Windows Analysis Report
1.msi

Overview

General Information

Sample Name: 1.msi
Analysis ID: 679413
MD5: 6cf5ad7a7d1b7bab0c62e246cf41a985
SHA1: b06a03adc550ead96534f5e723395c4e16bfdf44
SHA256: fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050
Tags: msi

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Hides user accounts
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Modifies the windows firewall
Tries to disable installed Antivirus / HIPS / PFW
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Sleep loop found (likely to delay execution)
Detected potential crypto function
Changes image file execution options
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Modifies existing windows services
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Spawns drivers
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Dropped file seen in connection with other malware
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 1.msi Virustotal: Detection: 48%
Source: 1.msi ReversingLabs: Detection: 30%
Source: 1.msi Avira: detected
Source: C:\Windows\Installer\78c344.msi Avira: detection malicious, Label: BDS/Finfish.ujrxw
Source: C:\Windows\Installer\78c341.msi Avira: detection malicious, Label: BDS/Finfish.ujrxw
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) ReversingLabs: Detection: 65%
Source: 11.0.install.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.7.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.3.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.5.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 11.2.install.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.6.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Windows\Logs\DPX\setuperr.log
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: anydesk.exe, 00000010.00000002.1078177888.0000000001C1A000.00000002.00000001.01000000.00000008.sdmp, AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb` source: anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: Joe Sandbox View IP Address: 92.223.88.41 92.223.88.41
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 195.181.174.174:6568
Source: global traffic TCP traffic: 192.168.2.22:49178 -> 80.209.241.3:20000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 80.209.241.3
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ equals www.facebook.com (Facebook)
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ad.share.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source= equals www.linkedin.com (Linkedin)
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.anydesk.com/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.opengl.org/registry/
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/)
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKeyparametersprivateKeyECPKPARAMETERSvalue
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anydesk.com
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anydesk.com/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anydesk.com/company#imprint
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anydesk.com/order
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anydesk.com/privacy
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anydesk.com/terms
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anydesk.com/update
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://boot-01.net.anydesk.com
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://boot.net.anydesk.comabcdefABCDEFtruefalsebase.prot.packetInvalid
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://console-ui.myanydesk2.on.anydesk.com
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/$
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/HelpLinkInstallLocationAnyDesk
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/access
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/backup-alias
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/error-messages
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/macos-security
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/share
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://help.anydesk.com/wol
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.anydesk.com
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.anydesk.com/password-generator.
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://order.anydesk.com/trial
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/privacy?hl=$
Source: AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://support.anydesk.com
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.anydesk.com/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.anydesk.com/AnyDesk_on_macOS
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/home?status=Do%20you%20know%20%23AnyDesk?%20AnyDesk%20is%20a%20small%20and%20qui
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/$
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Rem
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nayuki.io/page/qr-code-generator-library
Source: unknown DNS traffic detected: queries for: boot.net.anydesk.com
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Code function: 11_2_004013DD CreateFileA,GlobalAlloc,GlobalAlloc,ReadFile,MultiByteToWideChar,MultiByteToWideChar,WSAStartup,socket,connect,send,send,Sleep,recv,shutdown,WSACleanup, 11_2_004013DD
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: DirectDrawCreateEx
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\78c342.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\78c341.msi
Source: C:\ProgramData\anydesk.exe Code function: 16_2_01042DFD 16_2_01042DFD
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_012A2DFD 20_2_012A2DFD
Source: eee52229ee24a34cb61191d27a7b66f1.tmp.9.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: C:\Windows\System32\msiexec.exe Process Stats: CPU usage > 98%
Source: anydesk.exe.11.dr Static PE information: No import functions for PE file found
Source: AnyDesk.exe.16.dr Static PE information: No import functions for PE file found
Source: anydesk.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: anydesk.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AnyDesk.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AnyDesk.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: unknown Driver loaded: C:\Windows\System32\drivers\rdpdr.sys
Source: Joe Sandbox View Dropped File: C:\ProgramData\anydesk\AnyDesk.exe AF61905129F377F5934B3BBF787E8D2417901858BB028F40F02200E985EE62F6
Source: C:\Windows\SysWOW64\icacls.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Memory allocated: 77740000 page execute and read and write
Source: C:\ProgramData\anydesk.exe Memory allocated: 77620000 page execute and read and write
Source: C:\ProgramData\anydesk.exe Memory allocated: 77740000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77620000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77740000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77620000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77740000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77620000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77740000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77620000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe Memory allocated: 77740000 page execute and read and write
Source: 1.msi Virustotal: Detection: 48%
Source: 1.msi ReversingLabs: Detection: 30%
Source: C:\Windows\System32\VSSVC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
Source: C:\Windows\SysWOW64\icacls.exe Console Write: ....................@.-..........3B.....(.P.....P........................~......................................................P...............
Source: C:\Windows\SysWOW64\icacls.exe Console Write: ....................@.-..........3B.....(.P.....P........................~..............................................v.................-.....
Source: C:\Windows\SysWOW64\icacls.exe Console Write: ......................,..........3......(.P.............................3.........................................................'.......'.....
Source: C:\Windows\SysWOW64\icacls.exe Console Write: ......................,..........3......(.P.............................9...............................................v.................,.....
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6381DE7DB6BAADD41D0E24C26E59EDFC
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 22388C515E15FC158EA4B11229C0F8D9 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\anydesk.exe c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: unknown Process created: C:\ProgramData\anydesk\AnyDesk.exe "C:\ProgramData\AnyDesk\AnyDesk.exe" --service
Source: unknown Process created: C:\ProgramData\anydesk\AnyDesk.exe "C:\ProgramData\AnyDesk\AnyDesk.exe" --control
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\anydesk\AnyDesk.exe c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\ProgramData\anydesk\AnyDesk.exe "c:\programdata\anydesk\anydesk.exe" --get-id
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files"
Source: C:\Windows\System32\VSSVC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Code function: 11_2_00401C0B OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 11_2_00401C0B
Source: C:\ProgramData\anydesk.exe File created: C:\Users\user\AppData\Roaming\AnyDesk
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\~DF0154135B388C6B07.TMP
Source: classification engine Classification label: mal100.evad.winMSI@34/28@4/5
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\msiwrapper.ini
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \BaseNamedObjects\Global\ad_connect_queue_2556_539387648_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2856_712703952_0_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2120_827364153_1_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2336_604751762_1_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \BaseNamedObjects\Local\ad_trace_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2336_604751762_0_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2120_827364153_0_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2856_712703952_1_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \BaseNamedObjects\Global\ad_707_gsystem_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_trace_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe Mutant created: \BaseNamedObjects\Session\1\ad_mailbox_2120_827364153_1_mtx
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Code function: 11_2_00401254 CreateDirectoryA,GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,CreateFileA,WriteFile,CloseHandle,WriteFile, 11_2_00401254
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\msiwrapper.ini
Source: C:\ProgramData\anydesk\AnyDesk.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1.msi Static file information: File size 4063232 > 1048576
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: anydesk.exe, 00000010.00000002.1078177888.0000000001C1A000.00000002.00000001.01000000.00000008.sdmp, AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb` source: anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\ProgramData\anydesk.exe Unpacked PE file: 16.2.anydesk.exe.1040000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe Unpacked PE file: 20.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe Unpacked PE file: 21.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe Unpacked PE file: 25.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe Unpacked PE file: 26.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk.exe Code function: 16_2_015A9805 push ecx; ret 16_2_015A9818
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_01809805 push ecx; ret 20_2_01809818
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_01817257 LoadLibraryW,GetProcAddress,GetProcAddress,RtlEncodePointer,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 20_2_01817257
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe File created: C:\programdata\anydesk.exe
Source: C:\ProgramData\anydesk.exe File created: C:\ProgramData\anydesk\AnyDesk.exe
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5BE8.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB0A0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBA33.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIED31.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Windows\Logs\DPX\setuperr.log

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe Debugger
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe Debugger
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe Debugger
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe Debugger
Source: C:\Windows\System32\msiexec.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\msiexec.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Administartor
Source: C:\ProgramData\anydesk.exe File opened: C:\ProgramData\AnyDesk\AnyDesk.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\anydesk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\anydesk\AnyDesk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe TID: 2948 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 264 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 868 Thread sleep time: -660000s >= -30000s
Source: C:\Windows\System32\VSSVC.exe TID: 316 Thread sleep time: -900000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2408 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2944 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2068 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2676 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 904 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 Thread sleep count: 1273 > 30
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 Thread sleep count: 647 > 30
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 Thread sleep count: 181 > 30
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 Thread sleep count: 47 > 30
Source: C:\ProgramData\anydesk.exe TID: 2012 Thread sleep time: -300000s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 2184 Thread sleep time: -420000s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1544 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 2468 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 848 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1656 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 672 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Thread sleep count: Count: 1273 delay: -10
Source: C:\ProgramData\anydesk\AnyDesk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Window / User API: threadDelayed 1273
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Window / User API: threadDelayed 647
Source: C:\Windows\System32\svchost.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: VSSVC.exe, 00000003.00000002.1168516119.000000000172F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: svchost.exe, 00000004.00000003.984456495.0000000000324000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.1166912198.00000000002EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: svchost.exe, 00000004.00000002.1167619042.0000000001201000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: si#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>>
Source: svchost.exe, 00000004.00000003.984328347.0000000000324000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},
Source: svchost.exe, 00000004.00000002.1167619042.0000000001201000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}00
Source: C:\ProgramData\anydesk.exe Code function: 16_2_015B0229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_015B0229
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_01817257 LoadLibraryW,GetProcAddress,GetProcAddress,RtlEncodePointer,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 20_2_01817257
Source: C:\ProgramData\anydesk\AnyDesk.exe Memory protected: page read and write | page guard
Source: C:\ProgramData\anydesk.exe Code function: 16_2_015B0229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_015B0229
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_01810229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_01810229
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_01810229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_01810229
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_0180743D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_0180743D
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_0180743D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_0180743D
Source: C:\ProgramData\anydesk\AnyDesk.exe File opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6381DE7DB6BAADD41D0E24C26E59EDFC
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 22388C515E15FC158EA4B11229C0F8D9 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\ProgramData\anydesk\AnyDesk.exe "c:\programdata\anydesk\anydesk.exe" --get-id
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\anydesk.exe c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\anydesk\AnyDesk.exe c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\VSSVC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\ProgramData\anydesk\AnyDesk.exe Code function: 20_2_016F9BE0 _vswprintf_s,WaitForSingleObject,OutputDebugStringA,GetSystemTime,TlsGetValue,__itow,GetCurrentThreadId,GetCurrentProcessId,__snprintf,SetFilePointer,SetFilePointer,ReadFile,_memmove,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,WriteFile,RtlEnterCriticalSection,RaiseException, 20_2_016F9BE0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
Source: install.exe, 0000000B.00000003.1118766580.0000000000946000.00000004.00000020.00020000.00000000.sdmp, install.exe, 0000000B.00000003.1118897172.000000000095E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: procdump.exe
Source: AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: release/win_7.0.x
Source: AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: .itext.text.customf97bed53183a234c33acc24231b422c4release/win_7.0.x96f8d80eac273a9144abccce2f66dbc2200cc81d
Source: anydesk.exe, 00000010.00000002.1077981622.0000000001BA0000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 96f8d80eac273a9144abccce2f66dbc2200cc81drelease/win_7.0.xf97bed53183a234c33acc24231b422c4
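Added detection example (not part of the Joe Sandbox report, and not code from AnyDesk or from the sample): it covers the process tree above (install.exe unpacked by msiexec spawning cmd.exe for `anydesk.exe --install ... --silent`, `echo <password>|anydesk.exe --set-password` and `anydesk.exe --get-id`) and the `netsh advfirewall firewall add rule ... localport=3389 action=allow` event in this section, by running process-creation records through a few command-line rules and correlating hits per parent process. Two practical points it encodes: the unattended-access password is piped through cmd.exe, so it lands verbatim in the command line that Sysmon Event ID 1 or 4688 command-line auditing records; and the 922337203685477 ms "delays" above are the largest representable wait interval (an indefinite wait), so they are weak evidence next to this chain. The sample events are constructed from the command lines quoted in the report; the `ProcEvent`/`Finding` types, rule names, severities and the two benign control events are assumptions of this example.

```python
"""Detection logic for the AnyDesk unattended-access chain seen in this report.

Runs constructed Sysmon/4688-style process-creation events through a few
command-line rules and correlates hits per parent process.  Sample events are
built from the command lines quoted in the report; everything else (type names,
rule names, severities, the two benign control events) is an assumption of this
added example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: parent image, child image, child command line."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    event: ProcEvent


# Parent seen in the report: install.exe unpacked by msiexec into the MSI temp dir.
INSTALLER = r"C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe"

# Constructed sample events: the first four mirror the report's process tree,
# the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(INSTALLER, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent"),
    ProcEvent(INSTALLER, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password"),
    ProcEvent(INSTALLER, r"C:\ProgramData\anydesk\AnyDesk.exe",
              r'"c:\programdata\anydesk\anydesk.exe" --get-id'),
    ProcEvent(INSTALLER, r"C:\Windows\SysWOW64\netsh.exe",
              'netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name="web" dir=in protocol=TCP localport=8080 action=allow'),
]

_AD = r"anydesk(?:\.exe)?"
RE_SILENT_INSTALL = re.compile(_AD + r"\S*\s+--install\b.*--silent\b", re.I)
RE_PIPED_PASSWORD = re.compile(r"echo\s+(\S+)\s*\|\s*\S*" + _AD + r"\s+--set-password\b", re.I)
RE_GET_ID = re.compile(_AD + r"\S*\s+--get-id\b", re.I)
RE_FW_ADD = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
RE_FW_PORT = re.compile(r"\blocalport=(\d+)", re.I)
RE_FW_DIR_IN = re.compile(r"\bdir=in\b", re.I)
RE_FW_ALLOW = re.compile(r"\baction=allow\b", re.I)
RDP_PORT = "3389"


def extract_piped_password(command_line: str) -> str | None:
    """Return the literal piped into `anydesk --set-password`, or None.

    `echo <pw>|anydesk.exe --set-password` places the unattended-access
    password in the cmd.exe command line, so command-line auditing keeps it.
    """
    m = RE_PIPED_PASSWORD.search(command_line)
    return m.group(1) if m else None


def inspect(event: ProcEvent) -> list[Finding]:
    """Apply the per-event rules to one process-creation record."""
    cl = event.command_line
    hits: list[Finding] = []
    if RE_SILENT_INSTALL.search(cl):
        hits.append(Finding("anydesk_silent_install", "medium",
                            "AnyDesk installed silently via --install ... --silent", event))
    pw = extract_piped_password(cl)
    if pw is not None:
        hits.append(Finding("anydesk_piped_password", "high",
                            f"unattended-access password set non-interactively: {pw!r}", event))
    if RE_GET_ID.search(cl):
        hits.append(Finding("anydesk_get_id", "low",
                            "AnyDesk ID read from the command line (operator collecting the target ID)", event))
    if RE_FW_ADD.search(cl):
        port = RE_FW_PORT.search(cl)
        if port and port.group(1) == RDP_PORT and RE_FW_DIR_IN.search(cl) and RE_FW_ALLOW.search(cl):
            hits.append(Finding("rdp_firewall_allow", "high",
                                "inbound allow rule added for TCP/3389 via netsh", event))
    return hits


def correlate(events: list[ProcEvent]) -> dict[str, list[Finding]]:
    """Group findings by parent image (case-insensitive) and keep only parents
    that both set an AnyDesk password and opened RDP: the chain in the report."""
    by_parent: dict[str, list[Finding]] = defaultdict(list)
    for ev in events:
        for f in inspect(ev):
            by_parent[ev.parent_image.lower()].append(f)
    required = {"anydesk_piped_password", "rdp_firewall_allow"}
    return {p: fs for p, fs in by_parent.items() if required <= {f.rule for f in fs}}


if __name__ == "__main__":
    for parent, findings in correlate(SAMPLE_EVENTS).items():
        print(f"[chain] parent={parent}")
        for f in findings:
            print(f"  {f.severity:>6}  {f.rule:<24} {f.detail}")
```

The per-parent correlation is what separates this from a legitimate helpdesk deployment: a silent AnyDesk install on its own is common, but one parent that also pipes a password into `--set-password` and adds an inbound 3389 allow rule is the pattern shown here. On a real host the same rules apply unchanged to the `CommandLine`/`ParentImage` fields of Sysmon Event ID 1 or the `Process Command Line` field of 4688 with command-line auditing enabled; without command-line auditing the piped password and the netsh arguments are not recorded at all.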