 e8 b0 87 62 04 7e 6b 9c 5f d0 5b ce cd c4 d0 c3 ef cd b5 5c 7c 5d dd 1b 11 5c f7 15 c3 ae 8b 20 12 68 5f 46 86 22 5f 12 c1 ae 4e Data Ascii: W0{[9Ye9w*>>LMCeb~k_[\\|]\ h_F"_N2s$t
Apr 4, 2023 12:02:59.014251947 CEST	65	IN	Data Raw: 17 03 03 00 24 f7 c0 7f a9 04 a1 c9 0f 76 49 33 b6 f0 6e 3d aa 4c 96 40 6f 05 7c 62 cc 7a 2c f9 e6 08 5e 8c c8 dc 7f b5 b8 Data Ascii: $vI3n=L@o\|bz,^

Timestamp	kBytes transferred	Direction	Data
Apr 4, 2023 12:03:00.226269960 CEST	491	OUT	POST /httpapi HTTP/1.1Host: api.playanext.comUser-Agent: AnyDesk/7.0.14Accept: /Content-Length: 354Content-Type: application/x-www-form-urlencodedapi_key=c1426bd258099fa69f62933b466d4b77&event=[{"event_type":"check_offer","user_id":"f13c8dbcc1b6f597de2338cf4452e0db","session_id":1680602579309287,"ip":"$remote","event_properties":{"method_used":"Google Chrome Criteria Checker","offer_product":"Google Chrome","distributor":"AnyDesk","distributor_product":"AnyDesk","user_country":"United States"}} Data Raw: Data Ascii:
Apr 4, 2023 12:03:00.548162937 CEST	492	IN	HTTP/1.1 200 OK Content-Type: application/json Content-Length: 0 Connection: keep-alive Date: Tue, 04 Apr 2023 10:03:00 GMT x-amzn-RequestId: d2a79a52-5069-4ecb-8ac3-3c6507f1b712 x-amz-apigw-id: C2NZPF2DoAMFvSg= X-Amzn-Trace-Id: Root=1-642bf5d4-0d2ae57048a5445460c10ba9;Sampled=0;lineage=d7502c8f:0 Via: 1.1 82514a5a8cf35fb3132b0b5ab9cb724c.cloudfront.net (CloudFront), 1.1 2af4ee189e50805a67bd62bbd51ad0dc.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P3 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: FRA56-P2 X-Amz-Cf-Id: OLQYbv5zRbrPZlfi1B73vF_gDEK7Z6RSulnk_tliPJXFjuNssTcr8A==

Timestamp	kBytes transferred	Direction	Data
Apr 4, 2023 12:04:20.937870026 CEST	504	OUT	Data Raw: 16 03 01 01 0d 01 00 01 09 03 03 5c 2f 77 d2 8f d1 26 2b ad fe ec c2 0f ec 7a 04 7b 30 49 40 73 5b e0 5f c1 8a e9 e8 10 10 7e 6e 00 00 6e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 Data Ascii: \/w&+z{0I@s[_~nn0,($kjih98762.*&=5/+'#g@?>32101-)%</r#
Apr 4, 2023 12:04:20.961000919 CEST	505	IN	Data Raw: 16 03 03 00 57 02 00 00 53 03 03 fd a6 a8 62 c4 9c c6 c4 81 99 a1 94 36 52 30 6b 60 09 80 46 40 82 36 1e 44 4f 57 4e 47 52 44 01 20 a3 d0 f9 61 3a 2a d8 55 1f 21 34 69 31 b6 fd c3 99 b2 44 7d f3 2e 15 73 99 ed df 48 45 1d 7e 2f c0 2c 00 00 0b ff Data Ascii: WSb6R0k`F@6DOWNGRD a:U!4i1D}.sHE~/,C0?0'0vtS$0H0H10UAnyNet Root CA1 0Uphilandro Software GmbH10UDE0181118021423Z281115021
Apr 4, 2023 12:04:20.961062908 CEST	507	IN	Data Raw: 5a eb 51 2f 97 bf f6 fb 33 27 90 b3 d8 e4 e0 cd 68 3b 6a 87 6c a6 0d e7 d8 bd 61 df 56 6b 2a e1 1c 2b f5 9f bf 85 dd 8c 5b 06 1e 71 7f ba 4a a6 40 b0 77 17 ea 2c 3f 5b 94 14 85 2e ad 11 61 ab 88 f6 01 bb b3 47 6b e2 81 18 f1 8e 39 e6 d8 7b 0c 63 Data Ascii: ZQ/3'h;jlaVk*+[qJ@w,?[.aGk9{cpu'-5={{Hy8-&~K2vf/bj@kXScuxI#ph3/L^}a}4AkP+g_R4gs@lo67Jv"rR}uMU#[~.K_e
Apr 4, 2023 12:04:20.961102009 CEST	507	IN	Data Raw: 70 68 69 6c 61 6e 64 72 6f 20 53 6f 66 74 77 61 72 65 20 47 6d 62 48 31 0b 30 09 06 03 55 04 06 13 02 44 45 16 03 03 00 04 0e 00 00 00 Data Ascii: philandro Software GmbH10UDE
Apr 4, 2023 12:04:20.973886967 CEST	508	OUT	Data Raw: 16 03 03 02 b6 0b 00 02 b2 00 02 af 00 02 ac 30 82 02 a8 30 82 01 90 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 19 31 17 30 15 06 03 55 04 03 0c 0e 41 6e 79 44 65 73 6b 20 43 6c 69 65 6e 74 30 20 17 0d 32 33 30 34 30 34 31 30 30 32 Data Ascii: 000H010UAnyDesk Client0 230404100255Z20730322100255Z010UAnyDesk Client0"0H0 3P8A<SOn9^Tkt(9EUNze]MJmj_m/9,c6
Apr 4, 2023 12:04:20.995853901 CEST	508	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 2e a0 e8 5e 1d 8b ac 1c 0c bd ed f4 af da c5 f8 09 96 dd c5 c0 a7 e6 d6 04 dd e2 29 85 24 ac ab 14 8b 35 0b 8d 36 be 2f Data Ascii: (.^)$56/
Apr 4, 2023 12:04:20.995915890 CEST	508	IN	Data Raw: 17 03 03 00 23 2e a0 e8 5e 1d 8b ac 1d 9f d5 ae dc 22 8e a0 8b 9e b9 5d 67 59 e1 cb e0 5d a2 c5 68 60 83 ad 6b 08 da 2c Data Ascii: #.^"]gY]h`k,
Apr 4, 2023 12:04:20.996993065 CEST	508	OUT	Data Raw: 17 03 03 00 57 d3 2d 4c c3 d8 c7 4d 11 48 c1 b0 d8 93 c5 f0 ee 2d 48 45 41 20 55 a2 58 24 50 06 42 70 23 53 62 0f a3 20 63 7a 61 e2 12 3b 82 62 45 af bf c3 33 f3 84 f3 f3 ab 41 9e 96 12 03 70 65 7a 37 14 b2 81 1c 97 69 14 59 f9 e9 87 4e b0 28 1b Data Ascii: W-LMH-HEA UX$PBp#Sb cza;bE3Apez7iYN(+`T;J3Q
Apr 4, 2023 12:04:21.236733913 CEST	509	IN	Data Raw: 17 03 03 00 8d 2e a0 e8 5e 1d 8b ac 1e f7 36 9b 3b 8a 83 fb 81 e7 1f b9 46 7f 53 1c 68 52 f3 26 15 77 c8 65 8b 33 a9 92 4e 66 d4 33 e2 08 35 b3 7d ba 23 2e 50 d1 0d 12 29 de ae ca 6f a7 fb cd 12 9d f6 e0 68 d5 e3 4d 06 8d 24 fa 36 99 01 53 31 c9 Data Ascii: .^6;FShR&we3Nf35}#.P)ohM$6S1@REi+.enX<0Oa\[YL3ux<j'#?\|
Apr 4, 2023 12:04:21.301178932 CEST	509	OUT	Data Raw: 17 03 03 00 38 d3 2d 4c c3 d8 c7 4d 12 43 b9 33 aa 48 1a 6b c2 f0 87 3b 18 89 10 a0 f7 f0 46 3f c4 84 13 ab 8f 7a 58 c9 9a e3 c9 32 eb a6 e7 e4 8f 32 da 57 2d 12 1e e2 99 12 ac c7 5c Data Ascii: 8-LMC3Hk;F?zX22W-\
Apr 4, 2023 12:04:21.390070915 CEST	509	IN	Data Raw: 17 03 03 00 44 2e a0 e8 5e 1d 8b ac 1f 39 ea 24 f7 20 42 a0 16 74 fb 42 5a dc 54 03 14 11 05 90 9b b7 52 11 71 89 e6 c8 35 2c d5 e4 c8 7a dc a7 2d 0a a0 93 db 1a 61 94 b0 81 11 f3 39 a4 4b a9 af 1f 6a 45 d4 b2 79 42 51 Data Ascii: D.^9$ BtBZTRq5,z-a9KjEyBQ
Apr 4, 2023 12:04:21.390876055 CEST	509	OUT	Data Raw: 17 03 03 00 2a d3 2d 4c c3 d8 c7 4d 13 38 46 e5 50 5e a2 9a a2 c1 6c 6f 89 8d 97 ff c3 1e 85 46 17 84 63 94 20 c9 3c 78 08 62 97 3f 84 a6 a9 Data Ascii: *-LM8FP^loFc <xb?
Apr 4, 2023 12:04:21.515947104 CEST	509	IN	Data Raw: 17 03 03 00 2f 2e a0 e8 5e 1d 8b ac 20 96 7c 4c b2 2c 41 dc c9 7d 76 d9 c6 47 3c 75 b6 4d 29 9d b0 81 ba 94 b5 ec fc d1 e9 8f 89 96 95 a6 c3 07 a1 50 ef ff Data Ascii: /.^ \|L,A}vG<uM)P
Apr 4, 2023 12:04:23.059037924 CEST	510	OUT	Data Raw: 17 03 03 00 3c d3 2d 4c c3 d8 c7 4d 14 17 7f 65 1a e7 0d 48 26 65 68 16 bb d3 33 07 cb 5d fe b6 e7 7f 56 c4 91 c3 b3 a3 9e 1a b9 df ae dd 0c 30 7b 82 b8 e8 86 ef 10 fe 4a ab ab c8 23 8f f1 4d a7 Data Ascii: <-LMeH&eh3]V0{J#M
Apr 4, 2023 12:04:23.098850012 CEST	510	IN	Data Raw: 17 03 03 00 2e 2e a0 e8 5e 1d 8b ac 21 1a 51 ee 82 8d ad 46 3e 82 7f 87 99 d8 fd e6 24 ff 95 17 e6 0c 7b 17 6a a0 ea cf 68 61 1e 46 02 34 4a fa 23 23 b2 Data Ascii: ..^!QF>${jhaF4J##
Apr 4, 2023 12:04:23.100040913 CEST	510	OUT	Data Raw: 17 03 03 00 3e d3 2d 4c c3 d8 c7 4d 15 5a a1 23 4e f0 f1 cf fd 4c b3 e3 96 05 ba 01 bc 93 f3 b4 af e4 36 34 d2 4e 69 3a 0f a7 a1 10 03 0d 24 ab e2 1f 07 00 e5 20 03 81 08 9a f2 64 d5 3c a3 7b 5f d5 57 Data Ascii: >-LMZ#NL64Ni:$ d<{_W
Apr 4, 2023 12:04:23.149909973 CEST	510	IN	Data Raw: 17 03 03 00 2e 2e a0 e8 5e 1d 8b ac 22 96 57 4c 76 30 0b 37 d8 8a 5b 2e 81 4d e5 06 4e 75 85 96 c8 ad b8 11 6e 72 05 b0 f0 37 63 1f 24 74 c9 85 60 47 22 Data Ascii: ..^"WLv07[.MNunr7c$t`G"
Apr 4, 2023 12:04:23.151277065 CEST	510	OUT	Data Raw: 17 03 03 00 34 d3 2d 4c c3 d8 c7 4d 16 ff 0f 31 24 d4 e9 cb d3 44 38 6b c1 c3 1b 0a e1 66 fc 47 04 eb 87 d6 23 5a af df 89 43 40 e0 23 8b 30 e5 1e 99 4f 15 fb 63 e2 e3 26 Data Ascii: 4-LM1$D8kfG#ZC@#0Oc&
Apr 4, 2023 12:04:23.174325943 CEST	511	OUT	Data Raw: 17 03 03 00 34 d3 2d 4c c3 d8 c7 4d 17 70 34 9d 6e 1b f0 0f ee 79 98 9f cf 7d 07 01 11 45 54 ed 22 b9 69 8a 5f 28 68 11 0d 01 76 1a 10 08 47 d3 24 70 89 cf e1 ad 60 07 d8 Data Ascii: 4-LMp4ny}ET"i_(hvG$p`
Apr 4, 2023 12:04:23.199976921 CEST	511	OUT	Data Raw: 17 03 03 00 34 d3 2d 4c c3 d8 c7 4d 18 25 53 c9 70 f5 04 27 d1 f2 dc 5e b7 42 9c 66 67 5f 95 8b 3e 7d 88 97 13 9c ba 82 59 50 83 2b fd a8 8b ac ef 9a f8 e1 6d 7e c7 f0 4e Data Ascii: 4-LM%Sp'^Bfg_>}YP+m~N

Timestamp	kBytes transferred	Direction	Data
Apr 4, 2023 12:04:24.376872063 CEST	927	OUT	POST /httpapi HTTP/1.1Host: api.playanext.comUser-Agent: AnyDesk/7.0.14Accept: /Content-Length: 354Content-Type: application/x-www-form-urlencodedapi_key=c1426bd258099fa69f62933b466d4b77&event=[{"event_type":"check_offer","user_id":"f13c8dbcc1b6f597de2338cf4452e0db","session_id":1680602663428164,"ip":"$remote","event_properties":{"method_used":"Google Chrome Criteria Checker","offer_product":"Google Chrome","distributor":"AnyDesk","distributor_product":"AnyDesk","user_country":"United States"}} Data Raw: Data Ascii:
Apr 4, 2023 12:04:24.699210882 CEST	928	IN	HTTP/1.1 200 OK Content-Type: application/json Content-Length: 0 Connection: keep-alive Date: Tue, 04 Apr 2023 10:04:24 GMT x-amzn-RequestId: ffdcb9c4-2e4d-43f5-916b-8a2bb7375974 x-amz-apigw-id: C2NmZE8moAMFipA= X-Amzn-Trace-Id: Root=1-642bf628-444e9b853a58e2b20b7b0cb9;Sampled=0;lineage=d7502c8f:0 Via: 1.1 77ba839b79ec0a8b2031c8a828e7fdfa.cloudfront.net (CloudFront), 1.1 891011d51eb2353ebe8601f5b6467070.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P3 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: FRA56-P2 X-Amz-Cf-Id: fs6HnCvdjm4O9-tEJ0A06f6SC1S30RR7DTeZuko2kxyZysQTaTDIDg==

Target ID:	1
Start time:	12:02:47
Start date:	04/04/2023
Path:	C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe
Imagebase:	0x6e0000
File size:	3853384 bytes
MD5 hash:	2621B754576047A6E94ACBF1DD4FE0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 92f25a21-b9c1-4aee-af3e-cacf098605e9

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Privilege Escalation

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

C:\Program Files (x86)\AnyDesk\gcapi.dll

C:\ProgramData\AnyDesk\ad_svc.trace

C:\ProgramData\AnyDesk\service.conf

C:\ProgramData\AnyDesk\system.conf

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk\AnyDesk.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk

C:\Users\Public\Desktop\AnyDesk.lnk

C:\Users\user\AppData\Local\Temp\gcapi.dll

C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\AnyDeskPrintDriver-manifest.ini (copy)

C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\AnyDeskPrintDriver.cat (copy)

C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\AnyDeskPrintDriver.gpd (copy)

C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml (copy)

C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\AnyDeskPrintDriverRenderFilter.dll (copy)

C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\SETFB98.tmp

C:\Users\user\AppData\Local\Temp\{a1d03c80-7a9d-0740-8675-ad849a86a4e4}\SETFBC8.tmp

Windows Analysis Report
92f25a21-b9c1-4aee-af3e-cacf098605e9

Target ID:	2
Start time:	12:02:51
Start date:	04/04/2023
Path:	C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --local-service
Imagebase:	0x6e0000
File size:	3853384 bytes
MD5 hash:	2621B754576047A6E94ACBF1DD4FE0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	4
Start time:	12:02:57
Start date:	04/04/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc
Imagebase:	0x7ff6f63c0000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	8
Start time:	12:04:10
Start date:	04/04/2023
Path:	C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\92f25a21-b9c1-4aee-af3e-cacf098605e9.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-auto --svc-conf "C:\Users\user\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\user\AppData\Roaming\AnyDesk\system.conf"
Imagebase:	0x6e0000
File size:	3853384 bytes
MD5 hash:	2621B754576047A6E94ACBF1DD4FE0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	9
Start time:	12:04:13
Start date:	04/04/2023
Path:	C:\Program Files (x86)\AnyDesk\AnyDesk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
Imagebase:	0x580000
File size:	3853384 bytes
MD5 hash:	2621B754576047A6E94ACBF1DD4FE0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Target ID:	10
Start time:	12:04:14
Start date:	04/04/2023
Path:	C:\Program Files (x86)\AnyDesk\AnyDesk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
Imagebase:	0x580000
File size:	3853384 bytes
MD5 hash:	2621B754576047A6E94ACBF1DD4FE0EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	11
Start time:	12:04:15
Start date:	04/04/2023
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	expand -F:* "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver"
Imagebase:	0xd60000
File size:	53248 bytes
MD5 hash:	8C2235852F8C2659EB6CA4A0C6B3B3F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	13
Start time:	12:04:17
Start date:	04/04/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\user\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver
Imagebase:	0x910000
File size:	61952 bytes
MD5 hash:	D0432468FA4B7F66166C430E1334DBDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	15
Start time:	12:04:22
Start date:	04/04/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Imagebase:	0x7ff6f63c0000
File size:	53744 bytes
MD5 hash:	9520A99E77D6196D0D09833146424113
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	18
Start time:	12:04:25
Start date:	04/04/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{a93448a4-5e3b-e34d-a377-ec81ab406cb0} Global\{56375bfd-f24b-3d4c-9cc8-12acbcf982ed} C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{5190aac7-b965-5d4c-a8f2-d012c5c874ce}\AnyDeskPrintDriver.cat
Imagebase:	0x7ff7bc550000
File size:	71168 bytes
MD5 hash:	F68AF942FD7CCC0E7BAB1A2335D2AD26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre